| 1 |
On 10/22/2013 01:09 PM, Rick "Zero_Chaos" Farina wrote: |
| 2 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 3 |
> Hash: SHA1 |
| 4 |
> |
| 5 |
> On 10/21/2013 03:00 PM, Magnus Granberg wrote: |
| 6 |
>> Agenda |
| 7 |
>> 1.0 New Devloper |
| 8 |
>> 2.0 Toolchain |
| 9 |
>> 3.0 Kernel/Grsec/Pax |
| 10 |
>> 3.1 Use pax_kernel |
| 11 |
> The USE=pax_kernel is used for two reasons. One reason is XYZ needs to |
| 12 |
> be done or pax kills the build/test. The second reason is XYZ needs to |
| 13 |
> be done to build against a hardened kernel. |
| 14 |
|
| 15 |
It is wrong to build anything against the kernel api except as defined |
| 16 |
in /usr/include/linux, hardened or not. We have lots of ebuild which |
| 17 |
look at the kernel source tree in /usr/src/linux and build against it. |
| 18 |
These are broken. The kernel source tree exposes many internal |
| 19 |
structures which are subject to change without notice, not the least of |
| 20 |
which afflicted iptables for the longest time. |
| 21 |
|
| 22 |
By extension, no ebuild should build against a hardened kernel source |
| 23 |
tree. USE=pax_kernel should never mean "XYZ needs to be done to build |
| 24 |
against a hardened kernel". It should only be used to mean "the ELFs |
| 25 |
provided by this package *may* be run under a kernel with pax memory |
| 26 |
protection enforced." If its a question of an out of source tree |
| 27 |
kernel module being built and requiring a patch, eg constification, then |
| 28 |
some other solution needs to be found. |
| 29 |
|
| 30 |
What ebuilds are we talking about here that fit the later category? |
| 31 |
|
| 32 |
-- |
| 33 |
Anthony G. Basile, Ph.D. |
| 34 |
Gentoo Linux Developer [Hardened] |
| 35 |
E-Mail : blueness@g.o |
| 36 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 37 |
GnuPG ID : F52D4BBA |
Archives