| 1 |
On 12/18/14 20:36, Matthew Thode wrote: |
| 2 |
> On 12/18/2014 07:09 PM, Anthony G. Basile wrote: |
| 3 |
>> Hi fellow hardened devs: |
| 4 |
>> |
| 5 |
>> I'm sorry for missing the meeting but things came up and the day got |
| 6 |
>> hectic. It is an important meeting because we were to discuss: |
| 7 |
>> |
| 8 |
>> 1) what we want with toolchain.eclass - There is a move to get rid of |
| 9 |
>> the eclas because it is "messy". This is probably a bad thing in |
| 10 |
>> general and especially for hardened so we should discuss the pros and |
| 11 |
>> cons and what we want. |
| 12 |
>> |
| 13 |
>> 2) what to do about tar and POSIX capabilities in the context of |
| 14 |
>> building stage3's. Utilities like ping that used to be setuid to root |
| 15 |
>> are now just using posix caps. But preserving xattrs with tar is |
| 16 |
>> tricky. Since we dealt with this for the user.pax.* xattr namespace |
| 17 |
>> jmbsvicetto asked us to look at security.capability. However, the issue |
| 18 |
>> may now be mute because I just got a message from him that |
| 19 |
>> |
| 20 |
>> tar --xattrs --xattrs-include=security.capability |
| 21 |
>> --xattrs-include=user.* --acls -xjpvf |
| 22 |
>> |
| 23 |
>> works to get us all the xattr goodies we need for hardened and gentoo in |
| 24 |
>> general. |
| 25 |
>> |
| 26 |
>> |
| 27 |
>> We should try to discuss 1 soon-ish before Cthulu awakens and madness |
| 28 |
>> reigns in gentoo. |
| 29 |
>> |
| 30 |
> regarding 1: a refactoring is in order probably, but what are the |
| 31 |
> specific complaints? |
| 32 |
|
| 33 |
mgorny doesn't like it and says its intrusive. I was not able to get |
| 34 |
more out of him. See |
| 35 |
|
| 36 |
https://www.marc.info/?l=gentoo-dev&m=141804148612262&w=2 |
| 37 |
|
| 38 |
> |
| 39 |
> regarding 2: The thing we need to ask is if we want to ask users to run |
| 40 |
> that to extract stage3 tarballs, instead of -xf and the like. |
| 41 |
> |
| 42 |
|
| 43 |
Also responding to Swift. Since we build the stage3's we decide what |
| 44 |
xattrs get in there from what is set by the ebuilds --- "we" = any |
| 45 |
gentoo dev via the ebuild he/she writes. The question then is up to us |
| 46 |
what we want. Right now we are including only security.capability and |
| 47 |
user.pax.flags. releng has adopted a blacklist policy where all xattrs |
| 48 |
are excluded unless we specifically include them. So acls and selinux |
| 49 |
are not included. |
| 50 |
|
| 51 |
Note: this is just what gets into the stage3 tarball. Once unpacked, |
| 52 |
the user is free to set whatever xattrs he/she wants. |
| 53 |
|
| 54 |
-- |
| 55 |
Anthony G. Basile, Ph. D. |
| 56 |
Chair of Information Technology |
| 57 |
D'Youville College |
| 58 |
Buffalo, NY 14201 |
| 59 |
(716) 829-8197 |
Archives