On 12/15/2017 06:09 AM, Robert Sharp wrote:
> 
> MISSING="berkdb gdbm tcpd ptpax session dri urandom"
> 
> Is this a deliberate change or are they actually missing?
> 

These are all intentional, but perhaps with an unintended side effect.
The default/linux profile sets:

  USE="berkdb crypt ipv6 ncurses nls pam readline ssl tcpd zlib"
  ...
  USE="${USE} cli pcre session"

Most of those flags are unnecessary, so the hardened profile disables
them (to reduce the surface area for attack):

  # Default starting set of USE flags for all default/linux profiles.
  # We unset them so we get a clean use flag profile.
  USE="${USE} -berkdb -gdbm -tcpd"
  USE="${USE} -fortran"
  USE="${USE} -cli -session"
  USE="${USE} -dri"
  USE="${USE} -modules"

What that's trying to accomplish is to undo the overzealous USE in the
default/linux profile, but unfortunately, the "-foo" flags (with the
default stacking order in portage) will override the IUSE="+foo"
defaults set in the ebuilds themselves. So, for example, dev-lang/php
sets IUSE="+cli +session", but they'll be disabled when using the
hardened profile.

USE=ptpax is something else entirely. By now, everyone should be using
the default xattr markings with PAX_MARKINGS=XT in make.conf (the new
profile does this for you). USE=ptpax was dropped by default because you
shouldn't need it any more.

At least for "modules" and "session", we will eventually drop them as
defaults so that everything works right again:

 * https://bugs.gentoo.org/635720 (modules)
 * https://bugs.gentoo.org/635742 (session)
