On 08/02/2011 10:31 AM, Ciaran McCreesh wrote: > On Tue, 02 Aug 2011 10:28:58 -0400 > "Anthony G. Basile" <bluen...@gentoo.org> wrote: >> I prefer capsetting in the PMS itself, with a nice clean function >> which auto detects all the necessary conditions and transparently >> preserves caps, as you suggest. Maybe this can be in EAPI=5. > Would need a spec, along with a way of dealing with all the problems: > what happens if the build fs supports caps but the install fs doesn't? > What about if caps are supported on both but in different ways (tmpfs > on some kernels)? Is it up to the PM to deal with that? How does the PM > even know? >
That's exactly what I was thinking of for the PM. It would have to autodetect all that. Eg. it could create a test file on each fs and then do a getcap on it and if it fails, you have your answer. If necessary and it exists, it could look at /proc/config. I think it's doable. >> I'm also wondering if, in the mean time, it might be worth writing a >> bash script and/or howto on converting as many binaries as possible >> from setuid to caps --- hitting up all the usual suspects. Its not >> ideal but might still be useful until we get this squarely in the PMS. > PMS currently explicitly states that caps might get clobbered on a > merge (because Portage does that sometimes). So if you're doing it now, > it'd have to be as a pkg_postinst thing. But I'd strongly recommend not > going that route, since it'll almost certainly go horribly wrong in a > "your system randomly no longer works" kind of way... Better to ban > things from using caps for now. > I was thinking something even dirtier, something outside of the PMS altogether, along the lines of what one does when converting to a selinux system where one relabels the entire filesystem with rlpkg. So no, not something via pkg_postinst(). -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail : bluen...@gentoo.org GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 GnuPG ID : D0455535
