On 10/23/2011 03:20 PM, Alexandre Rostovtsev wrote:
> On Sun, Oct 23, 2011 at 3:03 PM, Anthony G. Basile <[email protected]>
> wrote:
>> Where would the hardened profiles fit in this? This requires some
>> thought. Right now "hardened" means three choices: 1) hardened
>> toolchain, 2) hardened-sources kernel, 3) hardened profile. Some
>> packages are masked or added to the profile for the toolchain, some for
>> the kernel. We'd have to disentangle those. I'm not sure how the
>> details would play out.
> My impression was that for the hardened kernels case, specific USE
> flags such as "pax_kernel" are supposed to be used instead of the
> generic "hardened".
>
> -Alexandre
>

Yes. Because some people wanted binaries built with a vanilla toolchain running under a PaX kernel. So, we encouraged the use of a different USE flag to tell ebuilds that this package *might* be run under a pax_kernel and therefore should have certain PaX markings. Since that has nothing to do with a hardened toolchain, we encouraged the use of a new local flag, pax_kernel.

However, this is a weak USE flag because PaX marking a binary that runs under a vanilla kernel is harmless, as the kernel will simply ignore the pt_pax program header in the ELF. And all binaries built in Gentoo have this header automatically because of a patch in binutils. It's added "just in case". You can see it when you do readelf -l /path/to/elf.

So if you look in the hardened profiles, you'll see some things masked like net-im/skype because of the kernel, and some things masked like =sys-devel/gdb-7.0* because of the toolchain. If the hardened toolchain moves into mainstream, then we'll have to sort through those and figure out how to incorporate them into the main profiles. How would we say, if you use gcc-config and choose gcc-4.5.1-hardened spec, mask gdb-7.0*? I don't think it's impossible, but I'm not seeing how to proceed right now.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : [email protected]
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
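The pt_pax program header discussed in the thread can be inspected without readelf. The following is an added example, not code from the thread or from Gentoo's tooling: a small ELF64 parser that finds the program header readelf -l lists as PAX_FLAGS and decodes its bits, run against constructed images. The PT_PAX_FLAGS type value and the flag-bit names are assumed from the PaX patches' elf.h.

```python
import struct

# PT_PAX_FLAGS type and its flag bits (assumption: values as in PaX's elf.h).
PT_PAX_FLAGS = 0x65041580
PAX_FLAG_BITS = {
    1 << 4: "PAGEEXEC",  1 << 5: "NOPAGEEXEC",
    1 << 6: "SEGMEXEC",  1 << 7: "NOSEGMEXEC",
    1 << 8: "MPROTECT",  1 << 9: "NOMPROTECT",
    1 << 10: "RANDEXEC", 1 << 11: "NORANDEXEC",
    1 << 12: "EMUTRAMP", 1 << 13: "NOEMUTRAMP",
    1 << 14: "RANDMMAP", 1 << 15: "NORANDMMAP",
}
PT_LOAD = 1

def pax_marking(elf: bytes):
    """Decode the PT_PAX_FLAGS entry of a little-endian ELF64 image.

    Returns None if the binary has no PT_PAX_FLAGS header at all (e.g. built
    with an unpatched binutils); otherwise the sorted flag names set in
    p_flags, where an empty list is a header present but carrying no marking.
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return sorted(n for bit, n in PAX_FLAG_BITS.items() if p_flags & bit)
    return None

def build_elf(phdrs):
    """Construct a minimal ELF64 image (ELF header + program headers only)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, v1, SysV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body

# Constructed samples: the "just in case" header with nothing set, a binary
# marked NOMPROTECT|RANDMMAP, and one with no PT_PAX_FLAGS header at all.
UNMARKED = build_elf([(PT_LOAD, 5), (PT_PAX_FLAGS, 0)])
MARKED = build_elf([(PT_LOAD, 5), (PT_PAX_FLAGS, (1 << 9) | (1 << 14))])
NO_PAX = build_elf([(PT_LOAD, 5)])

if __name__ == "__main__":
    for name, img in [("unmarked", UNMARKED), ("marked", MARKED), ("no header", NO_PAX)]:
        print(f"{name}: {pax_marking(img)}")
```

On a vanilla kernel the decoded flags change nothing at load time, which is the harmlessness the message describes; the header only matters once the binary runs under a PaX kernel.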
