On Sun, Apr 7, 2013 at 5:11 PM, Chí-Thanh Christopher Nguyễn <chith...@gentoo.org> wrote:
> Hello All,
>
> After recent changes in dev-lang/v8 and related ebuilds, the pax-mark call no
> longer has a || die. This means that the resulting binaries may have PT_PAX,
> XATTR_PAX, both or neither markings depending on kernel configuration,
> filesystem and mount options.
>
> I'd say that is not a good thing. If you agree with me, what could be done
> here? Have pax-mark die in the eclass or mandate || die in ebuilds? This
> would probably require pax-mark calls to be conditional on pax_kernel USE
> flag or similar.
>
Most ebuilds do not call pax-mark || die. Most people do not run PaX systems, so a failure here is not a major issue. I would like to see the kernel patch enabling user.pax attributes on tmpfs submitted to Linus' kernel tree; that would eliminate the major cause of failures here. In the meantime, maybe we could disable XATTR_PAX markings by default for people not using the hardened profile.
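The thread's concern is that a built binary may end up with PT_PAX, XATTR_PAX, both or neither. As an added example (not part of this thread and not Gentoo's pax-utils eclass), the Python below reports which of the two markings a binary actually carries, so a build-time check can catch the "neither" case; it assumes the PT_PAX_FLAGS program-header type and p_flags bit layout from PaX's ELF definitions and the user.pax.flags xattr name, and the ELF image it builds is constructed test input.

```python
import os
import struct

PT_PAX_FLAGS = 0x65041580      # program-header type PaX uses for PT_PAX markings
XATTR_PAX = "user.pax.flags"   # extended attribute used for XATTR_PAX markings
# p_flags bits of a PT_PAX_FLAGS header (PaX elf.h): letter -> (enable bit, disable bit)
PAX_BITS = {"p": (1 << 4, 1 << 5), "s": (1 << 6, 1 << 7), "m": (1 << 8, 1 << 9),
            "e": (1 << 12, 1 << 13), "r": (1 << 14, 1 << 15)}

def decode_pax_flags(p_flags):
    """Render p_flags as pax-mark style letters: upper = enabled, lower = disabled."""
    return "".join(l.upper() if p_flags & on else l if p_flags & off else ""
                   for l, (on, off) in PAX_BITS.items())

def pt_pax_marking(data):
    """PT_PAX_FLAGS marking of an ELF image, '' if the header is empty, None if absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big endian
    if data[4] == 2:                              # ELFCLASS64: e_phoff@32, e_phentsize/e_phnum@54
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                             # p_flags follows p_type in Elf64_Phdr
    else:                                         # ELFCLASS32: e_phoff@28, e_phentsize/e_phnum@42
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                            # p_flags is the 7th field in Elf32_Phdr
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(end + "I", data, base)[0] == PT_PAX_FLAGS:
            return decode_pax_flags(struct.unpack_from(end + "I", data, base + flags_off)[0])
    return None

def pax_markings(path):
    """Both kinds of marking, so a build check can tell 'both', 'neither' and one-only apart."""
    with open(path, "rb") as f:
        pt = pt_pax_marking(f.read())
    try:                                          # xattr unset, or fs/mount without xattr support
        xa = os.getxattr(path, XATTR_PAX).decode()
    except (OSError, AttributeError):
        xa = None
    return {"pt_pax": pt, "xattr_pax": xa}

def build_test_elf(p_flags=None):
    """Constructed minimal ELF64 image (headers only) with an optional PT_PAX_FLAGS header."""
    phdr = b"" if p_flags is None else struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       2, 62, 1, 0, 64, 0, 0, 64, 56, 1 if phdr else 0, 0, 0, 0)
    return ehdr + phdr
```

A "neither" result from pax_markings() on a freshly built binary is exactly the silent failure the thread describes, and is what an ebuild-side check would flag.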