On 04/07/2013 05:20 PM, Mike Gilbert wrote:
> On Sun, Apr 7, 2013 at 5:11 PM, Chí-Thanh Christopher Nguyễn
> <chith...@gentoo.org> wrote:
>> Hello All,
>>
>> After recent changes in dev-lang/v8 and related ebuilds, the pax-mark call no
>> longer has a || die. This means that the resulting binaries may have PT_PAX,
>> XATTR_PAX, both or neither markings depending on kernel configuration,
>> filesystem and mount options.
>>
>> I'd say that is not a good thing. If you agree with me, what could be done
>> here? Have pax-mark die in the eclass or mandate || die in ebuilds? This
>> would probably require pax-mark calls to be conditional on pax_kernel USE
>> flag or similar.
>
> Most ebuilds do not call pax-mark || die. Most people do not run PaX
> systems, so a failure here is not a major issue.
>
> I would like to see the kernel patch enabling user.pax attributes on
> tmpfs submitted to Linus' kernel tree; that would eliminate the major
> cause of failures here.
>
> In the mean time, maybe we could disable XATTR_PAX markings by default
> for people not using the hardened profile.

You can disable either or both types of pax markings by setting PAX_MARKINGS. We can change the default in the eclass. It's currently set to "PT XT". Setting it to "PT" would revert to only doing PT_PAX markings. Then users will have to manually set XT in their make.conf.

I can try to get the user.pax on tmpfs patch into the Linux tree. At the very least, we can get it into gentoo-sources.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA
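The thread's concern is that a binary may end up with PT_PAX, XATTR_PAX, both or neither, and nothing in the build verifies which. The script below is an added example (not part of this thread, the pax-utils eclass, paxctl or paxctl-ng) that inspects both places a marking can live: the PT_PAX_FLAGS program header (p_type 0x65041580) and the user.pax.flags extended attribute. The letter decoding assumes the PF_PAGEEXEC..PF_NORANDMMAP bit layout from PaX's elf.h; the ELF builder at the end only exists to construct a sample image for offline use.

```python
"""Report which PaX markings an ELF binary actually carries (PT_PAX, XATTR_PAX, both, none)."""
import os
import struct

PT_PAX_FLAGS = 0x65041580          # p_type written by paxctl (assumed per PaX's elf.h)
PAX_XATTR = "user.pax.flags"       # attribute written by paxctl-ng / setfattr

# PF_* bits as laid out in PaX's elf.h (assumption); uppercase = enabled, lowercase = disabled
_PAX_FLAG_BITS = (
    (1 << 4, "P"), (1 << 5, "p"),    # PAGEEXEC
    (1 << 6, "S"), (1 << 7, "s"),    # SEGMEXEC
    (1 << 8, "M"), (1 << 9, "m"),    # MPROTECT
    (1 << 10, "X"), (1 << 11, "x"),  # RANDEXEC
    (1 << 12, "E"), (1 << 13, "e"),  # EMUTRAMP
    (1 << 14, "R"), (1 << 15, "r"),  # RANDMMAP
)


def decode_pax_flags(p_flags):
    """Render PT_PAX_FLAGS p_flags as paxctl-style letters, e.g. 'mr'; '-' if no bits set."""
    return "".join(letter for bit, letter in _PAX_FLAG_BITS if p_flags & bit) or "-"


def pt_pax_flags(data):
    """Return p_flags of the PT_PAX_FLAGS program header, or None if the ELF has none.

    Handles ELF32 and ELF64, both endiannesses; p_flags sits at a different
    offset in the 32-bit and 64-bit program header layouts.
    """
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:                                   # ELF64
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                                   # Elf64_Phdr: p_type, p_flags, ...
    elif ei_class == 1:                                 # ELF32
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                                  # Elf32_Phdr: p_flags is the 7th field
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + phentsize > len(data):
            raise ValueError("program header table runs past end of file")
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_PAX_FLAGS:
            (p_flags,) = struct.unpack_from(end + "I", data, base + flags_off)
            return p_flags
    return None


def xattr_pax_flags(path):
    """Return the user.pax.flags value, or None when unset or unsupported.

    ENOTSUP is exactly the failure the thread describes: a filesystem (e.g. tmpfs
    without the user.pax patch) or mount option that refuses user xattrs.
    """
    if not hasattr(os, "getxattr"):                     # non-Linux Python
        return None
    try:
        return os.getxattr(path, PAX_XATTR).decode("ascii").strip()
    except OSError:                                     # ENODATA, ENOTSUP, ...
        return None


def classify(path):
    """Return 'PT', 'XT', 'PT+XT' or 'none' for the file at path."""
    with open(path, "rb") as f:
        data = f.read()
    kinds = []
    if pt_pax_flags(data) is not None:
        kinds.append("PT")
    if xattr_pax_flags(path) is not None:
        kinds.append("XT")
    return "+".join(kinds) or "none"


def build_elf64(phdrs):
    """Constructed sample only: a minimal little-endian x86-64 ELF header followed by
    the given (p_type, p_flags) program headers, enough for pt_pax_flags() to parse."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)    # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, classify(p))
    else:
        # No argument: classify a constructed image marked 'mr' (MPROTECT off, RANDMMAP off)
        sample = build_elf64([(1, 5), (PT_PAX_FLAGS, (1 << 9) | (1 << 15))])
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(sample)
        print(tmp.name, classify(tmp.name), decode_pax_flags(pt_pax_flags(sample)))
        os.unlink(tmp.name)
```

Run it against the installed files of a package (for example the v8 libraries and any binaries the ebuild pax-marks) after an emerge; a result of "none" on a PaX kernel is the silent failure that a missing `|| die` lets through, and "PT" alone on a system that expects XT usually points at the tmpfs or mount-option problem mentioned above.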

