On 04/08/2013 12:08 AM, Anthony G. Basile wrote:
> On 04/07/2013 05:20 PM, Mike Gilbert wrote:
>> On Sun, Apr 7, 2013 at 5:11 PM, Chí-Thanh Christopher Nguyễn
>> <[email protected]> wrote:
>>> Hello All,
>>>
>>> After recent changes in dev-lang/v8 and related ebuilds, the pax-mark call no
>>> longer has a || die. This means that the resulting binaries may have PT_PAX,
>>> XATTR_PAX, both or neither markings depending on kernel configuration,
>>> filesystem and mount options.

Although not used to PaX in general, I've fixed a bug report[1] where "pax-mark -c" was sufficient to get some prebuilt third-party binary to run on a user's hardened machine.

>> In the meantime, maybe we could disable XATTR_PAX markings by default
>> for people not using the hardened profile.
>>
> You can disable either or both types of pax markings by setting PAX_MARKINGS.
> We can change the default in the eclass. It's currently set to "PT XT".
> Setting it to "PT" would revert to only doing PT_PAX markings.
> Then users will have to manually set XT in their make.conf.

While fixing that bug I've discovered the default value of PAX_MARKINGS="PT" (has changed to "PT XT" since), but no profile actually setting PAX_MARKINGS="none".

Actually I've wondered if it would make more sense to default to PAX_MARKINGS="none", and have the hardened profiles (or the user in make.conf) set a different value.

But thinking again now, I'm wondering if pax-mark should be done in pkg_preinst rather than src_install - for the sake of binary merges when the build machine has different PAX_MARKINGS than the target machine (no idea if that ever would happen).

[1] https://bugs.gentoo.org/show_bug.cgi?id=456694

my 2 cents
/haubi/
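The thread's concern is that, without `|| die`, an installed binary may end up with PT_PAX markings, XATTR_PAX markings, both, or neither, and the two may even disagree. The following added example (not code from the thread, the pax-utils project or the eclass) classifies a binary the same way from its ELF program headers and its `user.pax.flags` xattr value; the bit positions and the PT_PAX_FLAGS type come from PaX's elf.h, the ELF fixture is constructed here for the test, and only little-endian ELF64 is handled.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # program header type that carries PT_PAX markings
# p_flags bit pairs (enable, disable) per paxctl feature letter, from PaX's elf.h:
# P pageexec, S segmexec, M mprotect, X randexec, E emutramp, R randmmap
PAX_BITS = {"P": (1 << 4, 1 << 5), "S": (1 << 6, 1 << 7), "M": (1 << 8, 1 << 9),
            "X": (1 << 10, 1 << 11), "E": (1 << 12, 1 << 13), "R": (1 << 14, 1 << 15)}

def pt_pax_flags(elf: bytes):
    """Return p_flags of the PT_PAX_FLAGS header in a little-endian ELF64, else None."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)          # e_phoff lives at offset 32
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)  # e_phentsize, e_phnum
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None

def decode_pt(p_flags: int):
    """Map p_flags to {letter: True (enabled) | False (disabled) | None (default)}."""
    return {k: True if p_flags & on else False if p_flags & off else None
            for k, (on, off) in PAX_BITS.items()}

def decode_xattr(value: str):
    """Decode a user.pax.flags string such as 'PeMRxS' into the same form."""
    state = {k: None for k in PAX_BITS}
    for ch in value:
        if ch.upper() in state:
            state[ch.upper()] = ch.isupper()  # upper = enabled, lower = disabled
    return state

def marking_status(elf: bytes, xattr):
    """Classify as the thread does: PT, XT, both, neither, or both but conflicting."""
    pt = pt_pax_flags(elf)
    if pt is None and xattr is None:
        return "neither"
    if xattr is None:
        return "PT"
    if pt is None:
        return "XT"
    return "both" if decode_pt(pt) == decode_xattr(xattr) else "both (conflicting)"

def build_elf(pax_flags=None) -> bytes:
    """Constructed test fixture: a bare ELF64 header plus an optional PT_PAX_FLAGS phdr."""
    phnum = 0 if pax_flags is None else 1
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64 * phnum, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdr = b"" if phnum == 0 else struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr
```

On a real system the xattr value would come from `getfattr -n user.pax.flags`, and a "both (conflicting)" result is exactly the case a `|| die` in the ebuild would have caught at build time.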
