On 10/22/2013 01:09 PM, Rick "Zero_Chaos" Farina wrote:

On 10/21/2013 03:00 PM, Magnus Granberg wrote:
Agenda
1.0 New Developer
2.0 Toolchain
3.0 Kernel/Grsec/Pax
  3.1 Use pax_kernel
The USE=pax_kernel is used for two reasons.  One reason is XYZ needs to
be done or pax kills the build/test.  The second reason is XYZ needs to
be done to build against a hardened kernel.

It is wrong to build anything against the kernel api except as defined in /usr/include/linux, hardened or not. We have lots of ebuilds which look at the kernel source tree in /usr/src/linux and build against it. These are broken. The kernel source tree exposes many internal structures which are subject to change without notice, not the least of which afflicted iptables for the longest time.

By extension, no ebuild should build against a hardened kernel source tree. USE=pax_kernel should never mean "XYZ needs to be done to build against a hardened kernel". It should only be used to mean "the ELFs provided by this package *may* be run under a kernel with pax memory protection enforced." If it's a question of an out of source tree kernel module being built and requiring a patch, e.g. constification, then some other solution needs to be found.

What ebuilds are we talking about here that fit the latter category?

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : [email protected]
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA
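The point above, that a package must build against the userspace kernel API in /usr/include/linux and never against a kernel source tree, is easy to check mechanically from a build log. The script below is an added example, not code from the thread or from any Gentoo eclass: it scans a compiler log for -I or -isystem flags that point into /usr/src/linux or a /lib/modules/*/build tree, which is exactly the pattern that breaks when internal kernel structures change. The sample log, the regex and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or any Gentoo eclass):
# scan a build log for compile lines that pull headers from a kernel source
# tree instead of the sanctioned userspace API in /usr/include/linux.
# The regex, function names and sample log below are constructed.

# Include flags pointing into a kernel source tree: /usr/src/linux or the
# per-kernel /lib/modules/<version>/build symlink, with or without a space
# after the -I / -isystem flag.
KERNEL_TREE_RE='(-I|-isystem) ?(/usr/src/linux|/lib/modules/[^/ ]+/build)'

# Print the number of offending compile lines in the log given as $1.
# grep -c exits 1 when the count is 0; that is still a valid answer, so
# swallow the exit status and keep the printed "0".
count_kernel_tree_includes() {
    grep -E -c -- "$KERNEL_TREE_RE" "$1" || true
}

# Print offending lines with their line numbers so the ebuild author can
# trace them back to the Makefile rule that adds the include path.
list_kernel_tree_includes() {
    grep -E -n -- "$KERNEL_TREE_RE" "$1" || true
}

# Constructed sample build log written to the path given as $1: two lines
# build against a kernel source tree (wrong), two use only the normal
# system include path (fine).
write_sample_log() {
    cat > "$1" <<'EOF'
gcc -O2 -I/usr/src/linux/include -c libipt_foo.c -o libipt_foo.o
gcc -O2 -isystem /lib/modules/3.11.6-hardened/build/include -c mod_helper.c
gcc -O2 -I/usr/include -c main.c -o main.o
gcc -O2 -c util.c -o util.o
EOF
}

log="${TMPDIR:-/tmp}/sample-build.log"
write_sample_log "$log"
n=$(count_kernel_tree_includes "$log")
if [ "$n" -gt 0 ]; then
    echo "found $n compile line(s) building against a kernel source tree:"
    list_kernel_tree_includes "$log"
else
    echo "no kernel source tree includes found"
fi
```

In practice you would point the script at the log of an emerge run (for example with PORTAGE_LOGDIR set) rather than the constructed sample; a non-zero count means the ebuild is building against kernel internals and needs to be fixed regardless of whether USE=pax_kernel is set.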

