On 06/09/14 11:51, Jason Zaman wrote:
On Mon, Jun 9, 2014 at 7:43 PM, Michael Orlitzky <m...@gentoo.org> wrote:

On 06/07/2014 08:55 PM, Anthony G. Basile wrote:

When running with a pax kernel, you must enable EMUTRAMP in your Kconfig
and you must paxmark your python exe's with E.  Note: EMUTRAMP is on by
default and the ebuild automatically does the markings for you, so leave
the defaults alone.


Can linux-info.eclass be used to spit out a warning during a python emerge?

This,

   use hardened && CONFIG_CHECK+=" ~CONFIG_PAX_EMUTRAMP"

seems like a common pattern. With a little more ingenuity we can
probably have it check the running/installed kernel and not the USE flag.


Where did the "Gentoo Linux" option in the kernel config disappear? The one that had the
openrc / systemd options, among other things.

Could we just add an option in there that will force EMUTRAMP for the
hardened-sources?

-- Jason


It's on by default. I could force it so you can't turn it off. But this is Gentoo and you need lots of rope ;) On a serious note, I can think of instances where I want it off: e.g. an embedded system which doesn't even have python would gain security by having it off.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
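The kernel-side check Michael Orlitzky floats above (look at the installed kernel's config instead of the USE flag), written out as a standalone POSIX sh function. This is an added example, not code from the thread or from linux-info.eclass; the KCONFIG_SRC override and the config file locations it tries are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from linux-info.eclass:
# check the installed kernel's config for PAX_EMUTRAMP regardless of USE flags.
# KCONFIG_SRC is an assumed override so the check can be pointed at any file.

# Emit the kernel config, trying the running kernel's copy first.
kconfig_dump() {
    if [ -n "${KCONFIG_SRC:-}" ]; then
        cat "$KCONFIG_SRC"
    elif [ -r /proc/config.gz ]; then            # needs CONFIG_IKCONFIG_PROC
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /usr/src/linux/.config ]; then      # Gentoo's /usr/src/linux symlink
        cat /usr/src/linux/.config
    else
        return 1
    fi
}

# State of one option: y, m, n (explicitly "is not set") or absent
# (symbol unknown to this kernel, e.g. PAX_* options on a non-PaX kernel).
kconfig_state() {
    cfg=$(kconfig_dump) || { echo absent; return 0; }
    if   printf '%s\n' "$cfg" | grep -q "^$1=y\$";            then echo y
    elif printf '%s\n' "$cfg" | grep -q "^$1=m\$";            then echo m
    elif printf '%s\n' "$cfg" | grep -q "^# $1 is not set\$"; then echo n
    else echo absent
    fi
}

# Mirrors the "~CONFIG_PAX_EMUTRAMP" semantics from the thread: warn, do not
# fail the build. Returns 0 when nothing needs attention, 1 when it warned.
check_emutramp() {
    case "$(kconfig_state CONFIG_PAX_EMUTRAMP)" in
        y)      return 0 ;;
        absent) echo "note: no PAX_EMUTRAMP symbol; not a PaX kernel, nothing to check" >&2
                return 0 ;;
        *)      echo "warning: CONFIG_PAX_EMUTRAMP is off; python's E paxmark relies on it" >&2
                return 1 ;;
    esac
}
```

Run `check_emutramp` from a hook or pkg_pretend-style step; set KCONFIG_SRC to a saved config to test against a kernel other than the running one.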
