Re: [gentoo-dev] Proposed update to pax-utils.eclass
On Wed, Mar 27, 2013 at 5:39 AM, Gilles Dartiguelongue wrote:
> On Sunday, 24 March 2013 at 20:20 -0400, Anthony G. Basile wrote:
>> Last call, does anyone have a problem with me updating the
>> pax-utils.eclass? See Ref [3] above for the code. I'll wait a couple
>> more days and then do it.
>
> looks like last conditional branch for XT marking in pax-mark function
> is not using the proper variables (pt_* instead of xt_*).
>
> The PAX_MARKINGS variable is not documented with eclass documentation
> markup, it should at least get an "@INTERNAL" if this is not supposed to
> be modified by eclass users.
>
> _pax_list_files can receive documentation this way as well.
>
> You should probably try to avoid mixing [[ ]] and [ ] in the eclass. [ ]
> seems to be less used here so just have everything [[ ]] and drop the
> useless quoting that came with [ ].

You should never use [ in the tree.

-A

> The rest looks fine.
>
> --
> Gilles Dartiguelongue
> Gentoo
Re: [gentoo-dev] Proposed update to pax-utils.eclass
On Sunday, 24 March 2013 at 20:20 -0400, Anthony G. Basile wrote:
> Last call, does anyone have a problem with me updating the
> pax-utils.eclass? See Ref [3] above for the code. I'll wait a couple
> more days and then do it.

looks like last conditional branch for XT marking in pax-mark function is not using the proper variables (pt_* instead of xt_*).

The PAX_MARKINGS variable is not documented with eclass documentation markup, it should at least get an "@INTERNAL" if this is not supposed to be modified by eclass users.

_pax_list_files can receive documentation this way as well.

You should probably try to avoid mixing [[ ]] and [ ] in the eclass. [ ] seems to be less used here so just have everything [[ ]] and drop the useless quoting that came with [ ].

The rest looks fine.

--
Gilles Dartiguelongue
Gentoo
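
The bracket-style point raised in the review above, shown as an added example that is not part of the thread or of pax-utils.eclass: unquoted expansions misbehave inside [ ] but not inside [[ ]], and the right-hand side of == inside [[ ]] is the one place where quotes still change the result. Function names and sample file names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: hypothetical helpers, not taken from pax-utils.eclass.

# Old style: unquoted expansion inside [ ]. $f is word-split before `[`
# runs, so "my app" becomes two arguments and the test errors (status 2).
count_single_bracket() {
	local f n=0
	for f in "$@"; do
		if [ -f $f ] 2>/dev/null; then n=$((n + 1)); fi
	done
	echo "${n}"
}

# [[ ]] is shell syntax: no word splitting or globbing is applied to $f,
# so the quotes can be dropped without changing behaviour.
count_double_bracket() {
	local f n=0
	for f in "$@"; do
		if [[ -f $f ]]; then n=$((n + 1)); fi
	done
	echo "${n}"
}

# Empty value: `[ -n ]` sees the single argument "-n", a non-empty string,
# so the unquoted test is true for an empty variable.
nonempty_single() { [ -n $1 ]; }
nonempty_double() { [[ -n $1 ]]; }

# Quotes that must stay: the right-hand side of == inside [[ ]] is a glob
# pattern unless it is quoted.
equal_unquoted() { [[ $1 == $2 ]]; }
equal_quoted()   { [[ $1 == "$2" ]]; }

# Constructed sample data: two files, one with a space in its name.
demo() {
	local d
	d=$(mktemp -d) || return 1
	(
		cd "${d}" || exit 1
		touch plain "my app"
		echo "[ ]   matched $(count_single_bracket plain "my app") of 2 files"
		echo "[[ ]] matched $(count_double_bracket plain "my app") of 2 files"
	)
	rm -rf "${d}"
}
demo
```
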
Re: [gentoo-dev] Proposed update to pax-utils.eclass
On 03/17/2013 08:19 AM, Anthony G. Basile wrote:
> Hi everyone,
>
> The hardened team has been working on getting PaX markings moved to Extended Attributes rather than putting them in a program header of the ELF binaries [1]. The motivation here is that this is a generally safer way of doing PaX markings since mangling an ELF binary can break things [2].
>
> The last step in the process is getting an eclass on the tree which does both xattr as well as elf phdr based PaX markings. We've been testing one for a while and we think we've clobbered all the bugs. The eclass deviates significantly from the one on the tree, so I'm not sure a diff is the best way to present it. The current version is on the hardened-dev overlay [3]. It also makes use of a new utility called paxctl-ng which does what paxctl did but also with xattr [4].
>
> You may want to look at some documentation too. An updated discussion of PaX which includes xattr stuff is at [5]. A migration guide is at [6].
>
> Please review. We are in no rush to get this done, so if you find bugs or have concerns, add blockers to the tracker [1].
>
> Ref.
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=427888
> [2] e.g. Skype, https://bugs.gentoo.org/show_bug.cgi?id=461668
> [3] http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=eclass/pax-utils.eclass;h=b27d5e2f6e503cf47e9e321e441f1fe8c9c1dbd8;hb=646c49292c140491c3e1aee58a82f3c3b6a4e99f
> [4] This is part of the sys-apps/elfix package. The repo is at http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary
> [5] http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml
> [6] http://www.gentoo.org/proj/en/hardened/pax-migrate-xattr.xml

Last call, does anyone have a problem with me updating the pax-utils.eclass? See Ref [3] above for the code. I'll wait a couple more days and then do it.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
[gentoo-dev] Proposed update to pax-utils.eclass
Hi everyone,

The hardened team has been working on getting PaX markings moved to Extended Attributes rather than putting them in a program header of the ELF binaries [1]. The motivation here is that this is a generally safer way of doing PaX markings since mangling an ELF binary can break things [2].

The last step in the process is getting an eclass on the tree which does both xattr as well as elf phdr based PaX markings. We've been testing one for a while and we think we've clobbered all the bugs. The eclass deviates significantly from the one on the tree, so I'm not sure a diff is the best way to present it. The current version is on the hardened-dev overlay [3]. It also makes use of a new utility called paxctl-ng which does what paxctl did but also with xattr [4].

You may want to look at some documentation too. An updated discussion of PaX which includes xattr stuff is at [5]. A migration guide is at [6].

Please review. We are in no rush to get this done, so if you find bugs or have concerns, add blockers to the tracker [1].

Ref.

[1] https://bugs.gentoo.org/show_bug.cgi?id=427888
[2] e.g. Skype, https://bugs.gentoo.org/show_bug.cgi?id=461668
[3] http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=eclass/pax-utils.eclass;h=b27d5e2f6e503cf47e9e321e441f1fe8c9c1dbd8;hb=646c49292c140491c3e1aee58a82f3c3b6a4e99f
[4] This is part of the sys-apps/elfix package. The repo is at http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary
[5] http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml
[6] http://www.gentoo.org/proj/en/hardened/pax-migrate-xattr.xml

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA