Stuart Henderson <[email protected]> wrote:
> On 2019/05/28 17:48, [email protected] wrote:
> > So, following the new advancements in W^X from Theo, I was thinking about
> > this idea: ports maintainers cannot make every single package be W^X, this
> > is obvious.
> > But they could test each package without wxallowed and, if it is not
> > working, make the package go to another specified filesystem with wxallowed.
> > For example: all packages I need can work without wxallowed on
> > /usr/local/bin, except for some shitty python scripts that I unfortunately need.
> > So, in order to make it work, I need to put wxallowed on this whole mount
> > point.
> > Wouldn't it be better to just create, let's say, /usr/local/wxallowedbin/
> > on the installation procedure? Of course this would require some effort from
> > ports maintainers, but should be doable.
> >
> > Regards.
>
> A binary doesn't *just* need to be on a wxallowed filesystem, it must also
> be marked with the wxneeded flag. So even if you mount /usr/local with
> wxallowed the vast majority of programs installed there are still denied
> W|X maps, there's no need for a separate filesystem to do that.
And since only root can place binaries in that filesystem, the situation is safe.
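Stuart's point, that the mount option and the per-binary wxneeded mark are two separate gates, can be checked from the defender's side by listing which ELF files actually carry the PT_OPENBSD_WXNEEDED program header (the one ld emits for `-z wxneeded`). The following is an added example, not code from this thread or from OpenBSD; it assumes the header type value 0x65a3dbe7 from OpenBSD's <sys/exec_elf.h> and builds a constructed ELF64 image inline so it runs offline.

```python
import struct

# Program-header type that ld(1) emits for binaries linked with -z wxneeded
# (value taken from OpenBSD's <sys/exec_elf.h>). The kernel grants W|X mappings
# only when this header is present AND the file lives on a wxallowed mount.
PT_OPENBSD_WXNEEDED = 0x65A3DBE7
PT_LOAD, PT_NOTE = 1, 4  # ordinary header types used in the constructed sample

def elf_phdr_types(data):
    """Return the p_type of every program header in an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # 1 = little-endian, 2 = big-endian
    if ei_class == 2:                            # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    elif ei_class == 1:                          # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    # p_type is the first 32-bit word of each program header in both classes.
    return [struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
            for i in range(e_phnum)]

def wxneeded(data):
    """True if the image asks for W|X, i.e. carries a PT_OPENBSD_WXNEEDED header."""
    return PT_OPENBSD_WXNEEDED in elf_phdr_types(data)

def audit_images(images):
    """Given {name: elf_bytes}, return the names that would need a wxallowed mount."""
    return sorted(name for name, data in images.items() if wxneeded(data))

def build_sample_elf64(phdr_types):
    """Constructed, non-runnable little-endian ELF64 image whose program headers
    have the given types; only the fields the parser reads are meaningful."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # class64, LSB, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return ehdr + phdrs

if __name__ == "__main__":
    sample = {"needs_wx": build_sample_elf64([PT_LOAD, PT_NOTE, PT_OPENBSD_WXNEEDED]),
              "plain": build_sample_elf64([PT_LOAD, PT_NOTE])}
    print(audit_images(sample))  # ['needs_wx']
```

Feeding audit_images the bytes of real files under /usr/local lists exactly the packages that would need a wxallowed mount, which is the set the original poster wanted to isolate.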
