[gentoo-dev] [PATCH] profiles: update pie use-flag masks for sys-devel/gcc

[gentoo-dev] [PATCH] profiles: update pie use-flag masks for sys-devel/gcc

[Matthias Maier]

Hello all,

In light of the recent discussion, I will restore the status quo for the
pie use-flag: masked on non-hardened profiles, unmasked and forced on
hardened profiles.

The next step will be to switch the pie use-flag on default profiles from
masked to unmasked/forced with a profile update.

Best,
Matthias

[gentoo-dev] [PATCH] profiles: update pie use-flag masks for sys-devel/gcc

[Matthias Maier]

 - mask pie for sys-devel/gcc unconditionally in base/

 - selectively unmask pie use-flag for hardened/linux and
   hardened/linux/musl profiles
---
 profiles/arch/amd64/package.use.mask                | 4 ----
 profiles/arch/base/package.use.mask                 | 4 ----
 profiles/base/package.use.mask                      | 4 ++++
 profiles/hardened/linux/musl/amd64/package.use.mask | 4 ----
 profiles/hardened/linux/musl/package.use.mask       | 4 ++++
 profiles/hardened/linux/package.use.mask            | 4 ++++
 6 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/profiles/arch/amd64/package.use.mask b/profiles/arch/amd64/package.use.mask
index 372ea9c..cb0fafd 100644
--- a/profiles/arch/amd64/package.use.mask
+++ b/profiles/arch/amd64/package.use.mask
@@ -34,10 +34,6 @@ dev-lang/ocaml -spacetime
 # nvidia drivers are unmasked here
 media-video/ffmpeg -nvenc
 
-# Magnus Granberg <zorry@gentoo.org> (18 Jan 2017)
-# masked in base, unmask for amd64
->=sys-devel/gcc-6.3.0 -pie
-
 # Luke Dashjr <luke-jr+gentoobugs@utopios.org> (04 Jan 2017)
 # Assembly optimisations are supported on amd64 for all versions
 dev-libs/libsecp256k1 -asm
diff --git a/profiles/arch/base/package.use.mask b/profiles/arch/base/package.use.mask
index 5adfb6a..a9d8a52 100644
--- a/profiles/arch/base/package.use.mask
+++ b/profiles/arch/base/package.use.mask
@@ -22,10 +22,6 @@ media-video/ffmpeg nvenc
 # media-libs/raspberrypi-userland not keyworded
 media-video/motion mmal
 
-# Magnus Granberg <zorry@gentoo.org> (18 Jan 2017)
-# Mask it globally, unmask it on supported arch
->=sys-devel/gcc-6.2.0 pie
-
 # Luke Dashjr <luke-jr+gentoobugs@utopios.org> (04 Jan 2017)
 # Mask assembly optimisations that are platform-specific
 dev-libs/libsecp256k1 asm
diff --git a/profiles/base/package.use.mask b/profiles/base/package.use.mask
index 9f55b27..68fe87a 100644
--- a/profiles/base/package.use.mask
+++ b/profiles/base/package.use.mask
@@ -7,6 +7,10 @@
 # This file is only for generic masks. For arch-specific masks (i.e.
 # mask everywhere, unmask on arch/*) use arch/base.
 
+# Matthias Maier <tamiko@gentoo.org> (11 May 2017)
+# Globally mask pie use flag. Selectively unmask on specific profiles.
+sys-devel/gcc pie
+
 # Mike Gilbert <floppym@gentoo.org> (28 Apr 2017)
 # Needs sandbox-2.11 (masked)
 >=www-client/chromium-59 tcmalloc
diff --git a/profiles/hardened/linux/musl/amd64/package.use.mask b/profiles/hardened/linux/musl/amd64/package.use.mask
index e2d77b0..49830f8 100644
--- a/profiles/hardened/linux/musl/amd64/package.use.mask
+++ b/profiles/hardened/linux/musl/amd64/package.use.mask
@@ -1,6 +1,2 @@
 # Copyright 1999-2017 Gentoo Foundation.
 # Distributed under the terms of the GNU General Public License v2
-
-# Matthias Maier <tamiko@genoto.org> (07 May 2017)
-# masked in arch/base, unmask for hardened/musl/amd64
->=sys-devel/gcc-6.3.0 -pie
diff --git a/profiles/hardened/linux/musl/package.use.mask b/profiles/hardened/linux/musl/package.use.mask
index 9078b7c..d66f247 100644
--- a/profiles/hardened/linux/musl/package.use.mask
+++ b/profiles/hardened/linux/musl/package.use.mask
@@ -1,6 +1,10 @@
 # Copyright 1999-2015 Gentoo Foundation.
 # Distributed under the terms of the GNU General Public License v2
 
+# Matthias Maier <tamiko@genoto.org> (11 May 2017)
+# masked in base, unmask for hardened/musl/
+sys-devel/gcc -pie
+
 # See bug #504200
 sys-devel/gcc sanitize
 
diff --git a/profiles/hardened/linux/package.use.mask b/profiles/hardened/linux/package.use.mask
index 4178151..4a80418 100644
--- a/profiles/hardened/linux/package.use.mask
+++ b/profiles/hardened/linux/package.use.mask
@@ -1,6 +1,10 @@
 # Copyright 1999-2017 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
+# Matthias Maier <tamiko@gentoo.org> (11 May 2017)
+# masked in base, unmask for hardened profiles
+sys-devel/gcc -pie
+
 # Ilya Tumaykin <itumaykin+gentoo@gmail.com> (19 Jan 2017)
 # Requires x11-drivers/nvidia-drivers. Needs testing first.
 media-video/mpv cuda
-- 
2.10.2

[gentoo-dev] Re: [PATCH] profiles: update pie use-flag masks for sys-devel/gcc

[Duncan]

Matthias Maier posted on Thu, 11 May 2017 19:17:51 -0500 as excerpted:

> In light of the recent discussion, I will restore the status quo for the
> pie use-flag: masked on non-hardened profiles, unmasked and forced on
> hardened profiles.
> 
> The next step will be to switch the pie use-flag on default profiles
> from masked to unmasked/forced with a profile update.

For those of us who already have a default-pie system and now that we do, 
don't want to go back, what's the prescribed override?  I've never felt 
the need to override a masked flag like that, before.

(I'm sure I could find the general documentation and handle it myself, 
but I'm equally sure that there's likely to be others in my situation by 
now, and we shouldn't /all/ need to figure it out on our own.)

(As some may remember, yes, I do have USE="-* ..." set, so didn't get pie 
with the initial gcc6 emerge and @world rebuild, but I was persuaded by 
the discussion here to try it, second global rebuild, and so far it 
works.  So both because it's supposed to be safer and because I don't 
want to do now a /third/ global rebuild, I strongly prefer to keep it, 
now that I have it, and no issues so far.)

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

[gentoo-dev] Re: [PATCH] profiles: update pie use-flag masks for sys-devel/gcc

[Jonathan Callen]

[-- Attachment #1.1: Type: text/plain, Size: 1857 bytes --]

On 05/11/2017 10:45 PM, Duncan wrote:
> Matthias Maier posted on Thu, 11 May 2017 19:17:51 -0500 as excerpted:
> 
>> In light of the recent discussion, I will restore the status quo for the
>> pie use-flag: masked on non-hardened profiles, unmasked and forced on
>> hardened profiles.
>>
>> The next step will be to switch the pie use-flag on default profiles
>> from masked to unmasked/forced with a profile update.
> 
> For those of us who already have a default-pie system and now that we do, 
> don't want to go back, what's the prescribed override?  I've never felt 
> the need to override a masked flag like that, before.
> 
> (I'm sure I could find the general documentation and handle it myself, 
> but I'm equally sure that there's likely to be others in my situation by 
> now, and we shouldn't /all/ need to figure it out on our own.)
> 
> (As some may remember, yes, I do have USE="-* ..." set, so didn't get pie 
> with the initial gcc6 emerge and @world rebuild, but I was persuaded by 
> the discussion here to try it, second global rebuild, and so far it 
> works.  So both because it's supposed to be safer and because I don't 
> want to do now a /third/ global rebuild, I strongly prefer to keep it, 
> now that I have it, and no issues so far.)
> 

In general, to override a package.use{,.stable}.{mask,force} entry in
your profile, you add an entry to the same file in /etc/portage/profile/
that turns off the mask/force value in the profile. In this case, you
would add a line like:

    >=sys-devel/gcc-6.3.0 -pie

to the /etc/portage/profile/package.use.mask file (creating the
file/parent directory as needed).  If a flag is masked/forced for all
packages in use.{mask,force}, then you would add a line like "-foo" to
the use.{mask,force} file in /etc/portage/profile/.

-- 
Jonathan Callen


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[gentoo-dev] Re: [PATCH] profiles: update pie use-flag masks for sys-devel/gcc

[Duncan]

Jonathan Callen posted on Thu, 11 May 2017 23:25:24 -0400 as excerpted:

> In this case, you would add a line like:
> 
>     >=sys-devel/gcc-6.3.0 -pie
> 
> to the /etc/portage/profile/package.use.mask file (creating the
> file/parent directory as needed).  If a flag is masked/forced for all
> packages in use.{mask,force}, then you would add a line like "-foo" to
> the use.{mask,force} file in /etc/portage/profile/.

Thanks.  As I said I doubt I'm the only one who will find this useful.  
=:^)

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman