public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] pax-utils.eclass: elog -> einfo?
From: "Paweł Hajdan, Jr." @ 2011-03-12 12:36 UTC
  To: gentoo-dev

I wonder why pax-utils.eclass uses elog instead of just einfo. An
example message looks like this:

 * Fallback PaX marking -m
 *      out/Release/chrome

IMHO it's not very useful in the elog messages, but maybe there are
scenarios in which it is useful.

My idea is to just replace all elogs with einfos in pax-utils.eclass.
What do you think?


* Re: [gentoo-dev] pax-utils.eclass: elog -> einfo?
From: Mike Frysinger @ 2011-03-13 20:19 UTC
  To: gentoo-dev; +Cc: Paweł Hajdan, Jr.

On Saturday, March 12, 2011 07:36:35 Paweł Hajdan, Jr. wrote:
> I wonder why pax-utils.eclass uses elog instead of just einfo. An
> example message looks like this:
> 
>  * Fallback PaX marking -m
>  *      out/Release/chrome
> 
> IMHO it's not very useful in the elog messages, but maybe there are
> scenarios in which it is useful.
> 
> My idea is to just replace all elogs with einfos in pax-utils.eclass.
> What do you think?

i think it depends on the person.  for people who dont use grsec/PaX, they 
probably could care less and never see this output.  for people who do, they 
probably do want to see this.

maybe have it `elog` only when [[ $(uname -r) == *-grsec* ]]
-mike

* Re: [gentoo-dev] pax-utils.eclass: elog -> einfo?
From: Anthony G. Basile @ 2011-03-13 21:38 UTC
  To: gentoo-dev

On 03/13/2011 04:19 PM, Mike Frysinger wrote:
> On Saturday, March 12, 2011 07:36:35 Paweł Hajdan, Jr. wrote:
>> I wonder why pax-utils.eclass uses elog instead of just einfo. An
>> example message looks like this:
>>
>>  * Fallback PaX marking -m
>>  *      out/Release/chrome
>>
>> IMHO it's not very useful in the elog messages, but maybe there are
>> scenarios in which it is useful.
>>
>> My idea is to just replace all elogs with einfos in pax-utils.eclass.
>> What do you think?
> i think it depends on the person.  for people who dont use grsec/PaX, they 
> probably could care less and never see this output.  for people who do, they 
> probably do want to see this.
>
> maybe have it `elog` only when [[ $(uname -r) == *-grsec* ]]
> -mike

blueness@yellowness ~ $ uname -r
2.6.37-hardened-r5

so you need == *-hardened-*

-- 
Anthony G. Basile, Ph.D.
Gentoo Developer




* Re: [gentoo-dev] pax-utils.eclass: elog -> einfo?
From: Mike Frysinger @ 2011-03-13 22:01 UTC
  To: gentoo-dev

On Sunday, March 13, 2011 17:38:29 Anthony G. Basile wrote:
> On 03/13/2011 04:19 PM, Mike Frysinger wrote:
> > maybe have it `elog` only when [[ $(uname -r) == *-grsec* ]]
> 
> blueness@yellowness ~ $ uname -r
> 2.6.37-hardened-r5
> 
> so you need == *-hardened-*

you want to additionally match hardened, not replace.
[[ $(uname -r) =~ .*-(grsec|hardened).* ]]
-mike

* Re: [gentoo-dev] pax-utils.eclass: elog -> einfo?
From: Anthony G. Basile @ 2011-03-13 22:07 UTC
  To: gentoo-dev

On 03/13/2011 06:01 PM, Mike Frysinger wrote:
> On Sunday, March 13, 2011 17:38:29 Anthony G. Basile wrote:
>> On 03/13/2011 04:19 PM, Mike Frysinger wrote:
>>> maybe have it `elog` only when [[ $(uname -r) == *-grsec* ]]
>> blueness@yellowness ~ $ uname -r
>> 2.6.37-hardened-r5
>>
>> so you need == *-hardened-*
> you want to additionally match hardened, not replace.
> [[ $(uname -r) =~ .*-(grsec|hardened).* ]]
> -mike

1) I made a tiny error, but you caught it, it should be *-hardened*
without the extra dash.

2) This works for me, but I'm not familiar with any gentoo kernels that
have -grsec in the uname.  Am I missing something, or is this just in
case some of our users are deploying their own kernels?

-- 
Anthony G. Basile, Ph.D.
Gentoo Developer
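
The kernel-release tests proposed in the two messages above, side by side, as an added example (not code from the thread or from pax-utils.eclass). It uses POSIX case globs in place of bash's [[ ]], which follow the same pattern rules; matches_glob, is_pax_kernel, pax_log_func and every sample release except 2.6.37-hardened-r5 are constructed for illustration.

```shell
#!/bin/sh
# Added example: compares the kernel-release tests proposed in the thread.
# POSIX `case` globs stand in for bash's [[ $(uname -r) == PATTERN ]]; both
# use the same shell pattern-matching rules.

# matches_glob RELEASE PATTERN: succeed if RELEASE matches the glob PATTERN.
matches_glob() {
	# $2 is deliberately unquoted so that it is treated as a pattern.
	case $1 in
		$2) return 0 ;;
		*)  return 1 ;;
	esac
}

# is_pax_kernel RELEASE: glob form of the thread's final test,
# =~ .*-(grsec|hardened).*  (either tag anywhere after a dash).
is_pax_kernel() {
	matches_glob "$1" '*-grsec*' || matches_glob "$1" '*-hardened*'
}

# pax_log_func [RELEASE]: name of the logging function the eclass would call.
# Hypothetical helper; defaults to the running kernel's release.
pax_log_func() {
	if is_pax_kernel "${1:-$(uname -r)}"; then
		echo elog
	else
		echo einfo
	fi
}

# Constructed sample releases; only 2.6.37-hardened-r5 appears in the thread.
SAMPLES='2.6.37-hardened-r5 2.6.37-hardened 2.6.37-grsec 2.6.37-gentoo-r4'

# compare_patterns: print one row per sample showing which proposal matches.
compare_patterns() {
	printf '%-20s %-9s %-13s %-12s %s\n' \
		release '*-grsec*' '*-hardened-*' '*-hardened*' logs-with
	for rel in $SAMPLES; do
		row=$rel
		for pat in '*-grsec*' '*-hardened-*' '*-hardened*'; do
			if matches_glob "$rel" "$pat"; then row="$row yes"; else row="$row no"; fi
		done
		# Word splitting of $row into four columns is intended here.
		printf '%-20s %-9s %-13s %-12s %s\n' $row "$(pax_log_func "$rel")"
	done
}

compare_patterns
```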




* Re: [gentoo-dev] pax-utils.eclass: elog -> einfo?
From: Mike Frysinger @ 2011-03-14 0:29 UTC
  To: gentoo-dev

On Sunday, March 13, 2011 18:07:48 Anthony G. Basile wrote:
> 2) This works for me, but I'm not familiar with any gentoo kernels that
> have -grsec in the uname.  Am I missing something, or is this just in
> case some of our users are deploying their own kernels?

not everyone uses sys-kernel/* ... i havent in a long time
-mike

* Re: [gentoo-dev] pax-utils.eclass: elog -> einfo?
From: Kevin F. Quinn @ 2011-03-17 21:59 UTC
  To: gentoo-dev

On Sun, 13 Mar 2011 17:38:29 -0400
"Anthony G. Basile" <blueness@gentoo.org> wrote:

> On 03/13/2011 04:19 PM, Mike Frysinger wrote:
> > On Saturday, March 12, 2011 07:36:35 Paweł Hajdan, Jr. wrote:
> >> I wonder why pax-utils.eclass uses elog instead of just einfo. An
> >> example message looks like this:
> >>
> >>  * Fallback PaX marking -m
> >>  *      out/Release/chrome
> >>
> >> IMHO it's not very useful in the elog messages, but maybe there are
> >> scenarios in which it is useful.
> >>
> >> My idea is to just replace all elogs with einfos in
> >> pax-utils.eclass. What do you think?
> > i think it depends on the person.  for people who dont use
> > grsec/PaX, they probably could care less and never see this
> > output.  for people who do, they probably do want to see this.
> >
> > maybe have it `elog` only when [[ $(uname -r) == *-grsec* ]]
> > -mike
> 
> blueness@yellowness ~ $ uname -r
> 2.6.37-hardened-r5
> 
> so you need == *-hardened-*

I'd suggest doing something like:

use hardened && elog ...

There's an argument that it's better to make decisions according to
make.conf settings rather than the host system configuration, not
least to cater for people doing cross-builds.  Assuming cross builds
work at all; I've not tried that for a long time.

Kev.




* Re: [gentoo-dev] pax-utils.eclass: elog -> einfo?
From: Mike Frysinger @ 2011-03-17 22:18 UTC
  To: gentoo-dev

On Thursday, March 17, 2011 17:59:44 Kevin F. Quinn wrote:
> On Sun, 13 Mar 2011 17:38:29 -0400
> 
> "Anthony G. Basile" <blueness@gentoo.org> wrote:
> > On 03/13/2011 04:19 PM, Mike Frysinger wrote:
> > > On Saturday, March 12, 2011 07:36:35 Paweł Hajdan, Jr. wrote:
> > >> I wonder why pax-utils.eclass uses elog instead of just einfo. An
> > >> 
> > >> example message looks like this:
> > >>  * Fallback PaX marking -m
> > >>  *      out/Release/chrome
> > >> 
> > >> IMHO it's not very useful in the elog messages, but maybe there are
> > >> scenarios in which it is useful.
> > >> 
> > >> My idea is to just replace all elogs with einfos in
> > >> pax-utils.eclass. What do you think?
> > > 
> > > i think it depends on the person.  for people who dont use
> > > grsec/PaX, they probably could care less and never see this
> > > output.  for people who do, they probably do want to see this.
> > > 
> > > maybe have it `elog` only when [[ $(uname -r) == *-grsec* ]]
> > > -mike
> > 
> > blueness@yellowness ~ $ uname -r
> > 2.6.37-hardened-r5
> > 
> > so you need == *-hardened-*
> 
> I'd suggest doing something like:
> 
> use hardened && elog ...
> 
> There's an argument that it's better to make decisions according to
> make.conf settings rather than the host system configuration, not
> least to cater for people doing cross-builds.  Assuming cross builds
> work at all; I've not tried that for a long time.

in general, yes.  but this would have the unpleasant side effect of having 
IUSE=hardened show up for all packages that inherit the eclass.

also, this code is run at the pkg_* stage, so it's not the normal src host 
feature detection.  and we're talking about minor output behavior.
-mike

* Re: [gentoo-dev] pax-utils.eclass: elog -> einfo?
From: Zac Medico @ 2011-03-17 23:40 UTC
  To: gentoo-dev

On 03/17/2011 03:18 PM, Mike Frysinger wrote:
> On Thursday, March 17, 2011 17:59:44 Kevin F. Quinn wrote:
>> I'd suggest doing something like:
>>
>> use hardened && elog ...
>>
>> There's an argument that it's better to make decisions according to
>> make.conf settings rather than the host system configuration, not
>> least to cater for people doing cross-builds.  Assuming cross builds
>> work at all; I've not tried that for a long time.
> 
> in general, yes.  but this would have the unpleasant side effect of having 
> IUSE=hardened show up for all packages that inherit the eclass.
> 
> also, this code is run at the pkg_* stage, so it's not the normal src host 
> feature detection.  and we're talking about minor output behavior.
> -mike

I don't know the specifics of what PMS says about this, if you put
hardened in use.force then portage will allow you to use that flag
without it being in IUSE.
-- 
Thanks,
Zac



* Re: [gentoo-dev] pax-utils.eclass: elog -> einfo?
From: Mike Frysinger @ 2011-03-18 6:45 UTC
  To: gentoo-dev

On Thursday, March 17, 2011 19:40:31 Zac Medico wrote:
> On 03/17/2011 03:18 PM, Mike Frysinger wrote:
> > On Thursday, March 17, 2011 17:59:44 Kevin F. Quinn wrote:
> >> I'd suggest doing something like:
> >> 
> >> use hardened && elog ...
> >> 
> >> There's an argument that it's better to make decisions according to
> >> make.conf settings rather than the host system configuration, not
> >> least to cater for people doing cross-builds.  Assuming cross builds
> >> work at all; I've not tried that for a long time.
> > 
> > in general, yes.  but this would have the unpleasant side effect of
> > having IUSE=hardened show up for all packages that inherit the eclass.
> > 
> > also, this code is run at the pkg_* stage, so it's not the normal src
> > host feature detection.  and we're talking about minor output behavior.
> 
> I don't know the specifics of what PMS says about this, if you put
> hardened in use.force then portage will allow you to use that flag
> without it being in IUSE.

that would require listing every package that inherits pax-utils in use.force 
too right ?  doesnt sound scalable.

my proposal, while certainly not perfect, attempts to take a middle ground 
without incurring too much cruft.  i think i achieved that while appeasing 
most people in practice.
-mike

* Re: [gentoo-dev] pax-utils.eclass: elog -> einfo?
From: Zac Medico @ 2011-03-18 7:01 UTC
  To: gentoo-dev

On 03/17/2011 11:45 PM, Mike Frysinger wrote:
> On Thursday, March 17, 2011 19:40:31 Zac Medico wrote:
>> On 03/17/2011 03:18 PM, Mike Frysinger wrote:
>>> On Thursday, March 17, 2011 17:59:44 Kevin F. Quinn wrote:
>>>> I'd suggest doing something like:
>>>>
>>>> use hardened && elog ...
>>>>
>>>> There's an argument that it's better to make decisions according to
>>>> make.conf settings rather than the host system configuration, not
>>>> least to cater for people doing cross-builds.  Assuming cross builds
>>>> work at all; I've not tried that for a long time.
>>>
>>> in general, yes.  but this would have the unpleasant side effect of
>>> having IUSE=hardened show up for all packages that inherit the eclass.
>>>
>>> also, this code is run at the pkg_* stage, so it's not the normal src
>>> host feature detection.  and we're talking about minor output behavior.
>>
>> I don't know the specifics of what PMS says about this, if you put
>> hardened in use.force then portage will allow you to use that flag
>> without it being in IUSE.
> 
> that would require listing every package that inherits pax-utils in use.force 
> too right ?  doesnt sound scalable.

No, because use.force applies to all packages. I guess you were thinking
of package.use.force.

> my proposal, while certainly not perfect, attempts to take a middle ground 
> without incurring too much cruft.  i think i achieved that while appeasing 
> most people in practice.
> -mike

Shrug, I just thought I'd mention it.
-- 
Thanks,
Zac



* Re: [gentoo-dev] pax-utils.eclass: elog -> einfo?
From: "Paweł Hajdan, Jr." @ 2011-03-21 12:26 UTC
  To: gentoo-dev

On 3/17/11 11:18 PM, Mike Frysinger wrote:
> also, this code is run at the pkg_* stage, so it's not the normal src host 
> feature detection.  and we're talking about minor output behavior.

Is calling pax-mark in src_compile a misuse then? At least one ebuild I
maintain does that (and at least in one case it'd have to be either in
src_compile or src_test because the test binary has to be pax-mark-ed).

By the way, what do you think about using the "hardened" USE flag to
control the elog behavior, and forcing it on the hardened profile? In my
opinion it's a bit hacky.

Would it make more sense to scan all installed files in pkg_postinst for
pax-mark-ed files, and then elog something?

Paweł Hajdan, Jr.


* Re: [gentoo-dev] pax-utils.eclass: elog -> einfo?
From: Mike Frysinger @ 2011-03-21 14:16 UTC
  To: gentoo-dev

On Mon, Mar 21, 2011 at 8:26 AM, "Paweł Hajdan, Jr." wrote:
> On 3/17/11 11:18 PM, Mike Frysinger wrote:
>> also, this code is run at the pkg_* stage, so it's not the normal src host
>> feature detection.  and we're talking about minor output behavior.
>
> Is calling pax-mark in src_compile a misuse then? At least one ebuild I
> maintain does that (and at least in one case it'd have to be either in
> src_compile or src_test because the test binary has to be pax-mark-ed).

because the PaX markings live in the ELF itself, calling in src_* is
valid.  i might even propose that this should be done only in src_*
steps and not the pkg_* steps.  the less crap needed to execute at
pkg_* time the better.

> By the way, what do you think about using the "hardened" USE flag to
> control the elog behavior, and forcing it on the hardened profile? In my
> opinion it's a bit hacky.

not worth the time

> Would it make more sense to scan all installed files in pkg_postinst for
> pax-mark-ed files, and then elog something?

that'd work for me, and would make the output much more concise
-mike


