From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <514F9840.7030204@gentoo.org>
Date: Sun, 24 Mar 2013 20:20:16 -0400
From: "Anthony G. Basile"
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Proposed update to pax-utils.eclass
References: <5145B4B9.3070104@gentoo.org>
In-Reply-To: <5145B4B9.3070104@gentoo.org>

On 03/17/2013 08:19 AM, Anthony G. Basile wrote:
> Hi everyone,
>
> The hardened team has been working on getting PaX markings moved to
> Extended Attributes rather than putting them in a program header of
> the ELF binaries [1]. The motivation here is that this is a generally
> safer way of doing PaX markings since mangling an ELF binary can break
> things [2].
>
> The last step in the process is getting an eclass on the tree which
> does both xattr as well as elf phdr based PaX markings. We've been
> testing one for a while and we think we've clobbered all the bugs. The
> eclass deviates significantly from the one on the tree, so I'm not
> sure a diff is the best way to present it. The current version is on
> the hardened-dev overlay [3]. It also makes use of a new utility
> called paxctl-ng which does what paxctl did but also with xattr [4].
>
> You may want to look at some documentation too. An updated discussion
> of PaX which includes xattr stuff is at [5]. A migration guide is at
> [6].
>
> Please review. We are in no rush to get this done, so if you find
> bugs or have concerns, add blockers to the tracker [1].
>
>
> Ref.
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=427888
>
> [2] eg skype, https://bugs.gentoo.org/show_bug.cgi?id=461668
>
> [3] http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=eclass/pax-utils.eclass;h=b27d5e2f6e503cf47e9e321e441f1fe8c9c1dbd8;hb=646c49292c140491c3e1aee58a82f3c3b6a4e99f
>
> [4] This is part of the sys-apps/elfix package. The repo is at
> http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary
>
> [5] http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml
>
> [6] http://www.gentoo.org/proj/en/hardened/pax-migrate-xattr.xml
>

Last call, does anyone have a problem with me updating the pax-utils.eclass? See Ref [3] above for the code. I'll wait a couple more days and then do it.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA
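As an added illustration, not code from this thread, from elfix or from pax-utils.eclass: a small Python audit helper that reads PaX markings from both places the thread discusses, the PT_PAX_FLAGS program header inside the ELF and the user.pax.flags extended attribute that paxctl-ng writes, and reports a program header whose enable and disable bits contradict each other. The constants are the PaX project's own values; the ELF image parsed here is a constructed minimal ELF64 stub, and the function names are my own.

```python
import os
import struct
# PT_PAX_FLAGS and the flag bits come from PaX's ELF extension; the xattr name is paxctl-ng's.
PT_PAX_FLAGS = 0x65041580
PAX_XATTR = "user.pax.flags"
PAX_FLAGS = [  # display letter, enable bit, disable bit
    ("P", 1 << 4, 1 << 5),    # PAGEEXEC
    ("E", 1 << 12, 1 << 13),  # EMUTRAMP
    ("M", 1 << 8, 1 << 9),    # MPROTECT
    ("R", 1 << 14, 1 << 15),  # RANDMMAP
    ("X", 1 << 10, 1 << 11),  # RANDEXEC
    ("S", 1 << 6, 1 << 7),    # SEGMEXEC
]
SAMPLE_FLAGS = (1 << 4) | (1 << 13) | (1 << 8) | (1 << 14) | (1 << 11) | (1 << 6)  # "PeMRxS"

def build_sample_elf(p_flags):
    """Constructed minimal little-endian ELF64 image: header plus one PT_PAX_FLAGS phdr."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)      # ELFCLASS64, LSB, EV_CURRENT
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr

def phdr_pax_flags(elf):
    """Return p_flags of the PT_PAX_FLAGS program header, or None if the ELF64 has none."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if elf[5] == 1 else ">"                          # EI_DATA selects byte order
    (phoff,) = struct.unpack_from(end + "Q", elf, 0x20)        # e_phoff
    phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)  # e_phentsize, e_phnum
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from(end + "II", elf, phoff + i * phentsize)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None

def flags_to_string(p_flags):
    """Render like paxctl: upper = enabled, lower = disabled, '-' = not marked."""
    return "".join(l if p_flags & on else l.lower() if p_flags & off else "-"
                   for l, on, off in PAX_FLAGS)

def conflicts(p_flags):
    """Letters whose enable and disable bits are both set; such a phdr is malformed."""
    return [l for l, on, off in PAX_FLAGS if p_flags & on and p_flags & off]

def xattr_pax_flags(path):
    """The user.pax.flags string paxctl-ng stores, or None when absent or unsupported."""
    try:
        return os.getxattr(path, PAX_XATTR).decode()
    except (OSError, AttributeError):
        return None
```

Comparing flags_to_string(phdr_pax_flags(data)) against xattr_pax_flags(path) on a real binary shows whether its two markings agree, which is the question a migration between the two schemes raises.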