Subject: Re: [gentoo-dev] Automagic pax-mark
From: Mike Gilbert
To: Gentoo Dev <gentoo-dev@lists.gentoo.org>
Date: Sun, 7 Apr 2013 17:20:49 -0400
In-Reply-To: <5161E0F1.1000308@gentoo.org>

On Sun, Apr 7, 2013 at 5:11 PM, Chí-Thanh Christopher Nguyễn wrote:
> Hello All,
>
> After recent changes in dev-lang/v8 and related ebuilds, the pax-mark call no
> longer has a || die. This means that the resulting binaries may have PT_PAX,
> XATTR_PAX, both or neither markings depending on kernel configuration,
> filesystem and mount options.
>
> I'd say that is not a good thing. If you agree with me, what could be done
> here? Have pax-mark die in the eclass or mandate || die in ebuilds? This
> would probably require pax-mark calls to be conditional on pax_kernel USE
> flag or similar.
>

Most ebuilds do not call pax-mark || die. Most people do not run PaX systems,
so a failure here is not a major issue.

I would like to see the kernel patch enabling user.pax attributes on tmpfs
submitted to Linus' kernel tree; that would eliminate the major cause of
failures here.

In the meantime, maybe we could disable XATTR_PAX markings by default for
people not using the hardened profile.