public inbox for gentoo-dev@lists.gentoo.org
From: Duncan <1i5t5.duncan@cox.net>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] Re: [rfc] enable USE=xattr by default
Date: Thu, 15 Oct 2015 12:07:00 +0000 (UTC)
Message-ID: <pan$4526d$f94981d4$9f9a22cc$1e2e87bb@cox.net>
In-Reply-To: 20151015140929.40f44daa@laptop.puleglot.ru

Alexander Tsoy posted on Thu, 15 Oct 2015 14:09:29 +0300 as excerpted:

> On Thu, 15 Oct 2015 18:56:28 +0800 Jason Zaman <perfinion@gentoo.org>
> wrote:
> 
>> On Thu, Oct 15, 2015 at 10:57:45AM +0200, Tobias Klausmann wrote:
>> > Hi!
>> > 
>> > On Wed, 14 Oct 2015, Mike Frysinger wrote:
>> > > anyone opposed to flipping this flag on by default ?
>> > > 
>> > > reference:
>> > > https://bugs.gentoo.org/506198 https://bugs.gentoo.org/556408
>> > 
>> > No objection, but a bit of a datapoint. I use btrfs on one of my
>> > machines, and that filesystem (apparently) does not support XATTR_PAX
>> > markings. So on every update I get some packages with messages like
>> > these:
>> 
>> I used to run hardened on btrfs and it worked fine. pax xattrs are in
>> the user namespace (user.pax.flags) which isn't protected (unlike eg.
>> security.*). I don't remember doing anything special to enable xattrs on
>> btrfs, most of the newer FSs have them enabled by default.
>> 
>> Can you try this:
>> 
>> # getfattr -d -m- /bin/ping
> 
> I think he should check xattr support in PORTAGE_TMPDIR in the first
> place. :) I suspect something like tmpfs mounted on it (and
> CONFIG_TMPFS_XATTR=n in the kernel config).

As I posted, I have the same problem here (tho I didn't blame btrfs), but 
while PORTAGE_TMPDIR is indeed tmpfs, zgrep XATTR /proc/config.gz says 
CONFIG_TMPFS_XATTR=y, so that's not it.

But the closest thing btrfs has to that option is 
CONFIG_BTRFS_FS_POSIX_ACL, which I do NOT have enabled, so if it's 
required...

Meanwhile, the setfattr/getfattr test works (tho getfattr says it's 
removing the leading /).  So it would appear btrfs is fine, and the tmpfs 
PORTAGE_TMPDIR is fine, but I still get those XATTR_PAX failed-to-set 
warnings.

Tho I just remerged iputils and didn't get the warnings, so maybe we're 
not checking the right binaries?

IIRC, firefox gave me the warnings, however, and I'm doing an update 
including 41.0.1 ATM, so I can verify, tho of course FF takes awhile to 
build and it's near the end of a list of 100+ packages to update, so...

Could it be related to one of FEATURES="ipc-sandbox sandbox userpriv 
usersandbox xattr" (choosing a few from my set that look like possible 
candidates)?

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
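
Added example (not part of the thread and not Portage's own code): the checks discussed above, run against the build directory itself rather than an installed binary. It writes user.pax.flags to a scratch file and separates "not supported" from "permission denied", and it reads the two kernel options named in the thread from config text. The function names, the sample flag value and the /var/tmp fallback are assumptions made for this example.

```python
import errno
import os
import tempfile

PAX_ATTR = "user.pax.flags"  # attribute name quoted in the thread


def probe_user_xattr(directory, setxattr=None, getxattr=None):
    """Classify user.* xattr support in `directory` by writing a scratch file.

    setxattr/getxattr default to the os module's calls; they are parameters
    only so the failure paths can be exercised without a special filesystem.
    """
    setxattr = setxattr or os.setxattr
    getxattr = getxattr or os.getxattr
    fd, path = tempfile.mkstemp(prefix="xattr-probe-", dir=directory)
    os.close(fd)
    try:
        setxattr(path, PAX_ATTR, b"em")  # constructed sample value
        return "ok" if getxattr(path, PAX_ATTR) == b"em" else "mismatch"
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return "unsupported"  # filesystem or kernel refuses the attribute
        if exc.errno in (errno.EPERM, errno.EACCES):
            return "denied"       # the call was refused on permission grounds
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        os.unlink(path)


def kconfig_options(config_text, names):
    """Map each option to its value; None for 'is not set' or absent."""
    found = dict.fromkeys(names)
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in found:
            found[key] = value.strip()
    return found


if __name__ == "__main__":
    import gzip
    # Assumption: fall back to /var/tmp when PORTAGE_TMPDIR is not exported.
    tmpdir = os.environ.get("PORTAGE_TMPDIR", "/var/tmp")
    print(tmpdir, "->", probe_user_xattr(tmpdir))
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as fh:
            print(kconfig_options(fh.read(), ["CONFIG_TMPFS_XATTR",
                                              "CONFIG_BTRFS_FS_POSIX_ACL"]))
```

Run it as the user that performs the build, since a probe run as root can succeed where the build user's call is refused.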


