From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <gentoo-hardened+bounces-4738-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 7B60713877A for <garchives@archives.gentoo.org>; Thu, 3 Jul 2014 10:47:49 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 70FB8E08AC; Thu, 3 Jul 2014 10:47:47 +0000 (UTC)
Received: from virtual.dyc.edu (mail.virtual.dyc.edu [67.222.116.22]) by pigeon.gentoo.org (Postfix) with ESMTP id 5A097E08A5 for <gentoo-hardened@lists.gentoo.org>; Thu, 3 Jul 2014 10:47:46 +0000 (UTC)
Received: from [192.168.3.7] (cpe-74-77-145-97.buffalo.res.rr.com [74.77.145.97]) by virtual.dyc.edu (Postfix) with ESMTPSA id 3A5317E00E5 for <gentoo-hardened@lists.gentoo.org>; Thu, 3 Jul 2014 06:47:43 -0400 (EDT)
Message-ID: <53B5350A.4050700@opensource.dyc.edu>
Date: Thu, 03 Jul 2014 06:48:42 -0400
From: "Anthony G. Basile" <basile@opensource.dyc.edu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
Precedence: bulk
List-Post: <mailto:gentoo-hardened@lists.gentoo.org>
List-Help: <mailto:gentoo-hardened+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-hardened+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-hardened+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-hardened.gentoo.org>
X-BeenThere: gentoo-hardened@lists.gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Help testing full end-to-end xattr support in portage
References: <53A982CE.30901@opensource.dyc.edu> <20140627001737.42eccdb4@gentp.lnet> <53AEAB4E.2070906@opensource.dyc.edu> <20140702154119.78f11d0d@gentp.lnet> <53B533C0.7070502@opensource.dyc.edu>
In-Reply-To: <53B533C0.7070502@opensource.dyc.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 7494dbef-88be-441d-ae7f-5b09df16d72b
X-Archives-Hash: 4f60856e3a0bfe74570dc0a0291a4dff

On 07/03/14 06:43, Anthony G. Basile wrote:
> On 07/02/14 09:41, Luis Ressel wrote:
>> On Sat, 28 Jun 2014 07:47:26 -0400
>> "Anthony G. Basile" <basile@opensource.dyc.edu> wrote:
>>
>>> There are two advantages to paxctl over paxctl-ng from elfix: 1) It doesn't depend on elfutils to do its manipulation of elf phdr's. 2) It does try to convert or create a PT_PAX_FLAGS phdr by either creating (-C) or converting (-c) a PT_GNU_STACK phdr.
>>>
>>> The advantage of paxctl-ng over paxctl is 1) it is designed to do both PT_PAX and/or XATTR_PAX markings, 2) it is consciously designed to not try to create/convert ELF phdr's.
>>>
>>> If we ever drop the PT_PAX_FLAGS patch from binutils then paxctl would no longer be needed and paxctl-ng can be reduced to just doing XATTR_PAX markings.
>>>
>>> One step at a time ;)
>>
>> Okay, that sounds reasonable. And as paxctl is a small program, it doesn't hurt to have it around on XATTR_PAX-only systems even though it's not needed.
>>
>> But there's still an issue. According to [1], 15 packages still depend on or invoke paxctl directly. One example is dev-lisp/sbcl, which needs pax markings at one point right in the middle of the build process and therefore can't use the pax eclass, at least not in a simple way. This doesn't work on systems like mine which don't respect PT_PAX flags.
>>
>> I'm currently working on a patch for sbcl (there are selinux-related issues as well), but please have a look at the other ebuilds.
>>
>> [1] $ echo /usr/portage/*/*/*.ebuild|xargs -n1000 grep -P 'paxctl(?!-ng)'|cut -d: -f1
>>
>>
>> Regards,
>> Luis Ressel
>>
>
> Yep, open a tracker bug for packages that invoke paxctl directly, and attach that to the main tracker bug, bug #427888.
>

Actually I'll do it.

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
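The scan Luis describes in [1] (ebuilds that call `paxctl` directly rather than `paxctl-ng` or the pax-utils eclass) can be run as a small POSIX shell script. The script below is an added example written for this archive page, not code from the thread or from Gentoo; it avoids `grep -P` by deleting every `paxctl-ng` token before matching, so it runs on any `grep`. The sample tree it builds (package names, versions and ebuild bodies) is constructed for the demonstration and is not taken from the real portage tree.

```shell
#!/bin/sh
# Added example: find ebuilds in a portage-style tree that invoke paxctl
# directly.  "paxctl-ng" is stripped first, so a line mentioning only the
# new tool is not reported; the pax-utils eclass's pax-mark helper does not
# contain the string "paxctl" at all and is therefore never reported.
set -eu

# Print "<path> direct-paxctl" for every matching ebuild under $1, noting
# when the ebuild also inherits pax-utils (a hint that pax-mark could be
# used instead).  Output is sorted so results are stable.
find_paxctl_ebuilds() {
    tree="$1"
    find "$tree" -name '*.ebuild' -type f | sort | while read -r ebuild; do
        if sed 's/paxctl-ng//g' "$ebuild" | grep -q 'paxctl'; then
            if grep -q '^inherit.*pax-utils' "$ebuild"; then
                printf '%s direct-paxctl (also inherits pax-utils)\n' "$ebuild"
            else
                printf '%s direct-paxctl\n' "$ebuild"
            fi
        fi
    done
}

# Number of ebuilds flagged under $1, for a one-line summary.
count_paxctl_ebuilds() {
    find_paxctl_ebuilds "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree under $1: one ebuild calling paxctl in
# the middle of src_compile (the sbcl-style case from the thread), one
# using pax-mark from the eclass, and one already on paxctl-ng.  The
# versions and ebuild contents are hypothetical.
make_sample_tree() {
    tree="$1"
    mkdir -p "$tree/dev-lisp/sbcl" "$tree/app-misc/uses-eclass" "$tree/app-misc/uses-ng"
    cat > "$tree/dev-lisp/sbcl/sbcl-0.0.ebuild" <<'EOF'
EAPI=5
src_compile() {
    # needs a PT_PAX_FLAGS marking before the build can continue
    paxctl -Cm src/runtime/sbcl || die
}
EOF
    cat > "$tree/app-misc/uses-eclass/uses-eclass-0.ebuild" <<'EOF'
EAPI=5
inherit pax-utils
src_install() {
    pax-mark m "${D}"/usr/bin/foo
}
EOF
    cat > "$tree/app-misc/uses-ng/uses-ng-0.ebuild" <<'EOF'
EAPI=5
src_install() {
    paxctl-ng -m "${D}"/usr/bin/bar
}
EOF
}

# Demo run against the constructed tree; point find_paxctl_ebuilds at
# /usr/portage (or any overlay) to scan a real tree.
main() {
    tmp="${TMPDIR:-/tmp}/paxscan.$$"
    make_sample_tree "$tmp"
    find_paxctl_ebuilds "$tmp"
    echo "flagged: $(count_paxctl_ebuilds "$tmp")"
    rm -rf "$tmp"
}

main
```

Only the sbcl-style ebuild is reported; the eclass user and the paxctl-ng user are skipped, which is the distinction the thread's `paxctl(?!-ng)` lookahead was drawing.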