
[gentoo-dev] Proposed update to pax-utils.eclass


Anthony G. Basile

Mar 17, 2013, 8:30:02 AM
Hi everyone,

The hardened team has been working on getting PaX markings moved to
Extended Attributes rather than putting them in a program header of the
ELF binaries [1]. The motivation here is that this is a generally safer
way of doing PaX markings since mangling an ELF binary can break things [2].

The last step in the process is getting an eclass on the tree which does
both xattr as well as elf phdr based PaX markings. We've been testing
one for a while and we think we've clobbered all the bugs. The eclass
deviates significantly from the one on the tree, so I'm not sure a
diff is the best way to present it. The current version is on the
hardened-dev overlay [3]. It also makes use of a new utility called
paxctl-ng which does what paxctl did but also with xattr [4].

You may want to look at some documentation too. An updated discussion of
PaX which includes xattr stuff is at [5]. A migration guide is at [6].

Please review. We are in no rush to get this done, so if you find bugs
or have concerns, add blockers to the tracker [1].


Ref.

[1] https://bugs.gentoo.org/show_bug.cgi?id=427888

[2] eg skype, https://bugs.gentoo.org/show_bug.cgi?id=461668

[3] http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=eclass/pax-utils.eclass;h=b27d5e2f6e503cf47e9e321e441f1fe8c9c1dbd8;hb=646c49292c140491c3e1aee58a82f3c3b6a4e99f

[4] This is part of the sys-apps/elfix package. The repo is at
http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary

[5] http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml

[6] http://www.gentoo.org/proj/en/hardened/pax-migrate-xattr.xml


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blue...@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
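The message above contrasts two ways of carrying PaX markings: rewriting the PT_PAX_FLAGS program header inside the ELF file, or storing the same flag string in the user.pax.flags extended attribute so the binary's bytes are never touched. The following is an added example written for this page, not code from the pax-utils.eclass or from elfix/paxctl-ng. It assumes bash, setfattr/getfattr from sys-apps/attr, and a filesystem with user xattrs enabled; the helper names (pax_flags_valid, pax_mark_xattr, pax_read_xattr) are this example's own. The validator also rejects a marking that both enables and disables the same flag (e.g. "Mm"), a check worth having before anything is written to the xattr:

```shell
#!/usr/bin/env bash
# Added example (not the eclass): PaX markings via the user.pax.flags xattr.
# Assumes setfattr/getfattr (sys-apps/attr) and a filesystem with user xattrs.

# Name of the xattr that PaX reads its per-file flags from.
PAX_XATTR_NAME="user.pax.flags"

# pax_flags_valid FLAGS
# Returns 0 when FLAGS is a well-formed PaX marking: only the letters
# P E M R X S (upper case enables, lower case disables), each flag named
# at most once, so "PeMRxs" is fine but "Mm" or "PP" is rejected.
pax_flags_valid() {
    local flags=$1 pair only
    [[ -n $flags && $flags =~ ^[PpEeMmRrXxSs]+$ ]] || return 1
    for pair in Pp Ee Mm Rr Xx Ss; do
        # Strip everything except this flag's two spellings and count what is left.
        only=${flags//[!$pair]/}
        (( ${#only} <= 1 )) || return 1
    done
    return 0
}

# pax_mark_xattr FILE FLAGS
# Writes FLAGS into user.pax.flags on FILE after validating them, then
# verifies that the file's contents are unchanged (the whole point of
# preferring xattrs over rewriting the ELF program header).
# Returns 0 on success, 1 on bad flags, 2 if the tools are missing,
# 3 if setfattr failed (e.g. xattrs unsupported), 4 if the file changed.
pax_mark_xattr() {
    local file=$1 flags=$2 before after
    pax_flags_valid "$flags" || return 1
    command -v setfattr >/dev/null && command -v sha256sum >/dev/null || return 2
    before=$(sha256sum "$file" | cut -d' ' -f1)
    setfattr -n "$PAX_XATTR_NAME" -v "$flags" "$file" || return 3
    after=$(sha256sum "$file" | cut -d' ' -f1)
    [[ $before == "$after" ]] || return 4
    return 0
}

# pax_read_xattr FILE
# Prints the current marking, or nothing if none is set.
pax_read_xattr() {
    command -v getfattr >/dev/null || return 2
    getfattr -n "$PAX_XATTR_NAME" --only-values "$1" 2>/dev/null
}

# Usage (only when run directly, not when sourced):
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    tmp=$(mktemp)                      # constructed stand-in for an ELF binary
    printf 'not really an ELF\n' > "$tmp"
    if pax_mark_xattr "$tmp" "PeMRxs"; then
        echo "marked: $(pax_read_xattr "$tmp")"
    else
        echo "marking failed with status $? (bad flags, no tools, or no xattr support)"
    fi
    rm -f "$tmp"
fi
```

Only the flag validation is exercised when this is sourced; the write path depends on the filesystem supporting user xattrs, which is exactly the migration concern the documentation in [6] addresses.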

Anthony G. Basile

Mar 24, 2013, 8:30:02 PM
Last call, does anyone have a problem with me updating the
pax-utils.eclass? See Ref [3] above for the code. I'll wait a couple
more days and then do it.

Gilles Dartiguelongue

Mar 27, 2013, 8:40:03 AM
On Sunday, 24 March 2013 at 20:20 -0400, Anthony G. Basile wrote:
> Last call, does anyone have a problem with me updating the
> pax-utils.eclass? See Ref [3] above for the code. I'll wait a couple
> more days and then do it.

Looks like the last conditional branch for XT marking in the pax-mark function
is not using the proper variables (pt_* instead of xt_*).

The PAX_MARKINGS variable is not documented with eclass documentation
markup, it should at least get an "@INTERNAL" if this is not supposed to
be modified by eclass users.

_pax_list_files can receive documentation this way as well.

You should probably try to avoid mixing [[ ]] and [ ] in the eclass. [ ]
seems to be less used here so just have everything [[ ]] and drop the
useless quoting that came with [ ].

The rest looks fine.

--
Gilles Dartiguelongue <e...@gentoo.org>
Gentoo

Alec Warner

Mar 27, 2013, 11:30:02 AM
You should never use [ in the tree.

-A