On 10/22/2013 07:49 PM, Rick "Zero_Chaos" Farina wrote:
> On 10/22/2013 01:56 PM, Anthony G. Basile wrote:
>> On 10/22/2013 01:09 PM, Rick "Zero_Chaos" Farina wrote:
>>> On 10/21/2013 03:00 PM, Magnus Granberg wrote:
>>>> Agenda
>>>> 1.0 New Developer
>>>> 2.0 Toolchain
>>>> 3.0 Kernel/Grsec/Pax
>>>> 3.1 Use pax_kernel
>>>
>>> The USE=pax_kernel is used for two reasons. One reason is XYZ needs to
>>> be done or pax kills the build/test. The second reason is XYZ needs to
>>> be done to build against a hardened kernel.
>>
>> It is wrong to build anything against the kernel API except as defined
>> in /usr/include/linux, hardened or not. We have lots of ebuilds which
>> look at the kernel source tree in /usr/src/linux and build against it.
>> These are broken. The kernel source tree exposes many internal
>> structures which are subject to change without notice, not the least of
>> which afflicted iptables for the longest time.
>>
>> By extension, no ebuild should build against a hardened kernel source
>> tree. USE=pax_kernel should never mean "XYZ needs to be done to build
>> against a hardened kernel". It should only be used to mean "the ELFs
>> provided by this package *may* be run under a kernel with pax memory
>> protection enforced." If it's a question of an out-of-source-tree
>> kernel module being built and requiring a patch, e.g. constification, then
>> some other solution needs to be found.
>
> What ebuilds are we talking about here that fit the latter category?
> Kernel modules such as nvidia-drivers, which I'm confident are allowed
> to build against the kernel sources.
>
> -Zero

Out-of-source-tree kernel modules can (and often must) build against
/usr/src/linux. My comments were about userland.

Anyhow, back to the original issue, can't some local USE flag be used
here to say apply the constify patch? We don't want to pollute the
meaning of USE=pax_kernel.
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : bluen...@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
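The distinction Anthony draws above (userland must build only against the exported UAPI headers under /usr/include/linux, never against the kernel source tree) can be turned into a simple check over a package's build files. The following is an added example written for this page, not code from the thread or from Gentoo's tooling; the sample build lines and the set of patterns it flags are constructed assumptions, and a real run would feed it the lines of an unpacked package's Makefiles and sources.

```python
import re
from typing import List, Tuple

# Constructed sample: lines of the kind a userland package's Makefile or
# sources might contain. Only lines 3-6 reach into a kernel source tree;
# the plain <linux/...> include resolves under /usr/include and is fine.
SAMPLE_BUILD_LINES = [
    'CFLAGS += -I/usr/include',
    '#include <linux/if_packet.h>',
    'CFLAGS += -I/usr/src/linux/include',
    'CFLAGS += -I$(KERNEL_DIR)/include',
    '#include "/usr/src/linux/net/netfilter/nf_internals.h"',
    'KSRC ?= /lib/modules/$(shell uname -r)/build',
    'LDFLAGS += -L/usr/lib',
]

# Patterns that indicate a build is using the kernel source tree (whose
# internal structures change without notice) instead of the UAPI headers.
# The variable names are assumptions about common Makefile conventions.
KERNEL_TREE_PATTERNS = [
    (re.compile(r'/usr/src/linux'),
     'references /usr/src/linux directly'),
    (re.compile(r'\$\(?(KERNEL_DIR|KSRC|KBUILD_DIR)\)?'),
     'uses a kernel source-tree variable'),
    (re.compile(r'/lib/modules/[^/]+/build'),
     "points at the running kernel's build tree"),
]

Finding = Tuple[int, str, str]


def find_kernel_tree_refs(lines: List[str]) -> List[Finding]:
    """Return (line number, reason, line) for every line that builds
    against a kernel source tree rather than /usr/include/linux."""
    findings: List[Finding] = []
    for lineno, line in enumerate(lines, 1):
        for pattern, reason in KERNEL_TREE_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, reason, line.strip()))
                break  # one reason per line is enough
    return findings


def uses_only_uapi_headers(lines: List[str]) -> bool:
    """True when no line references a kernel source tree; the condition a
    userland ebuild should satisfy regardless of USE=pax_kernel."""
    return not find_kernel_tree_refs(lines)


def scan_file(path: str) -> List[Finding]:
    """Apply the check to a real build file (Makefile, .c, .h)."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        return find_kernel_tree_refs(fh.read().splitlines())


if __name__ == '__main__':
    for lineno, reason, text in find_kernel_tree_refs(SAMPLE_BUILD_LINES):
        print(f'line {lineno}: {reason}: {text}')
    print('userland-clean:', uses_only_uapi_headers(SAMPLE_BUILD_LINES))
```

Out-of-tree kernel modules such as the nvidia-drivers case Zero mentions are expected to trip this check, so it is only meaningful when pointed at packages that install userland ELFs; for those, a hit is the kind of breakage the thread describes, and the fix is to build against the UAPI headers, not to reach for USE=pax_kernel.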