On 12/18/14 20:36, Matthew Thode wrote:
> On 12/18/2014 07:09 PM, Anthony G. Basile wrote:
>> Hi fellow hardened devs:
>>
>> I'm sorry for missing the meeting but things came up and the day got
>> hectic.  It is an important meeting because we were to discuss:
>>
>> 1) what we want with toolchain.eclass - There is a move to get rid of
>> the eclass because it is "messy".  This is probably a bad thing in
>> general and especially for hardened so we should discuss the pros and
>> cons and what we want.
>>
>> 2) what to do about tar and POSIX capabilities in the context of
>> building stage3's.  Utilities like ping that used to be setuid to root
>> are now just using posix caps.  But preserving xattrs with tar is
>> tricky.  Since we dealt with this for the user.pax.* xattr namespace
>> jmbsvicetto asked us to look at security.capability.  However, the issue
>> may now be moot because I just got a message from him that
>>
>> tar --xattrs --xattrs-include=security.capability --xattrs-include=user.* --acls -xjpvf
>>
>> works to get us all the xattr goodies we need for hardened and gentoo in
>> general.
>>
>>
>> We should try to discuss 1 soon-ish before Cthulhu awakens and madness
>> reigns in gentoo.
>
> regarding 1: a refactoring is in order probably, but what are the
> specific complaints?

mgorny doesn't like it and says it's intrusive. I was not able to get more out of him. See

https://www.marc.info/?l=gentoo-dev&m=141804148612262&w=2


> regarding 2: The thing we need to ask is if we want to ask users to run
> that to extract stage3 tarballs, instead of -xf and the like.


Also responding to Swift. Since we build the stage3's we decide what xattrs get in there from what is set by the ebuilds --- "we" = any gentoo dev via the ebuild he/she writes. The question then is up to us what we want. Right now we are including only security.capability and user.pax.flags. releng has adopted a blacklist policy where all xattrs are excluded unless we specifically include them. So acls and selinux are not included.

Note: this is just what gets into the stage3 tarball. Once unpacked, the user is free to set whatever xattrs he/she wants.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
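The thread hinges on what xattrs a stage3 tarball actually carries (security.capability on ping, user.pax.flags, nothing else under releng's include list) and on the fact that a plain `-xf` silently drops them. The script below is an added example, not code from this thread or from releng: it builds a constructed miniature stage tarball, then audits it the way a release engineer would before publishing, listing every member that carries an xattr, decoding security.capability values, and flagging any attribute outside the include list. It relies on GNU tar's convention of storing each xattr as a pax extended header named SCHILY.xattr.<name>, and on the VFS_CAP_REVISION_2 layout from linux/capability.h; the sample file contents, the PaX flag value and the user.comment attribute are constructed for the demo.

```python
"""Audit which extended attributes a stage tarball carries (added example)."""
import io
import os
import struct
import tarfile
import tempfile

# GNU tar --xattrs records each extended attribute as a pax header record
# "SCHILY.xattr.<name>" whose value is the raw attribute bytes.
XATTR_PREFIX = "SCHILY.xattr."

# The include list the thread describes releng using for stage3 tarballs.
STAGE3_INCLUDED_XATTRS = ("security.capability", "user.pax.flags")

# Constants from linux/capability.h (VFS_CAP_REVISION_2 on-disk layout).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
CAP_NET_RAW = 13


def encode_capability(cap_numbers, effective=True):
    """Build a revision-2 security.capability value (constructed here for the
    sample archive; on a real system setcap writes it)."""
    bits = 0
    for n in cap_numbers:
        bits |= 1 << n
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    # magic_etc, permitted[0], inheritable[0], permitted[1], inheritable[1]
    return struct.pack("<IIIII", magic, bits & 0xFFFFFFFF, 0, bits >> 32, 0)


def decode_capability(raw):
    """Return (set of permitted capability numbers, effective flag)."""
    magic, p0, _i0, p1, _i1 = struct.unpack("<IIIII", raw[:20])
    if magic & VFS_CAP_REVISION_MASK != VFS_CAP_REVISION_2:
        raise ValueError("unsupported security.capability revision")
    bits = p0 | (p1 << 32)
    permitted = {n for n in range(64) if bits >> n & 1}
    return permitted, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def add_member(tar, name, data, xattrs):
    """Add a regular file whose xattrs are stored as SCHILY.xattr.* records."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mode = 0o755
    # tarfile keeps pax values as str; surrogateescape lets arbitrary bytes
    # round-trip (it re-encodes them the same way on write).
    info.pax_headers = {XATTR_PREFIX + k: v.decode("utf-8", "surrogateescape")
                        for k, v in xattrs.items()}
    tar.addfile(info, io.BytesIO(data))


def build_sample_stage(path):
    """Write a constructed miniature 'stage3': ping with cap_net_raw, a
    PaX-flagged binary, and one file carrying an xattr outside the policy."""
    with tarfile.open(path, "w", format=tarfile.PAX_FORMAT, encoding="utf-8") as tar:
        add_member(tar, "bin/ping", b"\x7fELF sample",
                   {"security.capability": encode_capability([CAP_NET_RAW])})
        add_member(tar, "usr/bin/python3", b"\x7fELF sample", {"user.pax.flags": b"m"})
        add_member(tar, "etc/motd", b"hello\n", {"user.comment": b"constructed"})
        add_member(tar, "bin/true", b"\x7fELF sample", {})


def list_xattrs(path):
    """Map member name -> {xattr name: raw bytes} for members carrying xattrs."""
    found = {}
    with tarfile.open(path, "r", encoding="utf-8") as tar:
        for m in tar:
            attrs = {k[len(XATTR_PREFIX):]: v.encode("utf-8", "surrogateescape")
                     for k, v in m.pax_headers.items() if k.startswith(XATTR_PREFIX)}
            if attrs:
                found[m.name] = attrs
    return found


def audit(path, included=STAGE3_INCLUDED_XATTRS):
    """Report capability-bearing members and any xattr outside the include list."""
    xattrs = list_xattrs(path)
    caps, unexpected = {}, []
    for member, attrs in xattrs.items():
        for name, raw in attrs.items():
            if name == "security.capability":
                caps[member] = decode_capability(raw)
            if name not in included:
                unexpected.append((member, name))
    return {"members_with_xattrs": sorted(xattrs),
            "capabilities": caps,
            "unexpected": sorted(unexpected)}


def run_demo():
    """Build the sample archive in a temp dir and return its audit result."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "stage3-sample.tar")
        build_sample_stage(path)
        return audit(path)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The audit only inspects the archive; Python's tarfile never applies xattrs when extracting, which is the same gap `-xf` has, so a user who wants ping to keep cap_net_raw still needs the `--xattrs --xattrs-include=...` invocation quoted above. Running the same audit on a real stage3 (`audit("/path/to/stage3.tar.bz2")`) shows at a glance whether anything beyond security.capability and user.pax.flags slipped past the include list.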
