On Thu, Oct 15, 2015 at 10:57:45AM +0200, Tobias Klausmann wrote:
> Hi!
>
> On Wed, 14 Oct 2015, Mike Frysinger wrote:
> > anyone opposed to flipping this flag on by default ?
> >
> > reference:
> > https://bugs.gentoo.org/506198
> > https://bugs.gentoo.org/556408
>
> No objection, but a bit of a datapoint. I use btrfs on one of my
> machines, and that filesystem (apparently) does not support
> XATTR_PAX markings. So on every update I get some packages with
> messages like these:
I used to run hardened on btrfs and it worked fine. PaX xattrs are in the
user namespace (user.pax.flags), which isn't protected (unlike e.g.
security.*). I don't remember doing anything special to enable xattrs on
btrfs; most of the newer FSs have them enabled by default. Can you try
this:

# getfattr -d -m- /bin/ping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=
# setfattr -n user.test -v "foo" ./ping
# setfattr -n user.pax.flags -v "me" ./ping
# getfattr -d -m- /bin/ping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=
user.pax.flags="me"
user.test="foo"

If this works then something else is causing those messages and we should
look into it further.

>
> >>> Messages generated for package app-emulation/qemu-2.4.0.1 by process 2675
> >>> on 20151013-150646 CEST:
>
> LOG: install
> Failed to set XATTR_PAX markings -me qemu-system-aarch64.
> Failed to set XATTR_PAX markings -me qemu-system-alpha.
> Failed to set XATTR_PAX markings -me qemu-system-i386.
> Failed to set XATTR_PAX markings -me qemu-system-x86_64.
> Failed to set XATTR_PAX markings -me qemu-aarch64.
> Failed to set XATTR_PAX markings -me qemu-alpha.
> Failed to set XATTR_PAX markings -me qemu-i386.
> Failed to set XATTR_PAX markings -me qemu-x86_64.
>
> Two things about this: the message is not really useful, unless I
> know what -me does. Also, I never requested anything PaX-ish, I
> just don't want to have SUID binaries when I can avoid it.

Not that it matters since you don't run hardened, but "m" means "disable
mprotect" and "e" means "disable trampoline emulation".

--
Jason

> By now the messages are just an annoyance/spam to me, but I
> suspect this may be more of a problem for people who have lower
> pain thresholds.
>
> Regards,
> Tobias
>
> --
> "Sendmail is the sort of tool that gave UNIX its bad reputation."
>   -- _System Performance Tuning_
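The manual setfattr/getfattr round-trip suggested above, and the explanation of what "-me" means, as an added example (not code from the thread or from Gentoo's pax-utils): a small Python script that writes user.pax.flags to a throwaway file in a given directory, reads it back, and reports a structured result instead of relying on eyeballing getfattr output, plus a decoder for the marking string. It uses the Linux-only os.setxattr/os.getxattr calls from the standard library. The decoder goes beyond the two letters explained in the mail: the full set of PaX flag letters (p/e/m/r/s, lowercase disables, uppercase enables) and the handling of a leading "-" as printed in the portage log lines are taken from the PaX and paxctl conventions, not from this thread.

```python
"""Probe whether a filesystem accepts PaX xattr markings and decode a marking.

Added example: not part of the original mailing-list thread.
"""
import errno
import os
import tempfile

# PaX flag letters as written by paxctl / pax-mark: lowercase disables a
# feature, uppercase enables it. Only "m" and "e" are explained in the
# thread; the others are assumed here from the PaX/paxctl documentation.
PAX_FEATURES = {
    "p": "PAGEEXEC",   # paging-based non-executable pages
    "e": "EMUTRAMP",   # trampoline emulation
    "m": "MPROTECT",   # mprotect() restrictions
    "r": "RANDMMAP",   # randomised mmap() base
    "s": "SEGMEXEC",   # segmentation-based non-executable pages
}

PAX_XATTR = "user.pax.flags"   # the user-namespace attribute named in the mail


def describe_pax_flags(marking):
    """Translate a marking such as "-me" or "PeMRs" into readable text.

    A leading "-" (as in the "Failed to set XATTR_PAX markings -me" lines)
    is ignored. Unknown letters raise ValueError so a typo does not pass
    silently.
    """
    out = []
    for ch in marking.lstrip("-"):
        feature = PAX_FEATURES.get(ch.lower())
        if feature is None:
            raise ValueError("unknown PaX flag %r" % ch)
        verb = "enable" if ch.isupper() else "disable"
        out.append("%s %s" % (verb, feature))
    return out


def probe_user_xattr(directory=None, marking="me"):
    """Set and read back user.pax.flags on a fresh file in `directory`.

    Returns a dict:
      supported: True if the value round-trips unchanged, else False
      readback:  the value read back, or None
      error:     errno name if the kernel/filesystem refused, else None
    """
    if not hasattr(os, "setxattr"):
        return {"supported": False, "readback": None,
                "error": "no xattr API on this platform"}
    directory = directory or tempfile.gettempdir()
    fd, path = tempfile.mkstemp(prefix="paxprobe-", dir=directory)
    os.close(fd)
    try:
        try:
            os.setxattr(path, PAX_XATTR, marking.encode())
        except OSError as exc:
            # ENOTSUP: no user.* xattr support (or mounted nouser_xattr);
            # other errnos are reported by name for the operator to inspect.
            name = errno.errorcode.get(exc.errno, str(exc.errno))
            return {"supported": False, "readback": None, "error": name}
        readback = os.getxattr(path, PAX_XATTR).decode()
        return {"supported": readback == marking,
                "readback": readback, "error": None}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("-me means:", ", ".join(describe_pax_flags("-me")))
    # Probe the directory that holds the binaries you care about, e.g. /bin,
    # since xattr support depends on the filesystem that directory lives on.
    print(probe_user_xattr())
```

Run it as root (or as the owner of the directory) against the filesystem that holds the installed binaries; a result with supported=False and error=ENOTSUP points at the filesystem or a nouser_xattr mount option, while supported=True means the xattr works and the portage messages have some other cause.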