On 10/14/15 11:48 PM, Mike Frysinger wrote:
USE=xattr is needed nowadays to support:
- filesystem caps (those things that let you drop set*id and generally
improves system security w/little to no runtime overhead)
- PaX file markings (replaces binutils ELF markings)
- selinux
we actually have USE=filecaps on by default already, and catalyst
hard requires tar[xattr] in order to work. the hardened profile
also package.use.force's this flag on for some core packages.
not too many packages actually utilize this flag, and when they do,
it's to pull in the attr package which clocks in at <200 KiB. the
runtime overhead tends to be low to non-existent as xattrs tend to
be used only when requested.
when support is not available in the FS or kernel, packages should
generally fall back gracefully.
anyone opposed to flipping this flag on by default ?
do it. the only problem i see coming is kernel configurations which
don't have xattrs set. this can happen on embedded boards where its
difficult/impossible to swap out kernels (like some of the stuff i
have). fcaps.eclass has intelligence for this. i'll look again at
pax-utils.eclass and make sure there is enough error checking to deal
with kernel/filesystems that can't handle xattrs. i remember some issue
with scanfelf's exit code which caused some problem, but we can talk
about that later when i've refreshed the issue in my head.
reference:
https://bugs.gentoo.org/506198
https://bugs.gentoo.org/556408
-mike
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : bluen...@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
