On Thursday, July 14, 2011 18:52:04 Anthony G. Basile wrote:
> 2) The choice of a hardened kernel is made by emerging
> hardened-sources, configuring, compiling, booting.  There is no use flag
> for this choice per se.  That means that virtual/linux-sources would
> remove the condition RDEPEND:
> 
>     hardened? ( =sys-kernel/hardened-sources-2.6* )
> 
> and simply replace it with
> 
>     =sys-kernel/hardened-sources-2.6*

I think this change can be made regardless of any other.  The hardened-sources
package always provides a kernel, so there is no need to require USE=hardened
in order for this to satisfy the virtual.

> 3) Since a hardened kernel can be configured with various flavors of
> "pax" or "grsec" or "selinux", there should be useflags to reflect
> userland needs to conform.  There already is a "selinux" flag which is
> set by selinux profiles. Currently we don't see a need for a "grsec"
> flag, however, there is a need for a "pax" global use flag which we
> propose calling "pax_kernel".  (If nothing else to distinguish it from
> app-arch/pax.)
> 
> Userland binaries which will run under a pax enabled kernel may need
> special treatment to run, or else they'll be killed by the kernel.  The
> best example here is an RWX mmapping.  Although the ideal case is to
> "fix the code" this is not always feasible and so binaries will still
> need markings with paxctl -m.

If `paxctl` is installed, then I say always run `paxctl` on the problematic
binaries regardless of USE flags.  Have the hardened-sources package depend on
paxctl, and then that takes care of the dependency.
-mike
