2017-05-02 19:23 GMT+02:00 "Tóth Attila" <at...@atoth.sote.hu>:
> On Tuesday, May 2, 2017, at 18:59, Daniel Cegiełka wrote:
>>> pax.?mark actually, since the eclass helper is called pax-mark. :)
>>> I'd hold off on removing those for at least a few months, though.
>>>
>>
>> If PAX_MPROTECT returns (KSPP?), then ebuilds will need to be
>> 'paxmarked' again. Years of work and PaX support ends in the trash.
>
> I must agree here. If there will be an alternative implementation, marking
> may regain its meaning. The same binaries need to be marked in some way or
> another. I wouldn't simply dump it unless it would disturb some
> functionality.

Even if PAX_MPROTECT somehow comes back to the kernel, there is no guarantee that it will be compatible with the current PaX ELF header (elf_phdata->p_flags & PF_MPROTECT) or PAX_XATTR_FLAGS (PAX_MPROTECT==0x04000000). Next, PaX functionality is added to the kernel gradually: one functionality per patch (e.g. PAX_USERCOPY -> HARDEN_USERCOPY). This means that any future solution will not be compatible with current PaX support. Again: years of work and PaX support ends in the trash.