On 16/04/14 02:46 AM, Allan McRae wrote:
> Which packages? We need the details.
For just the basics (most of PaX disabled), there's no external work required. It would be useful with just the kernel and userland tools in [community] and no extra work done on other packages. Enabling the PaX features requires marking a fairly long list of binaries with exceptions to the rules via the PaX extended attributes in the install scripts. For example, web browsers require memory that's both executable + writable (requiring an mprotect exception) and many programs are broken by stuff like the ASLR improvements due to depending on all kinds of undefined behaviour. The `paxctl` command for this is a 0.06MiB package with a single binary and man page, so the drawback would be the work required rather than any form of dependency bloat. It wouldn't be reasonable to report every case via the issue tracker; someone would actually have to be interested in systematically adding them to [core] and [extra] packages. If you want a nearly full list of the packages, you can look in the linux-pax-flags AUR package, which is a total hack adding the PaX xattrs when the user runs a command. Doing it that way means any upgrades are going to break everything until the user runs the script, so I'm just planning on leaving the features disabled at first. Pacman hooks would be a nicer solution than editing all the install scripts, but we don't have those :).
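The message above describes marking binaries with PaX exception flags. As an added example (not code from the thread or from linux-pax-flags), here is a small auditor that parses flag strings of the form paxctl documents (uppercase enables a feature, lowercase disables it: P/E/M/R/X/S for PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP, RANDEXEC, SEGMEXEC) and reports which protections each marking gives up; the binary paths and flag values are constructed samples.

```python
# Added example: parse PaX marking strings (the letter set used by paxctl and
# by the user.pax.flags xattr) and report which protections are switched off,
# so a maintainer can see what a set of per-package exceptions costs.

PAX_FEATURES = {
    "p": "PAGEEXEC",
    "e": "EMUTRAMP",
    "m": "MPROTECT",
    "r": "RANDMMAP",
    "x": "RANDEXEC",
    "s": "SEGMEXEC",
}


def parse_pax_flags(flags: str) -> dict:
    """Map each feature to True (forced on), False (forced off) or None
    (left at the system default). Rejects unknown letters and a feature
    given in both cases, which paxctl would also refuse."""
    state = {name: None for name in PAX_FEATURES.values()}
    for ch in flags:
        key = ch.lower()
        if key not in PAX_FEATURES:
            raise ValueError(f"unknown PaX flag {ch!r}")
        name = PAX_FEATURES[key]
        enabled = ch.isupper()
        if state[name] is not None and state[name] != enabled:
            raise ValueError(f"conflicting settings for {name}")
        state[name] = enabled
    return state


def disabled_features(flags: str) -> list:
    """Sorted names of the protections a marking explicitly disables."""
    return sorted(n for n, v in parse_pax_flags(flags).items() if v is False)


def audit(markings: dict) -> dict:
    """markings: {binary path: flag string}. Returns only the binaries that
    actually give something up, with the list of disabled protections."""
    return {p: off for p, f in markings.items() if (off := disabled_features(f))}


# Constructed sample markings (hypothetical paths), modelled on the browser
# case in the message: a JIT needs W+X memory, hence an MPROTECT exception.
SAMPLE_MARKINGS = {
    "/usr/bin/example-browser": "em",
    "/usr/bin/example-jit-tool": "m",
    "/usr/bin/example-hardened": "PEMRXS",  # every feature explicitly on
}

if __name__ == "__main__":
    for path, off in audit(SAMPLE_MARKINGS).items():
        print(f"{path}: disables {', '.join(off)}")
```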