On 16/04/14 06:00 AM, Thomas Bächler wrote:
Am 16.04.2014 11:52, schrieb Allan McRae:
On 16/04/14 17:25, Daniel Micay wrote:
On 16/04/14 03:15 AM, Daniel Micay wrote:
Pacman hooks would be a nicer solution than editing all the install scripts, but we don't have those :).
It also wouldn't be nearly as bad if packages could store extended attributes, since the ugly install scripts could be avoided and paxctl would only be a make dependency. Packages like iputils already run into this issue due to using capabilities as a replacement for setuid.
Just submitted a patch to pacman that will allow setting capabilites in the package() function.
Since we want PAX support to remain optional, we'd still need hooks so that after each upgrade, a script can adjust the flags appropriately.
It would have no impact on people not using it, since it would just be a very short string set in the `user.pax.flags` xattr key. For example, `setfattr -n user.pax.flags -v "mr" "$pkgdir/usr/bin/foo"` to disable MPROTECT and RANDMMAP features (on chromium, firefox, etc.). Of course, I'm imagining a future utopia where a critical mass of developers / trusted users are interested in maintaining this kind of thing. For the near future, users would just keep using the scary linux-pax-flags package if they wanted to enable PaX via sysctl.