[arch-dev-public] providing grsecurity in [community]
Thomas Bächler
thomas at archlinux.org
Wed Apr 16 07:36:11 EDT 2014
On 16.04.2014 12:21, Allan McRae wrote:
>>> Just submitted a patch to pacman that will allow setting capabilities in
>>> the package() function.
>>
>> Since we want PAX support to remain optional, we'd still need hooks so
>> that after each upgrade, a script can adjust the flags appropriately.
>
> Sure... I really don't care about PAX (and think it should just be
> packaged in a separate repo...). I just wanted pacman to support
> setting capabilities during packaging.
I am not sure that your patch will work at all due to limitations of
fakeroot. I just tested this shortly, and fakeroot supports setting file
capabilities using setcap, but not setting ACLs using setfacl.

So, support for extended attributes in fakeroot is incomplete at best.

A further look indicates that this may simply be stupidity on the side
of fakeroot: it explicitly hardcodes ENOTSUP for acl_{s,g}et_f{ile,d},
while the now implemented f{s,g}etxattr support should be sufficient in
order to support ACLs entirely. I guess these acl overrides are remnants
of the days when xattr support was missing.

Anyway, we need to fix fakeroot before this makepkg feature can be useful.
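
Added example, not part of the original message and not code from fakeroot or pacman: Linux stores both file capabilities and POSIX ACLs as extended attributes (`security.capability` and `system.posix_acl_access`), and this Python sketch decodes both from constructed sample values so a packager can inspect what a build step wrote. The function names, the capability-name subset and the sample bytes are assumptions made for illustration.

```python
import struct

# Layouts from linux/posix_acl_xattr.h and linux/capability.h (little-endian).
ACL_TAGS = {0x01: "user", 0x02: "user", 0x04: "group",
            0x08: "group", 0x10: "mask", 0x20: "other"}
NAMED = (0x02, 0x08)  # entries that carry a uid/gid qualifier
CAP_NAMES = {10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw"}  # subset

def decode_acl(blob):
    """Decode a system.posix_acl_access value into getfacl-style lines."""
    if len(blob) < 4 or (len(blob) - 4) % 8:
        raise ValueError("truncated ACL xattr")
    if struct.unpack_from("<I", blob)[0] != 2:  # POSIX_ACL_XATTR_VERSION
        raise ValueError("unsupported ACL xattr version")
    lines = []
    for off in range(4, len(blob), 8):
        tag, perm, ident = struct.unpack_from("<HHI", blob, off)
        if tag not in ACL_TAGS:
            raise ValueError(f"unknown ACL tag {tag:#x}")
        who = str(ident) if tag in NAMED else ""
        bits = "".join(c if perm & m else "-" for c, m in zip("rwx", (4, 2, 1)))
        lines.append(f"{ACL_TAGS[tag]}:{who}:{bits}")
    return lines

def decode_caps(blob):
    """Decode a security.capability value (VFS capability revision 2 or 3)."""
    if len(blob) < 20:
        raise ValueError("truncated capability xattr")
    magic, p_lo, _i_lo, p_hi, _i_hi = struct.unpack_from("<5I", blob)
    if magic & 0xFF000000 not in (0x02000000, 0x03000000):
        raise ValueError("unsupported capability revision")
    permitted = p_lo | (p_hi << 32)
    names = [CAP_NAMES.get(n, f"cap_{n}") for n in range(64) if permitted >> n & 1]
    return {"permitted": names, "effective": bool(magic & 1)}

# Constructed sample values, shaped like what getxattr(2) returns for each name.
SAMPLE_XATTRS = {
    "system.posix_acl_access": struct.pack("<I", 2) + b"".join(
        struct.pack("<HHI", *e) for e in [
            (0x01, 6, 0xFFFFFFFF), (0x02, 6, 1000), (0x04, 4, 0xFFFFFFFF),
            (0x10, 6, 0xFFFFFFFF), (0x20, 4, 0xFFFFFFFF)]),
    "security.capability": bytes.fromhex("0100000200200000" + "00" * 12),
}

if __name__ == "__main__":
    print(decode_acl(SAMPLE_XATTRS["system.posix_acl_access"]))
    print(decode_caps(SAMPLE_XATTRS["security.capability"]))
```

On a real file the same bytes can be read with `os.getxattr(path, name)` and passed to these functions.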