[arch-dev-public] providing grsecurity in [community]

Thomas Bächler thomas at archlinux.org
Wed Apr 16 07:36:11 EDT 2014

Am 16.04.2014 12:21, schrieb Allan McRae:
>>> Just submitted a patch to pacman that will allow setting capabilites in
>>> the package() function.
>> Since we want PAX support to remain optional, we'd still need hooks so
>> that after each upgrade, a script can adjust the flags appropriately.
> Sure...   I really don't care about PAX (and think it should just be
> packaged in a separate repo...).  I just wanted pacman to support
> setting capabilities during packaging.

I am not sure that your patch will work at all due to limitations of
fakeroot. I just tested this shortly, and fakeroot supports setting file
capabilities using setcap, but not setting ACLs using setfacl.

So, support for extended attributes in fakeroot is incomplete at best.

A further look indicates that this may simply be stupidity on the side
of fakeroot: it explicitly hardcodes ENOTSUP for acl_{s,g}et_f{ile,d},
while the now implemented f{s,g}etxattr support should be sufficient in
order to support ACLs entirely. I guess these acl overrides are remnants
of the days when xattr support was missing.

Anyway, we need to fix fakeroot before this makepkg feature can be useful.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-dev-public/attachments/20140416/9bb65c64/attachment.asc>

More information about the arch-dev-public mailing list