[arch-dev-public] providing grsecurity in [community]

Allan McRae allan at archlinux.org
Wed Apr 16 08:16:11 EDT 2014


On 16/04/14 21:36, Thomas Bächler wrote:
> Am 16.04.2014 12:21, schrieb Allan McRae:
>>>> Just submitted a patch to pacman that will allow setting capabilites in
>>>> the package() function.
>>>
>>> Since we want PAX support to remain optional, we'd still need hooks so
>>> that after each upgrade, a script can adjust the flags appropriately.
>>
>> Sure...   I really don't care about PAX (and think it should just be
>> packaged in a separate repo...).  I just wanted pacman to support
>> setting capabilities during packaging.
> 
> I am not sure that your patch will work at all due to limitations of
> fakeroot. I just tested this shortly, and fakeroot supports setting file
> capabilities using setcap, but not setting ACLs using setfacl.
> 
> So, support for extended attributes in fakeroot is incomplete at best.
> 
> 
> 
> A further look indicates that this may simply be stupidity on the side
> of fakeroot: it explicitly hardcodes ENOTSUP for acl_{s,g}et_f{ile,d},
> while the now implemented f{s,g}etxattr support should be sufficient in
> order to support ACLs entirely. I guess these acl overrides are remnants
> of the days when xattr support was missing.
> 
> Anyway, we need to fix fakeroot before this makepkg feature can be useful.
> 

Getting off-topic...   but only one package in our repos uses setfacl
(systemd on the journal directory) in its install script, and seven use
setcap.  Getting the majority case fixed is still worth including this
in my opinion.  We can deal with get/setfacl when fakeroot does
properly.  Any chance you can take that upstream?

Also, I really thought setcap would be used in more install scripts!

A



More information about the arch-dev-public mailing list