
Bug 516158 (paxctl-directly)

Summary: [TRACKER] packages should call pax-mark via the pax-utils.eclass and not call paxctl or paxctl-ng directly
Product: Gentoo Linux
Reporter: Anthony Basile <blueness>
Component: Hardened
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED FIXED
Severity: normal
CC: bertrand, pageexec
Priority: Normal
Keywords: Tracker
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 515582, 517000, 532244    
Bug Blocks: 427888    

Description Anthony Basile gentoo-dev 2014-07-03 11:03:24 UTC
paxctl only does PT_PAX and not XATTR_PAX markings.  paxctl-ng (from the sys-apps/elfix package) does do both, but can be built to do only one or the other.  Finally, XATTR_PAX markings can also be done via setattr.  pax-mark from the pax-utils.eclass has the intelligence to best decide which to use, and so one should not call any of these directly.

In cases where pax-mark is not appropriate, e.g. in build systems, paxmark.sh (also from sys-apps/elfix) should be used, which provides the same intelligence as the eclass.

This is a tracker, so please open new bugs for each individual package.

Reproducible: Always
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-12-11 03:51:30 UTC
can we close this since we have no dependencies open?
Comment 2 Anthony Basile gentoo-dev 2014-12-11 14:28:00 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #1)
> can we close this since we have no dependencies open?

did you grep the tree to check? if yes, do it.
Comment 3 Jason Zaman gentoo-dev 2014-12-11 15:19:09 UTC
I just grepped through and filed bugs / fixed the one that was maint-needed.

Mono is the only outstanding one that is wrong.

there are a few old ebuilds still in the tree that use paxctl directly (wine and icedtea) but both have later versions that are fixed and at the same keywords, do we care about the old versions?
Comment 4 Anthony Basile gentoo-dev 2014-12-11 16:24:50 UTC
(In reply to Jason Zaman from comment #3)
> I just grepped through and filed bugs / fixed the one that was maint-needed.
> 
> Mono is the only outstanding one that is wrong.
> 
> there are a few old ebuilds still in the tree that use paxctl directly (wine
> and icedtea) but both have later versions that are fixed and at the same
> keywords, do we care about the old versions?

what a grep misses is build systems that use paxctl rather than paxmark.sh.  Let's leave this open for a while.
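
A heuristic version of the grep discussed in comments 2 to 4, as an added example that is not part of the original bug report or of Gentoo's tooling. It also checks Makefiles, shell scripts and configure scripts, so it can be pointed at an unpacked source tree as well as the ebuild tree; the file-name patterns, the regular expression and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Gentoo tooling): report direct paxctl / paxctl-ng calls.
# Heuristic: the tool name as its own word, followed by an option such as -m.
# pax-utils.eclass and paxmark.sh are skipped because they are the sanctioned
# wrappers; lines that are only a comment are dropped from the report.

find_direct_pax_calls() {   # $1 = ebuild tree or unpacked source directory
    find "$1" -type f \
        \( -name '*.ebuild' -o -name '*.eclass' -o -name 'Makefile*' \
           -o -name '*.mk' -o -name '*.sh' -o -name 'configure*' \) \
        ! -name 'pax-utils.eclass' ! -name 'paxmark.sh' \
        -exec grep -nE \
            '(^|[^[:alnum:]_-])paxctl(-ng)?[[:space:]]+-[[:alpha:]]' \
            /dev/null {} + |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' |
        sort
}

make_sample_tree() {        # constructed sample data, not real Gentoo files
    mkdir -p "$1/app-misc/foo" "$1/app-misc/bar" "$1/eclass" "$1/src"
    # Correct: goes through the eclass helper.
    printf '%s\n' 'inherit pax-utils' \
        'src_install() { pax-mark m "${D}/usr/bin/foo"; }' \
        > "$1/app-misc/foo/foo-1.0.ebuild"
    # Wrong: calls paxctl itself (line 3); lines 1 and 2 must not be reported.
    printf '%s\n' 'DEPEND="sys-apps/paxctl"' '# old: paxctl -m was fine' \
        'src_install() { paxctl -m "${D}/usr/bin/bar"; }' \
        > "$1/app-misc/bar/bar-2.0.ebuild"
    # Wrong: an upstream build system calling paxctl-ng instead of paxmark.sh.
    printf 'install:\n\t/sbin/paxctl-ng -m $(BIN)\n' > "$1/src/Makefile"
    # The wrapper itself is expected to call the tool and is skipped.
    printf '%s\n' 'paxctl -m "$1"' > "$1/eclass/pax-utils.eclass"
}

# Demo run on the constructed tree: prints file:line:content for each hit.
demo=$(mktemp -d)
make_sample_tree "$demo"
find_direct_pax_calls "$demo"
rm -rf "$demo"
```

Calls made through a variable (for example a build system that stores the tool path in a make variable) are not matched by this pattern and still need manual review.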
Comment 5 Doug Goldstein (RETIRED) gentoo-dev 2018-03-11 05:40:23 UTC
Can you define "a while"? 3+ years good enough?