
Missing use flags from new profiles
I have moved PCs from 'hardened/linux/amd64' to
'default/linux/amd64/17.0/hardened' and 'hardened/linux/amd64/selinux'
to 'default/linux/amd64/17.0/hardened/selinux' and found it necessary to
add the following use flags to avoid countless re-emerges:

MISSING="berkdb gdbm tcpd ptpax session dri urandom"

Is this a deliberate change or are they actually missing?

Thanks,

Robert Sharp
Re: Missing use flags from new profiles
On 12/15/2017 06:09 AM, Robert Sharp wrote:
>
> MISSING="berkdb gdbm tcpd ptpax session dri urandom"
>
> Is this a deliberate change or are they actually missing?
>

These are all intentional, but perhaps with an unintended side effect.
The default/linux profile sets,

USE="berkdb crypt ipv6 ncurses nls pam readline ssl tcpd zlib"
...
USE="${USE} cli pcre session"

Most of those flags are unnecessary, so the hardened profile disables
them (to reduce the surface area for attack):

# Default starting set of USE flags for all default/linux profiles.
# We unset them so we get a clean use flag profile.
USE="${USE} -berkdb -gdbm -tcpd"
USE="${USE} -fortran"
USE="${USE} -cli -session"
USE="${USE} -dri"
USE="${USE} -modules"

What that's trying to accomplish is to undo the overzealous USE in the
default/linux profile, but unfortunately, the "-foo" flags (with the
default stacking order in portage) will override the IUSE="+foo"
defaults set in the ebuilds themselves. So, for example, dev-lang/php
sets IUSE="+cli +session", but they'll be disabled when using the
hardened profile.

USE=ptpax is something else entirely. By now, everyone should be using
the default xattr markings with PAX_MARKINGS=XT in make.conf (the new
profile does this for you). USE=ptpax was dropped by default because you
shouldn't need it any more.

At least for "modules" and "session", we will eventually drop them as
defaults so that everything works right again:

* https://bugs.gentoo.org/635720 (modules)
* https://bugs.gentoo.org/635742 (session)
Re: Missing use flags from new profiles
On 15/12/17 14:49, Michael Orlitzky wrote:
> On 12/15/2017 06:09 AM, Robert Sharp wrote:
>> MISSING="berkdb gdbm tcpd ptpax session dri urandom"
>>
>> Is this a deliberate change or are they actually missing?
>>
> These are all intentional, but perhaps with an unintended side effect.
> The default/linux profile sets,
>
> USE="berkdb crypt ipv6 ncurses nls pam readline ssl tcpd zlib"
> ...
> USE="${USE} cli pcre session"
>
> Most of those flags are unnecessary, so the hardened profile disables
> them (to reduce the surface area for attack):
>
> # Default starting set of USE flags for all default/linux profiles.
> # We unset them so we get a clean use flag profile.
> USE="${USE} -berkdb -gdbm -tcpd"
> USE="${USE} -fortran"
> USE="${USE} -cli -session"
> USE="${USE} -dri"
> USE="${USE} -modules"
>
> What that's trying to accomplish is to undo the overzealous USE in the
> default/linux profile, but unfortunately, the "-foo" flags (with the
> default stacking order in portage) will override the IUSE="+foo"
> defaults set in the ebuilds themselves. So, for example, dev-lang/php
> sets IUSE="+cli +session", but they'll be disabled when using the
> hardened profile.
>
> USE=ptpax is something else entirely. By now, everyone should be using
> the default xattr markings with PAX_MARKINGS=XT in make.conf (the new
> profile does this for you). USE=ptpax was dropped by default because you
> shouldn't need it any more.
>
> At least for "modules" and "session", we will eventually drop them as
> defaults so that everything works right again:
>
> * https://bugs.gentoo.org/635720 (modules)
> * https://bugs.gentoo.org/635742 (session)
>
So just to be sure I am doing the right thing, I should keep my MISSING
use flags excluding ptpax because that way the packages that use them by
default will be unchanged? I guess the more correct solution would be to
add per-package use flags so that I don't add them for packages that
have that flag but not by default? Seems like a bit more effort so I
probably won't bother unless there is a good reason to take that approach.

Thanks, Robert
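A small model of the USE stacking Michael describes (profile "-foo" lines outranking an ebuild's IUSE="+foo" defaults) and of the global versus per-package fix Robert asks about, added here as an illustration and not code from the thread or from Portage itself. It follows Portage's default USE_ORDER precedence; the IUSE sets and the app-misc/example atom are constructed for the example.

```python
# Simplified model of Portage USE-flag stacking, following the default
# USE_ORDER from lowest to highest precedence:
#   ebuild IUSE defaults < profile make.defaults < make.conf USE < package.use
# IUSE sets and the "app-misc/example" atom are constructed for this example.

# Ebuild IUSE declarations; a leading "+" marks a default-on flag.
IUSE_DEFAULTS = {
    "dev-lang/php": {"+cli", "+session", "pcre", "ssl"},
    "app-misc/example": {"session", "ssl"},  # declares session, off by default
}

# Profile chain as stacked make.defaults USE lines, parent profile first,
# reproducing the lines quoted in the thread.
PROFILE_MAKE_DEFAULTS = [
    "berkdb crypt ipv6 ncurses nls pam readline ssl tcpd zlib",  # default/linux
    "cli pcre session",                                          # default/linux
    "-berkdb -gdbm -tcpd -fortran -cli -session -dri -modules",  # hardened
]


def apply_tokens(enabled, tokens):
    """Apply a space-separated USE string in place: 'foo' enables, '-foo' disables."""
    for tok in tokens.split():
        if tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok)
    return enabled


def resolve_use(atom, make_conf="", package_use=None):
    """Return the effective USE set for `atom` under the given overrides."""
    iuse = IUSE_DEFAULTS[atom]
    enabled = {f[1:] for f in iuse if f.startswith("+")}      # IUSE defaults
    for line in PROFILE_MAKE_DEFAULTS:                          # profile stacking
        apply_tokens(enabled, line)
    apply_tokens(enabled, make_conf)                            # make.conf USE
    apply_tokens(enabled, (package_use or {}).get(atom, ""))    # package.use
    # Flags the ebuild does not declare in IUSE have no effect on it.
    return enabled & {f.lstrip("+") for f in iuse}


if __name__ == "__main__":
    # Hardened profile alone: php loses its +cli +session defaults.
    print(sorted(resolve_use("dev-lang/php")))
    # Global USE="cli session" in make.conf restores php, but also switches
    # session on for any package that merely declares it.
    print(sorted(resolve_use("app-misc/example", make_conf="cli session")))
    # A package.use entry restores php only.
    print(sorted(resolve_use("dev-lang/php", package_use={"dev-lang/php": "cli session"})))
```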