From 3e147210722ae228ee59dd9ccba211a8b0c1be8c Mon Sep 17 00:00:00 2001
From: Ned Ludd
Date: Wed, 24 May 2006 16:11:57 +0000
Subject: - More updates from Kevin Q bug 131779 ; document the stricter feature along with the QA_* handling

svn path=/main/trunk/; revision=3410
---
 bin/misc-functions.sh | 2 +-
 man/ebuild.5 | 32 ++++++++++++++++++++++++++++++++
 man/make.conf.5 | 17 +++++++++++++++++
 3 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/bin/misc-functions.sh b/bin/misc-functions.sh
index 4b545ab29..1a2f1b3f2 100755
--- a/bin/misc-functions.sh
+++ b/bin/misc-functions.sh
@@ -133,7 +133,7 @@ install_qa_check() {
 	[[ -n ${QA_STRICT_EXECSTACK} ]] && QA_EXECSTACK=""
 	qa_var="QA_WX_LOAD_${ARCH}"
 	[[ -n ${!qa_var} ]] && QA_WX_LOAD=${!qa_var}
-	[[ -n ${QA_STRICT_EXECSTACK} ]] && QA_WX_LOAD=""
+	[[ -n ${QA_STRICT_WX_LOAD} ]] && QA_WX_LOAD=""
 	export QA_EXECSTACK QA_WX_LOAD
 	f=$(scanelf -qyRF '"%e %p"' "${D}" | grep -v 'usr/lib/debug/')
 	;;
diff --git a/man/ebuild.5 b/man/ebuild.5
index 0cbad639e..053702a8b 100644
--- a/man/ebuild.5
+++ b/man/ebuild.5
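Review bot: The strict switch on the added line is a bare `-n` test, so any non-empty value — including `QA_STRICT_WX_LOAD=0` or `=no` — discards the ebuild's QA_WX_LOAD list, while make.conf(5) in this same commit only says to "set" it; a comment above the QA_STRICT_EXECSTACK line would pin the contract down: `# QA_STRICT_*: any non-empty value discards the ebuild's override list (see make.conf(5))`. make.conf.5 also documents QA_STRICT_TEXTRELS, but no corresponding clearing of the ebuild's text-relocation list is visible in this hunk; if it lives elsewhere in install_qa_check that is fine, otherwise the documented knob is a no-op and the scan below still honours an ebuild-supplied regex list. Separately, make.conf.5 refers to the ebuild variable as \fIQA_TEXTREL\fR while ebuild.5 introduces it as \fBQA_TEXTRELS\fR, so one of the two man pages misnames it. install_qa_check() starts before this hunk and continues after it.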
@@ -342,6 +342,38 @@ This variable should only be used when a package provides a virtual target. For example, blackdown-jdk and sun-jdk provide \fIvirtual/jdk\fR. This allows for packages to depend on \fIvirtual/jdk\fR rather than on blackdown or sun specifically.
+.SH "QA CONTROL VARIABLES"
+.TP
+.B USAGE NOTES
+Several QA variables are provided which allow an ebuild to manipulate some
+of the QA checks performed by portage. Use of these variables in ebuilds
+should be kept to an absolute minimum otherwise they defeat the purpose
+of the QA checks, and their use is subject to agreement of the QA team.
+They are primarily intended for use by ebuilds that install closed-source
+binary objects that cannot be altered.
+.br
+Note that objects that violate these rules may fail on some architectures.
+.TP
+\fBQA_TEXTRELS\fR
+This variable can be set to a list of file paths, relative to the image
+directory, of files that contain text relocations that cannot be eliminated.
+The paths may contain regular expressions.
+.br
+This variable is intended to be used on closed-source binary objects that
+cannot be altered.
+.TP
+\fBQA_EXECSTACK\fR
+This should contain a list of file paths, relative to the image directory, of
+objects that require executable stack in order to run.
+The paths may contain regular expressions.
+.br
+This variable is intended to be used on objects that truly need executable
+stack (i.e. not those marked to need it which in fact do not).
+.TP
+\fBQA_WX_LOAD\fR
+This should contain a list of file paths, relative to the image directory, of
+files that contain writable and executable segments. These are rare.
+The paths may contain regular expressions.
 .SH "PORTAGE DECLARATIONS"
 .TP
 .B inherit
diff --git a/man/make.conf.5 b/man/make.conf.5
index 51ce5efaa..ea0262fb2 100644
--- a/man/make.conf.5
+++ b/man/make.conf.5
@@ -231,6 +231,11 @@ stored for later use by various debuggers. Have portage react strongly to conditions that have the potential to be dangerous (like missing or incorrect Manifests).
 .TP
+.B stricter
+Have portage react strongly to conditions that may conflict with system
+security provisions (for example textrels, executable stack). Read about
+the \fIQA_STRICT_*\fR variables in \fBmake.conf\fR(5).
+.TP
 .B suidctl
 Before merging packages to the live filesystem, automatically strip setuid bits from any file that is not listed in \fI/etc/portage/suidctl.conf\fR.
@@ -342,6 +347,18 @@ This variable contains the command used for resuming package sources that have been partially downloaded. It should be defined using the same format as \fBFETCHCOMMAND\fR.
 .TP
+\fBQA_STRICT_EXECSTACK = \fI"set"\fR
+Set this to cause portage to ignore any \fIQA_EXECSTACK\fR override
+settings from ebuilds. See also \fBebuild\fR(5).
+.TP
+\fBQA_STRICT_WX_LOAD = \fI"set"\fR
+Set this to cause portage to ignore any \fIQA_WX_LOAD\fR override
+settings from ebuilds. See also \fBebuild\fR(5).
+.TP
+\fBQA_STRICT_TEXTRELS = \fI"set"\fR
+Set this to cause portage to ignore any \fIQA_TEXTREL\fR override
+settings from ebuilds. See also \fBebuild\fR(5).
+.TP
 \fBROOT\fR = \fI[path]\fR
 Use \fBROOT\fR to specify the target root filesystem to be used for merging packages or ebuilds. All \fBRDEPEND\fR and \fBPDEPEND\fR will be installed
-- 
cgit v1.2.3-1-g7c22