pkgsrc-Users archive


Re: Solaris security extensions



On Wed, 27 May 2020 11:24:55 +0200
Clausen, Jörn <joern.clausen%uni-bielefeld.de@localhost> wrote:

> My original question was not "what is the best security method". I
> think Oracle's security extensions make sense and are not something
> to use "instead" of other methods, but "in addition". To broaden my
> question: I would expect other OSes to come up with similar methods.
> Should pkgsrc consider a mechanism to add such features (i.e. as
> default in mk/platform/*.mk), that can be switched off globally or
> per packet, if desired. And if the answer to this question is "yes",
> what has to be done to the toolchain to support this? Perl's handling
> of linker flags is probably one problem. I also tried compiling
> security/openssl, and it failed in a different way. Maybe the few
> packages that did compile so far all used libtool, and all others
> tend to have problems, I'm not sure.

Fair enough. Any additional security measures are beneficial. I guess
in the short term if you struggle to build packages with those
extensions enabled, running binaries in a zone could mitigate some of
the threats.

I'm still not sure if it makes sense to have it in pkgsrc mk files.
It seems some extensions will work with some code, some won't, some
extensions are specific to some SPARC hardware. This could get quite
messy with a large number of packages. Ideally you would build all
binaries normally without any magic linker flags, etc. Later you would
audit the binaries and use a special tool like sxadm to tag them,
enabling/disabling specific extensions. Not sure if this is possible on
Solaris.

If you're not sure why some packages are failing to build, I would
suggest you investigate that first. Maybe there is a quick workaround
that doesn't require hacking pkgsrc mk files. For example, sometimes
LD_FLAGS are not picked up by makefiles, but Solaris has LD_OPTIONS
which is far more reliable. Try that.
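The "flags not picked up by makefiles" failure mode is easy to check for before touching the pkgsrc mk files. The script below is an added example, not code from this thread or from pkgsrc: it scans Makefile recipe lines for link commands (an invocation of `$(CC)`, `$(CXX)` or `$(LD)` with `-o`) that never reference `$(LDFLAGS)`, which is exactly the pattern that silently drops injected linker flags. The two Makefile fragments are constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example: find link rules in a Makefile that ignore $(LDFLAGS).
# Both Makefile fragments below are constructed for this demonstration.
# Tabs are built with printf so the recipe lines are real make recipes.

GOOD_MAKEFILE=$(printf 'prog: main.o util.o\n\t$(CC) $(LDFLAGS) -o prog main.o util.o $(LIBS)\n')

BAD_MAKEFILE=$(printf 'prog: main.o util.o\n\t$(CC) -o prog main.o util.o -lsocket -lnsl\ntool: tool.o\n\t$(CC) $(CFLAGS) -o tool tool.o\n')

# Print every recipe line that links (calls $(CC)/$(CXX)/$(LD) with -o)
# without referencing $(LDFLAGS) or ${LDFLAGS}.
# Exit status: 0 if every link rule honours LDFLAGS, 1 if any does not.
link_rules_missing_ldflags() {
    printf '%s\n' "$1" | awk '
        /^\t/ && /\$[({](CC|CXX|LD)[)}]/ && / -o / && !/\$[({]LDFLAGS[)}]/ {
            sub(/^\t/, ""); print; found = 1
        }
        END { exit (found ? 1 : 0) }'
}

# Convenience wrapper: number of offending link rules in a Makefile text.
count_missing() {
    link_rules_missing_ldflags "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report the rules in the constructed "bad" Makefile.
link_rules_missing_ldflags "$BAD_MAKEFILE" \
    || echo "link rules above ignore LDFLAGS; try LD_OPTIONS on Solaris"
```

Run it against the unpacked sources of a package that fails to build (`link_rules_missing_ldflags "$(cat Makefile)"`); a non-empty report means the package's own link rule is bypassing pkgsrc's flags, and that is a case where exporting `LD_OPTIONS` in the environment, which the Solaris linker reads directly, reaches the link step even though the Makefile does not.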

