building with "CLANG"

Isaac (.ike) Levy ike at blackskyresearch.net
Tue Jan 15 05:03:12 UTC 2013


Hi Guys,

I can't bring myself to top-post on a BSD list, 

And I'm in a particularly verbose mood as I debug an unrelated nasty mess,

On Jan 14, 2013, at 9:30 PM, other at ahhyes.net wrote:

> 
> 
> Hi Alexus, 
> 
> I could, but it's going to be time consuming. There are
> almost no clues (even with a Google search) on what this option does. I
> am waiting to know if I can safely keep going the way I am and not have
> any serious problems. I updated the base OS ok, I just reinstalled world
> for one of my jails and ran mergemaster also to update it. Didn't have
> any major issues however I noticed the NO_FSCHG= business in the
> article. 
> 
> Would be nice if someone could document what the hell
> NO_FSCHG= does.. 
> 

In-deed!

--
Deal is, after grokking some source, I *believe* this signals clang not to set particular files with the immutable 'schg' flag when installing world to your $DESTDIR.

Please try following up with the page author.
(Perhaps jump in the Clang IRC channel listed on the page, and try to ask the wiki page author?)

--
If I am correct:
I've not been down the clang jails path yet, (exciting!), but I'm assuming this is a new convenience feature tossed in, with interesting ramifications…

The old days with jail:
rm -rf /path/to/jail/dir
- This would fail without first recursively un-setting the schg immutable flags on files in the filesystem.
(UNIX newbs hit list, make new friends, and learn the power of chflags(1))

So, NO_FSCHG is either extremely convenient, or extremely dangerous- depending on what kind of packets reach your jailed interface…

Why does this matter with jail(8)?

With this convenience, much (if not all) of the functionality of the '-s' flag in jail(8) is lost!

     -s securelevel

	     Set the kern.securelevel MIB entry to the specified value inside
	     the newly created jail.  This is deprecated and is equivalent to
	     setting the securelevel parameter.

--
This fun goes way back: http://seann.herdejurgen.com/resume/samag.com/html/v10/i05/a4.htm

Basically, one could fork bomb the machine, rendering all jailed systems useless- and BSD Secure Levels + login.conf in the jails were the ultimate fix.

Except back then, we didn't have the -s flag, (had to reboot a machine into a higher secure level to get this kind of protection, pretty inflexible, so it was rarely applied).

Rocket-
.ike
 



<snip>
>>> I recently tried to give CLANG a go with rebuilding the system
>>> (9.0-RELEASE to 9.1-RELEASE). Having read:
>>> https://wiki.freebsd.org/BuildingFreeBSDWithClang everything seems
>>> to be working ok.
>>>
>>> I noticed something in the document that got me concerned:
>>>
>>> # Don't forget this when using Jails!
>>> NO_FSCHG=
>>>
>>> There is a suggestion to add the above to src.conf -- Can someone
>>> please explain what this does? Having forgotten to do this, am I going
>>> to have any major problems?
>>>
>>> Alex.
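
To check the question raised in this thread on an actual jail tree, the script below walks a directory and reports every entry carrying one of the chflags(1) flags that make `rm -rf` fail. It is an added example, not part of the original messages or of FreeBSD; the function names and the injectable `lstat` parameter are assumptions made for the example.

```python
import os
import stat
import sys

# chflags(1) names for the flags that stop rm(1) from removing an entry.
SYSTEM_FLAGS = {stat.SF_IMMUTABLE: "schg", stat.SF_APPEND: "sappnd",
                stat.SF_NOUNLINK: "sunlnk"}
USER_FLAGS = {stat.UF_IMMUTABLE: "uchg", stat.UF_APPEND: "uappnd",
              stat.UF_NOUNLINK: "uunlnk"}


def decode_flags(st_flags):
    """Return (system_names, user_names) for the bits set in st_flags."""
    system = [n for bit, n in SYSTEM_FLAGS.items() if st_flags & bit]
    user = [n for bit, n in USER_FLAGS.items() if st_flags & bit]
    return system, user


def audit_tree(root, lstat=os.lstat):
    """Map path -> (system, user) flag names for flagged entries under root.

    Symlinks are not followed. st_flags only exists on BSD-derived systems;
    where it is missing the entry is treated as unflagged.
    """
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    flagged = {}
    for path in paths:
        try:
            flags = getattr(lstat(path), "st_flags", 0)
        except OSError:
            continue  # entry vanished or is unreadable; skip it
        system, user = decode_flags(flags)
        if system or user:
            flagged[path] = (system, user)
    return flagged


if __name__ == "__main__":
    # Hypothetical usage: python3 schg_audit.py /path/to/jail/dir
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (system, user) in sorted(audit_tree(root).items()):
        # System flags cannot be turned off once kern.securelevel is >= 1,
        # so these are the entries a raised securelevel actually protects.
        kind = "system" if system else "user"
        print(f"{kind}\t{','.join(system + user)}\t{path}")
```

An empty report for a freshly installed jail world means no installed file carries these flags, so raising the jail's securelevel has nothing immutable to protect there.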



More information about the freebsd-jail mailing list