| 1 |
On 05/06/2011 03:29 AM, "Paweł Hajdan, Jr." wrote: |
| 2 |
> On 5/5/11 10:45 PM, Anthony G. Basile wrote: |
| 3 |
>> We simplified our profiles recently (last Oct-Nov 2010) |
| 4 |
> You're referring to |
| 5 |
> http://archives.gentoo.org/gentoo-dev/msg_d847f6258a398052deecc9786c45c604.xml, |
| 6 |
> right? |
| 7 |
> |
| 8 |
|
| 9 |
Yes, that was one of several emails on the subject. |
| 10 |
|
| 11 |
>> and I only |
| 12 |
>> listed hardened/linux/x86 in profiles.desc. You can manually set |
| 13 |
>> |
| 14 |
>> ln -s ../usr/portage/profiles/hardened/linux/x86/developer |
| 15 |
>> /etc/make.profile |
| 16 |
>> |
| 17 |
>> The only thing to be careful of is that there is a lot of cruft under |
| 18 |
>> the hardened profiles, some really old deprecated material that I have |
| 19 |
>> not yet cleared out. You really don't want to use one of that. Just |
| 20 |
>> watch out for any warning about deprecated profiles. |
| 21 |
> Oh, it's a stable system so I wouldn't want to go that route then. |
| 22 |
> |
| 23 |
> Here's what I'm trying to do, maybe you'll have some advice how to do |
| 24 |
> that the best way (or whether to do that at all): I'd like to move more |
| 25 |
> of the hardened features to the defaults. A good start would be to make |
| 26 |
> more developers use them, to detect hardened-related problems earlier, |
| 27 |
> and avoid confusion like "it works on my non-hardened system". |
| 28 |
|
| 29 |
All the help we can get is welcomed! BTW, when "it doesn't work on |
| 30 |
hardened", it usually means some bad coding practice that shouldn't be |
| 31 |
there in vanilla anyhow. |
| 32 |
|
| 33 |
> Please note that even with hardened gcc one can select the vanilla |
| 34 |
> specs, effectively disabling the hardened features. Hopefully my |
| 35 |
> understanding is correct. |
| 36 |
|
| 37 |
Yes, but be aware that the rest of your system is compiled with at least |
| 38 |
the following 3 hardening features: 1) stack smashing protection, 2) |
| 39 |
position independent exec 3) hardening of internal glibc functions |
| 40 |
(-D_FORTIFY_SOURCES=2). You can switch to vanilla for the binary you |
| 41 |
are currently building, but it will still link against libs that have |
| 42 |
the above. |
| 43 |
|
| 44 |
Beyond the toolchain there is also kernel hardening. The two interact, |
| 45 |
but you can have one without the other. So "it doesn't work on |
| 46 |
hardened" may mean the kernel killed something or the toolchain did. |
| 47 |
|
| 48 |
> A possible idea I was thinking about was to add the hardened profile as |
| 49 |
> a parent of the developer profile... how does that sound to you? Is |
| 50 |
> there some better way? |
| 51 |
> |
| 52 |
|
| 53 |
The profiles are horribly complex. I would rather put hardened lower on |
| 54 |
the stacking order than customization at the level of "developer", |
| 55 |
"desktop", "server" etc. Try it and see what happens. Use this little |
| 56 |
script to see what order the profiles are being stacked in and remember |
| 57 |
that the lower ones take priority over the higher: |
| 58 |
|
| 59 |
#!/usr/bin/env python |
| 60 |
|
| 61 |
import portage |
| 62 |
for p in portage.settings.profiles: |
| 63 |
print p |
| 64 |
|
| 65 |
|
| 66 |
|
| 67 |
-- |
| 68 |
Anthony G. Basile, Ph.D. |
| 69 |
Gentoo Linux Developer [Hardened] |
| 70 |
E-Mail : blueness@g.o |
| 71 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 72 |
GnuPG ID : D0455535 |
Archives