On 05/06/2011 03:29 AM, "Paweł Hajdan, Jr." wrote:
> On 5/5/11 10:45 PM, Anthony G. Basile wrote:
>> We simplified our profiles recently (last Oct-Nov 2010)
> You're referring to
> http://archives.gentoo.org/gentoo-dev/msg_d847f6258a398052deecc9786c45c604.xml,
> right?
>

Yes, that was one of several emails on the subject.

>> and I only
>> listed hardened/linux/x86 in profiles.desc. You can manually set
>>
>> ln -s ../usr/portage/profiles/hardened/linux/x86/developer
>> /etc/make.profile
>>
>> The only thing to be careful of is that there is a lot of cruft under
>> the hardened profiles, some really old deprecated material that I have
>> not yet cleared out. You really don't want to use one of those. Just
>> watch out for any warning about deprecated profiles.
> Oh, it's a stable system so I wouldn't want to go that route then.
>
> Here's what I'm trying to do, maybe you'll have some advice on how to do
> that the best way (or whether to do that at all): I'd like to move more
> of the hardened features to the defaults. A good start would be to make
> more developers use them, to detect hardened-related problems earlier,
> and avoid confusion like "it works on my non-hardened system".

All the help we can get is welcome! BTW, when "it doesn't work on
hardened", it usually means some bad coding practice that shouldn't be
there in vanilla anyhow.

> Please note that even with hardened gcc one can select the vanilla
> specs, effectively disabling the hardened features. Hopefully my
> understanding is correct.

Yes, but be aware that the rest of your system is compiled with at least
the following 3 hardening features: 1) stack smashing protection, 2)
position independent executables, 3) hardening of internal glibc
functions (-D_FORTIFY_SOURCE=2). You can switch to vanilla for the binary
you are currently building, but it will still link against libs that have
the above.

Beyond the toolchain there is also kernel hardening. The two interact,
but you can have one without the other. So "it doesn't work on
hardened" may mean the kernel killed something or the toolchain did.

> A possible idea I was thinking about was to add the hardened profile as
> a parent of the developer profile... how does that sound to you? Is
> there some better way?
>

The profiles are horribly complex. I would rather put hardened lower on
the stacking order than customization at the level of "developer",
"desktop", "server" etc. Try it and see what happens. Use this little
script to see what order the profiles are being stacked in and remember
that the lower ones take priority over the higher:

#!/usr/bin/env python
# Print the resolved profile stack, lowest priority first: the profile
# /etc/make.profile points at is printed last and its settings win.
import portage

for p in portage.settings.profiles:
    print(p)


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
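The script above prints the stack Portage actually computed for the running system. To see why the order of `parent` entries decides who wins, here is an added example (not Portage's code and not part of this thread) that re-implements the same walk over a throw-away profile tree: each profile's parents are resolved first, in the order its `parent` file lists them, and the profile itself is appended afterwards, so the leaf make.profile points at comes last and has the last say. The profile names and parent relationships are constructed for illustration and do not match the real Gentoo tree; diamond inheritance (the same profile reached twice) is not special-cased here.

```python
"""Resolve a Portage-style profile stack from `parent` files.

Added example, not Portage's own code: it re-implements only the walk
Portage does when it builds portage.settings.profiles (parents first, in
the order listed, then the profile itself), over a constructed profile
tree created in a temporary directory.
"""
import os
import tempfile


def resolve_stack(profile_dir, stack=None):
    """Return profile directories in stacking order (lowest priority first).

    A `parent` file holds one parent path per line, relative to the
    profile directory; blank lines and '#' comments are ignored. Because
    every parent is appended before the profile that names it, the leaf
    profile comes last and its settings override everything before it.
    """
    if stack is None:
        stack = []
    profile_dir = os.path.realpath(profile_dir)
    parent_file = os.path.join(profile_dir, "parent")
    if os.path.isfile(parent_file):
        with open(parent_file) as fh:
            for line in fh:
                entry = line.split("#", 1)[0].strip()
                if entry:
                    resolve_stack(os.path.join(profile_dir, entry), stack)
    stack.append(profile_dir)
    return stack


def build_tree(root, parents):
    """Create profile directories under root and write their `parent` files.

    parents maps a profile (relative to root) to the list of its parents
    (also relative to root); the entries written are relative to the profile,
    as in a real profiles/ tree.
    """
    for name, plist in parents.items():
        d = os.path.join(root, name)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "parent"), "w") as fh:
            fh.write("# constructed for the example\n")
            for p in plist:
                fh.write(os.path.relpath(os.path.join(root, p), d) + "\n")


# Constructed tree (not the real Gentoo layout): the two leaf profiles list
# the same two parents in opposite order.
TREE = {
    "base": [],
    "default/linux": ["base"],
    "default/linux/x86": ["default/linux"],
    "hardened/linux/x86": ["default/linux/x86"],
    "targets/developer": [],
    # hardened pulled in as a parent of the developer profile, with the
    # developer customization listed after it: developer settings win
    "default/linux/x86/developer": ["hardened/linux/x86", "targets/developer"],
    # hardened listed after the developer target: hardened settings win
    "hardened/linux/x86/developer": ["targets/developer", "hardened/linux/x86"],
}


def demo():
    """Resolve both leaf profiles; return their stacks relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        build_tree(root, TREE)
        return {
            leaf: [os.path.relpath(p, root)
                   for p in resolve_stack(os.path.join(root, leaf))]
            for leaf in ("default/linux/x86/developer",
                         "hardened/linux/x86/developer")
        }


if __name__ == "__main__":
    for leaf, stack in demo().items():
        print("%s:" % leaf)
        for p in stack:
            print("  " + p)   # same ordering portage.settings.profiles reports
```

Reading the two stacks side by side shows the point being made about stacking order: in the first leaf `targets/developer` is resolved after `hardened/linux/x86`, so any mask or default set by the developer target overrides the hardened one; in the second the hardened profile is resolved later and wins.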
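The three toolchain features named above (SSP, PIE, FORTIFY_SOURCE) leave marks in the resulting ELF objects, which is how one tells whether a given binary or library on the box was actually built with them, including the libs a vanilla-specs build still links against. The following is an added example, not Gentoo's, glibc's or this thread's code: it reads only the ELF header, section headers and .dynsym, so it needs no readelf or nm and works on stripped binaries. The heuristics are the customary ones and are assumptions of this example: an executable with e_type ET_DYN is a PIE; an import of `__stack_chk_fail` means `-fstack-protector` instrumented at least one frame; imports named `__*_chk` (such as `__memcpy_chk`, `__printf_chk`) are the checked glibc entry points `-D_FORTIFY_SOURCE=2` substitutes. The caveat: absence of those symbols is not proof the hardening was off, since code with no protectable frames or no fortifiable calls never references them. `minimal_elf64_header` builds a constructed header purely so the check can be exercised offline.

```python
"""Inspect an ELF binary for PIE, stack-smashing protection and FORTIFY marks.

Added example, not Gentoo's or glibc's code. Parses the ELF header, the
section headers and every SHT_DYNSYM section by hand.
"""
import struct
import sys

ET_DYN = 3        # e_type of shared objects and PIE executables
SHT_DYNSYM = 11   # dynamic symbol table


def _dynsym_names(data, is64, bo):
    """Yield the names of all dynamic symbols in the image."""
    if is64:
        (shoff,) = struct.unpack_from(bo + "Q", data, 40)
        shentsize, shnum = struct.unpack_from(bo + "HH", data, 58)
        sh_fmt, sym_fmt = bo + "IIQQQQIIQQ", bo + "IBBHQQ"
    else:
        (shoff,) = struct.unpack_from(bo + "I", data, 32)
        shentsize, shnum = struct.unpack_from(bo + "HH", data, 46)
        sh_fmt, sym_fmt = bo + "IIIIIIIIII", bo + "IIIBBH"
    # section header fields: 0 name, 1 type, 4 offset, 5 size, 6 link
    headers = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize)
               for i in range(shnum)]
    for sh in headers:
        if sh[1] != SHT_DYNSYM:
            continue
        sym_off, sym_size = sh[4], sh[5]
        str_off = headers[sh[6]][4]          # sh_link -> .dynstr
        entsize = struct.calcsize(sym_fmt)
        for off in range(sym_off, sym_off + sym_size, entsize):
            st_name = struct.unpack_from(sym_fmt, data, off)[0]   # st_name first in both
            start = str_off + st_name
            end = data.index(b"\0", start)
            yield data[start:end].decode("ascii", "replace")


def inspect_elf_bytes(data):
    """Return {'class', 'pie', 'ssp', 'fortify'} for an ELF image, None if not ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    is64 = data[4] == 2                      # EI_CLASS
    bo = "<" if data[5] == 1 else ">"        # EI_DATA
    (e_type,) = struct.unpack_from(bo + "H", data, 16)
    names = set(_dynsym_names(data, is64, bo))
    return {
        "class": 64 if is64 else 32,
        # ET_DYN on an executable means PIE; a shared lib is ET_DYN regardless
        "pie": e_type == ET_DYN,
        "ssp": "__stack_chk_fail" in names,
        "fortify": sorted(n for n in names
                          if n.startswith("__") and n.endswith("_chk")),
    }


def inspect_elf_file(path):
    with open(path, "rb") as fh:
        return inspect_elf_bytes(fh.read())


def inspect_self():
    """Inspect the running interpreter; None where it is not an ELF file."""
    if not sys.executable:
        return None
    return inspect_elf_file(sys.executable)


def minimal_elf64_header(e_type):
    """Constructed sample: bare little-endian ELF64 header, no program or section headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    # e_type, e_machine(x86-64), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return ident + struct.pack("<HHIQQQIHHHHHH",
                               e_type, 62, 1, 0, 0, 0, 0, 64, 56, 0, 64, 0, 0)


if __name__ == "__main__":
    for path in sys.argv[1:] or [sys.executable]:
        print(path, inspect_elf_file(path))
```

Run it over `/bin/*` and the libraries a suspect binary loads to see which side of the toolchain/kernel line a "doesn't work on hardened" report falls on: a non-PIE binary failing under a kernel that enforces PaX-style randomisation and a FORTIFY abort inside libc are different bugs with different fixes.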