On Sun, Jul 1, 2012 at 11:04 PM, Anthony G. Basile <blueness@g.o> wrote:
> 1. Gone are Gentoo's predefined HARDENED_SERVER, HARDENED_DESKTOP and
> HARDENED_VIRTUALIZATION. There is no need for them anymore as they are
> pretty much subsumed under the above. With some minor differences:
>
> HARDENED_SERVER => Type=Server, Priority=Security, Virt=None
> HARDENED_DESKTOP => Type=Desktop, Priority=Security, Virt=None
> HARDENED_VIRTUALIZATION => Type=Server, Priority=Security Virt=<mixed>

I played a bit with the new settings in the latest unstable hardened
x86 kernel today (in an attempt to squash a NULL deref bug, will send
another email about that), and the new approach seemed very confusing
to me. It has many overlapping options (VMware or VirtualBox?), the
ultimate effect of which is not clear (what if I want to use both
VMs?). In addition, all these options only have effect for new kernel
configuration (probably not even an oldconfig), since they only affect
defaults. Afterwards, they just sit there (interfering with other
settings, see below). In the old approach, I found
HARDENED_VIRTUALIZATION to be a very robust choice that actually
enforced most settings that I had carefully chosen previously. In the
new approach, I just switched to GRKERNSEC_CONFIG_CUSTOM after a
while.

> 2. I've tried to keep the Gentoo GIDs where possible. There is one bug that
> I've noticed, which I'm passing to upstream. Toggling "Invert GID option"
> under TPE does not toggle between our trusted (GID=10) and our untrusted
> (GID=100) values. You can change them manually, but since in Gentoo we want
> to keep our GIDs in line [1], we need to change upstream's default values to
> ours.

GRKERNSEC_CONFIG_AUTO interferes with that — a trusted group is shown
as "untrusted". In addition, groups for disabled settings (like
GRKERNSEC_SYMLINKOWN) are also shown.

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
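As an added illustration (not code from the thread, from Gentoo or from grsecurity): a small checker that parses a kernel .config, flags a TPE GID that does not match the Gentoo values quoted above (trusted 10, untrusted 100) while taking the "Invert GID option" into account, and warns when GRKERNSEC_CONFIG_AUTO is still set. The CONFIG_GRKERNSEC_TPE_INVERT and CONFIG_GRKERNSEC_TPE_*_GID symbol names are assumed from grsecurity's Kconfig of that era, and the .config fragment is constructed.

```python
import re

# Gentoo convention from the thread: trusted GID 10, untrusted GID 100.
GENTOO_TRUSTED_GID = 10
GENTOO_UNTRUSTED_GID = 100

_LINE = re.compile(r'^(CONFIG_[A-Z0-9_]+)=(.*)$')

def parse_config(text):
    """Map CONFIG_ symbols to values; '# CONFIG_X is not set' lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg

def audit_tpe(cfg):
    """Return findings; an empty list means the TPE GID follows Gentoo's convention."""
    findings = []
    if cfg.get('CONFIG_GRKERNSEC_CONFIG_AUTO') == 'y':
        findings.append('GRKERNSEC_CONFIG_AUTO is set: it only seeds defaults and the '
                        'thread reports it mislabels the trusted group; consider CONFIG_CUSTOM')
    if cfg.get('CONFIG_GRKERNSEC_TPE') != 'y':
        findings.append('GRKERNSEC_TPE is not enabled')
        return findings
    inverted = cfg.get('CONFIG_GRKERNSEC_TPE_INVERT') == 'y'
    # With "Invert GID option" the GID names the trusted group, otherwise the untrusted one
    # (symbol names assumed from grsecurity's Kconfig of that era).
    sym, expected = (('CONFIG_GRKERNSEC_TPE_TRUSTED_GID', GENTOO_TRUSTED_GID) if inverted
                     else ('CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID', GENTOO_UNTRUSTED_GID))
    raw = cfg.get(sym)
    if raw is None:
        findings.append(f'{sym} missing from .config')
    elif not raw.isdigit() or int(raw) != expected:
        findings.append(f'{sym}={raw}, Gentoo expects {expected} (invert={inverted})')
    return findings

# Constructed .config fragment: INVERT toggled but the GID left at a non-Gentoo value (as reported).
SAMPLE_CONFIG = """\
CONFIG_GRKERNSEC_CONFIG_AUTO=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_TRUSTED_GID=1005
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
"""

if __name__ == '__main__':
    for f in audit_tpe(parse_config(SAMPLE_CONFIG)):
        print('FINDING:', f)
```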