Gentoo Archives: gentoo-hardened

From: Maxim Kammerer <mk@×××.su>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] New Kconfig structure in hardened-sources-3.4.4-r1
Date: Mon, 30 Jul 2012 00:02:14
Message-Id: CAHsXYDDcHoQzcHdU_Vh_oYwQnKSKjAbN8g85jZDr7h94EWpbOg@mail.gmail.com
In Reply to: [gentoo-hardened] New Kconfig structure in hardened-sources-3.4.4-r1 by "Anthony G. Basile"
On Sun, Jul 1, 2012 at 11:04 PM, Anthony G. Basile <blueness@g.o> wrote:
> 1. Gone are Gentoo's predefined HARDENED_SERVER, HARDENED_DESKTOP and
> HARDENED_VIRTUALIZATION. There is no need for them anymore as they are
> pretty much subsumed under the above. With some minor differences:
>
> HARDENED_SERVER => Type=Server, Priority=Security, Virt=None
> HARDENED_DESKTOP => Type=Desktop, Priority=Security, Virt=None
> HARDENED_VIRTUALIZATION => Type=Server, Priority=Security Virt=<mixed>

I played a bit with the new settings in the latest unstable hardened
x86 kernel today (in an attempt to squash a NULL deref bug, will send
another email about that), and the new approach seemed very confusing
to me. It has many overlapping options (VMware or VirtualBox?), the
ultimate effect of which is not clear (what if I want to use both
VMs?). In addition, all these options only have effect for new kernel
configuration (probably not even an oldconfig), since they only affect
defaults. Afterwards, they just sit there (interfering with other
settings, see below). In the old approach, I found
HARDENED_VIRTUALIZATION to be a very robust choice that actually
enforced most settings that I have carefully chosen previously. In the
new approach, I just switched to GRKERNSEC_CONFIG_CUSTOM after a
while.

> 2. I've tried to keep the Gentoo GIDs where possible. There is one bug that
> I've noticed, which I'm passing to upstream. Toggling "Invert GID option"
> under TPE does not toggle between our trusted (GID=10) and our untrusted
> (GID=100) values. You can change them manually, but since in Gentoo we want
> to keep our GIDs in line [1], we need to change upstream's default values to
> ours.

GRKERNSEC_CONFIG_AUTO interferes with that — a trusted group is shown
as "untrusted". In addition, groups for disabled settings (like
GRKERNSEC_SYMLINKOWN) are also shown.

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
