| 1 |
On 12/23/2017 10:20 PM, Adam Carter wrote: |
| 2 |
> |
| 3 |
> So i'm wondering how much difference there is between hardened and |
| 4 |
> non-hardened profiles these days. |
| 5 |
> |
| 6 |
|
| 7 |
The hardened profiles ensure that PaX works by setting PAX_MARKINGS="XT" |
| 8 |
and by making sure that you don't disable xattr support in, say, |
| 9 |
coreutils. They also let you build gcc/glibc with USE=hardened, although |
| 10 |
what that actually does these days I'm not sure. |
| 11 |
|
| 12 |
Aside from that, the hardened profiles have less stuff enabled by |
| 13 |
default. The "desktop" portion is the worst offender there... |
| 14 |
|
| 15 |
$ cat profiles/targets/desktop/make.defaults |
| 16 |
|
| 17 |
# Copyright 1999-2017 Gentoo Foundation |
| 18 |
# Distributed under the terms of the GNU General Public License v2 |
| 19 |
|
| 20 |
USE="a52 aac acpi alsa bluetooth branding cairo cdda cdr consolekit |
| 21 |
cups dbus dri dts dvd dvdr emboss encode exif fam firefox flac gif |
| 22 |
glamor gpm gtk jpeg lcms ldap libnotify mad mng mp3 mp4 mpeg ogg |
| 23 |
opengl pango pdf png policykit ppds qt3support qt5 sdl spell startup- |
| 24 |
notification svg tiff truetype vorbis udev udisks unicode upower usb |
| 25 |
wxwidgets X xcb x264 xml xv xvid" |
| 26 |
|
| 27 |
That's as opposed to, |
| 28 |
|
| 29 |
$ cat profiles/features/hardened/make.defaults |
| 30 |
... |
| 31 |
USE="${USE} -berkdb -gdbm -tcpd" |
| 32 |
USE="${USE} -fortran" |
| 33 |
USE="${USE} -cli -session" |
| 34 |
USE="${USE} -dri" |
| 35 |
USE="${USE} -modules" |
Archives