Gentoo Archives: gentoo-user

From: Mike Edenfield <kutulu@××××××.org>
To: gentoo-user@l.g.o
Cc: Grant <emailgrant@×××××.com>
Subject: Re: [gentoo-user] Switching to a hardened profile and back again
Date: Wed, 16 Mar 2011 19:56:36
Message-Id: 4D81158D.9000801@kutulu.org
In Reply to: [gentoo-user] Switching to a hardened profile and back again by Grant
On 3/15/2011 2:05 PM, Grant wrote:
> A dev is asking me to switch to a hardened profile in order to test a
> fix. I'm happy to go through the process, but is there a chance my
> laptop could be unusable after the switch? If that happens I'll be in
> real trouble. Will I be able to switch back to a non-hardened profile
> afterward? I plan to follow this guide:
>
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile

First off, is there a reason you want to switch back to non-hardened? I
run hardened on all my machines by default; almost every package in
portage is now hardened-aware and builds/runs correctly. For those few
that don't, there's paxctl and/or softmode (looking at you, openoffice).

I've gone both ways with no real issues; though admittedly not on the
same machine :)

I'm assuming you're including a switch to a hardened kernel as part of
this. That's the biggest possible source of problems: if you have a
PAX-enabled kernel then all of your binaries need to be built by the
hardened tool chain, or there is a decent chance they'll fail.

Definitely follow the FAQ for the details, but the basic process should be:

* switch profiles -> hardened
* emerge gcc glibc binutils
* emerge @system
* emerge @world
* build then boot hardened kernel

* <test test test test test>

* boot non-hardened kernel
* switch profiles -> non-hardened
* emerge gcc glibc binutils
* emerge @system
* emerge @world

Note that the emerge @world emerges are definitely overkill time-wise
but much, much safer and simpler unless you are very aware of what
you're doing, what the packages are doing, how hardened's features
interact, etc.

Also, when building your PAX kernel,

MAKE SURE YOU INCLUDE SOFTMODE SUPPORT

That way, if something misbehaves and you can't fix it you can enable
soft mode and PAX will stop killing things on you.

> BTW, are emerge -e world and emerge -e system both necessary? I
> thought emerge -e world would rebuild everything.

IIRC, @system is not in @world unless you put it there yourself. (This
might depend on your portage version, though).

--Mike
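The post above stresses two things before booting the hardened kernel: the profile must already be switched (so the toolchain, @system and @world were rebuilt hardened) and the PaX kernel must have soft mode compiled in as a recovery path. The following pre-flight script is an added example, not code from the thread or from the Gentoo hardened project. It assumes the PaX options appear in the kernel `.config` as `CONFIG_PAX=y` and `CONFIG_PAX_SOFTMODE=y`, and that the active profile is a symlink (such as `/etc/portage/make.profile`) whose target path contains `hardened`; the sample `.config` files and profile symlinks it creates under a temporary directory are constructed for running it offline.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): pre-flight checks to run
# before building and booting a PaX kernel on a freshly switched profile.
# Assumptions: PaX shows up in the kernel .config as CONFIG_PAX=y and soft
# mode as CONFIG_PAX_SOFTMODE=y; the profile is a symlink whose target path
# contains "hardened" (e.g. /etc/portage/make.profile -> .../hardened/linux/amd64).

# kernel_option_set CONFIG_FILE OPTION
#   0 if the .config contains the line "OPTION=y", 1 otherwise.
kernel_option_set() {
    grep -q "^$2=y\$" "$1"
}

# profile_is_hardened PROFILE_LINK
#   0 if the profile symlink resolves to a hardened profile, 1 otherwise.
profile_is_hardened() {
    target=$(readlink "$1") || return 1
    case "$target" in
        *hardened*) return 0 ;;
        *) return 1 ;;
    esac
}

# pax_kernel_preflight CONFIG_FILE PROFILE_LINK
#   0 = safe to build/boot
#   1 = profile is not hardened (binaries were not built by the hardened toolchain)
#   2 = kernel has no PaX at all (nothing to check)
#   3 = PaX without soft mode: no recovery switch if a binary gets killed
pax_kernel_preflight() {
    profile_is_hardened "$2" \
        || { echo "profile is not hardened; switch profiles and rebuild first" >&2; return 1; }
    kernel_option_set "$1" CONFIG_PAX \
        || { echo "CONFIG_PAX is not enabled in $1" >&2; return 2; }
    kernel_option_set "$1" CONFIG_PAX_SOFTMODE \
        || { echo "CONFIG_PAX_SOFTMODE missing: build soft mode in before booting" >&2; return 3; }
    echo "ok: hardened profile, PaX kernel with soft mode available"
    return 0
}

# make_sample: constructed inputs so the checks can be exercised offline.
# Prints the temporary directory holding them (not real system files).
make_sample() {
    dir=$(mktemp -d)
    printf 'CONFIG_PAX=y\nCONFIG_PAX_SOFTMODE=y\n' > "$dir/good.config"
    printf 'CONFIG_PAX=y\n# CONFIG_PAX_SOFTMODE is not set\n' > "$dir/nosoft.config"
    mkdir -p "$dir/profiles/hardened/linux/amd64" "$dir/profiles/default/linux/amd64/10.0"
    ln -s "$dir/profiles/hardened/linux/amd64" "$dir/make.profile.hardened"
    ln -s "$dir/profiles/default/linux/amd64/10.0" "$dir/make.profile.default"
    echo "$dir"
}

# Demo on the constructed sample. On a real box the call would be, e.g.:
#   pax_kernel_preflight /usr/src/linux/.config /etc/portage/make.profile
sample=$(make_sample)
pax_kernel_preflight "$sample/good.config" "$sample/make.profile.hardened"
pax_kernel_preflight "$sample/nosoft.config" "$sample/make.profile.hardened" || echo "exit status $?"
pax_kernel_preflight "$sample/good.config" "$sample/make.profile.default" || echo "exit status $?"
rm -rf "$sample"
```

Run it as root before `make` in the kernel tree; a non-zero status means stop and fix the listed item first. The check is deliberately conservative: it only trusts a `.config` that spells out `CONFIG_PAX_SOFTMODE=y`, so a commented-out `# CONFIG_PAX_SOFTMODE is not set` line fails exactly as it should.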

Replies

Subject Author
Re: [gentoo-user] Switching to a hardened profile and back again Peter Humphrey <peter@××××××××××××××.org>