On 3/15/2011 2:05 PM, Grant wrote:
> A dev is asking me to switch to a hardened profile in order to test a
> fix. I'm happy to go through the process, but is there a chance my
> laptop could be unusable after the switch? If that happens I'll be in
> real trouble. Will I be able to switch back to a non-hardened profile
> afterward? I plan to follow this guide:
>
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile

First off, is there a reason you want to switch back to non-hardened? I
run hardened on all my machines by default; almost every package in
portage is now hardened-aware and builds/runs correctly. For those few
that don't, there's paxctl and/or softmode (looking at you, openoffice).

I've gone both ways with no real issues; though admittedly not on the
same machine :)

I'm assuming you're including a switch to a hardened kernel as part of
this. That's the biggest possible source of problems: if you have a
PaX-enabled kernel then all of your binaries need to be built by the
hardened toolchain, or there is a decent chance they'll fail.

Definitely follow the FAQ for the details, but the basic process should be:

* switch profiles -> hardened
* emerge gcc glibc binutils
* emerge @system
* emerge @world
* build then boot hardened kernel

* <test test test test test>

* boot non-hardened kernel
* switch profiles -> non-hardened
* emerge gcc glibc binutils
* emerge @system
* emerge @world

Note that the emerge @world emerges are definitely overkill time-wise
but much, much safer and simpler unless you are very aware of what
you're doing, what the packages are doing, how hardened's features
interact, etc.

Also, when building your PaX kernel,

MAKE SURE YOU INCLUDE SOFTMODE SUPPORT

That way, if something misbehaves and you can't fix it you can enable
soft mode and PaX will stop killing things on you.

> BTW, are emerge -e world and emerge -e system both necessary? I
> thought emerge -e world would rebuild everything.

IIRC, @system is not in @world unless you put it there yourself. (This
might depend on your portage version, though).

--Mike
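The following POSIX shell helper is an added example and is not part of Mike's message or the Gentoo hardened FAQ. It wraps the procedure above in three pieces a practitioner wants before trusting a laptop to it: a preflight that refuses to proceed unless the kernel .config you are about to build has CONFIG_PAX_SOFTMODE=y, a dry-run printer for the profile-switch/rebuild sequence (so the exact emerge commands are reviewed before being run, in either direction), and the two recovery knobs for a binary that PaX keeps killing after the reboot. It assumes the standard PaX interfaces (the CONFIG_PAX_SOFTMODE config symbol, the runtime switch at /proc/sys/kernel/pax/softmode, a.k.a. sysctl kernel.pax.softmode) and the stock eselect, emerge, gcc-config and paxctl commands; the profile names and the /usr/src/linux/.config path are placeholders for your own system, and the functions take paths as arguments so they can be exercised against a constructed directory tree instead of the live machine.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Preflight, dry-run and recovery helpers for a Gentoo hardened-profile switch.
# Assumed interfaces: CONFIG_PAX_SOFTMODE in the kernel config and
# /proc/sys/kernel/pax/softmode as the runtime soft-mode switch.

# Return 0 if the given kernel config file enables PaX soft mode.
# $1 = path to a .config (or an uncompressed copy of /proc/config.gz).
kernel_config_has_softmode() {
    grep -q '^CONFIG_PAX_SOFTMODE=y$' "$1"
}

# Print the soft-mode state of the running kernel: "on", "off" or
# "unsupported" (no PaX, or PaX built without soft mode).
# $1 = proc mount point, default /proc; a constructed tree works for testing.
pax_softmode_state() {
    proc="${1:-/proc}"
    f="$proc/sys/kernel/pax/softmode"
    if [ ! -r "$f" ]; then
        echo unsupported
        return 0
    fi
    case "$(cat "$f")" in
        1) echo on ;;
        0) echo off ;;
        *) echo unsupported ;;
    esac
}

# Print, but do not run, the rebuild sequence for a target profile. The same
# sequence is used for hardened -> non-hardened; only the profile name changes.
# $1 = eselect profile name, e.g. hardened/linux/amd64 (placeholder).
rebuild_plan() {
    target="$1"
    cat <<EOF
eselect profile set $target
emerge --oneshot sys-devel/binutils sys-devel/gcc sys-libs/glibc
gcc-config -l
env-update && . /etc/profile
emerge -e @system
emerge -e @world
EOF
}

# Refuse to go further unless the kernel you are about to build can fall
# back to soft mode. $1 = path to the kernel source .config.
preflight() {
    cfg="${1:-/usr/src/linux/.config}"
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg" >&2
        return 2
    fi
    if kernel_config_has_softmode "$cfg"; then
        echo "$cfg has CONFIG_PAX_SOFTMODE=y; running kernel soft mode: $(pax_softmode_state)"
        return 0
    fi
    echo "$cfg lacks CONFIG_PAX_SOFTMODE: enable it before building" >&2
    return 1
}

# Recovery, both need root and are never run implicitly by this script.
# Soft mode turns PaX enforcement off for binaries without explicit markings,
# which is the whole-system escape hatch the post recommends building in.
pax_softmode_enable() {
    sysctl -w kernel.pax.softmode=1
}
# Narrower fix for one misbehaving executable: -c converts PT_GNU_STACK into
# PT_PAX_FLAGS so the marking sticks, -m disables MPROTECT for that file only.
pax_relax_binary() {
    paxctl -cm "$1"
}

case "${1:-}" in
    preflight) preflight "${2:-/usr/src/linux/.config}" ;;
    plan)      rebuild_plan "${2:?profile name required, e.g. hardened/linux/amd64}" ;;
    state)     pax_softmode_state ;;
    *)         ;;   # sourced or run without arguments: only define the helpers
esac
```

Typical use is `sh hardened-switch.sh preflight /usr/src/linux/.config` before `make`, `sh hardened-switch.sh plan hardened/linux/amd64` to read the command list (and `| sh` only once you are happy with it), and `sh hardened-switch.sh state` after rebooting to confirm the soft-mode switch really is there before you start testing.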