On 05/06/2011 03:29 AM, "Paweł Hajdan, Jr." wrote:
> On 5/5/11 10:45 PM, Anthony G. Basile wrote:
>> We simplified our profiles recently (last Oct-Nov 2010)
> You're referring to
> http://archives.gentoo.org/gentoo-dev/msg_d847f6258a398052deecc9786c45c604.xml,
> right?
>

Yes, that was one of several emails on the subject.

>> and I only
>> listed hardened/linux/x86 in profiles.desc.  You can manually set
>>
>>     ln -s ../usr/portage/profiles/hardened/linux/x86/developer
>> /etc/make.profile
>>
>> The only thing to be careful of is that there is a lot of cruft under
>> the hardened profiles, some really old deprecated material that I have
>> not yet cleared out.  You really don't want to use one of those.  Just
>> watch out for any warning about deprecated profiles.
> Oh, it's a stable system so I wouldn't want to go that route then.
>
> Here's what I'm trying to do, maybe you'll have some advice how to do
> that the best way (or whether to do that at all): I'd like to move more
> of the hardened features to the defaults. A good start would be to make
> more developers use them, to detect hardened-related problems earlier,
> and avoid confusion like "it works on my non-hardened system".

All the help we can get is welcomed!  BTW, when "it doesn't work on
hardened", it usually means some bad coding practice that shouldn't be
there in vanilla anyhow.

> Please note that even with hardened gcc one can select the vanilla
> specs, effectively disabling the hardened features. Hopefully my
> understanding is correct.

Yes, but be aware that the rest of your system is compiled with at least
the following 3 hardening features: 1) stack smashing protection, 2)
position independent exec, 3) hardening of internal glibc functions
(-D_FORTIFY_SOURCE=2).  You can switch to vanilla for the binary you
are currently building, but it will still link against libs that have
the above.

Beyond the toolchain there is also kernel hardening.  The two interact,
but you can have one without the other.  So "it doesn't work on
hardened" may mean the kernel killed something or the toolchain did.

> A possible idea I was thinking about was to add the hardened profile as
> a parent of the developer profile... how does that sound to you? Is
> there some better way?
>

The profiles are horribly complex.  I would rather put hardened lower on
the stacking order than customization at the level of "developer",
"desktop", "server" etc.  Try it and see what happens.  Use this little
script to see what order the profiles are being stacked in and remember
that the lower ones take priority over the higher:

#!/usr/bin/env python

import portage

# portage.settings.profiles lists the stacked profile directories in
# order; the last entry is the lowest in the stack and takes priority.
for p in portage.settings.profiles:
    print(p)



-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535
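The stacking order the script above prints comes from the `parent` files in each profile directory. The following added example (not from the mail or from portage itself) resolves that order the same way without importing portage, on a constructed tree that mirrors the thread's layout (developer -> hardened/linux/x86 -> base); it assumes old-style relative `parent` entries, not `repo:path` ones.

```python
"""Resolve Gentoo profile stacking order from `parent` files (added example)."""
import os
import tempfile


def stack_profiles(profile_dir: str) -> list[str]:
    """Return absolute profile paths in stacking order: parents first,
    the profile itself last, so the LAST entry takes priority."""
    order: list[str] = []

    def walk(d: str, chain: tuple[str, ...]) -> None:
        d = os.path.realpath(d)
        if d in chain:  # a profile that lists itself as an ancestor
            raise ValueError(f"profile parent cycle at {d}")
        parent_file = os.path.join(d, "parent")
        if os.path.isfile(parent_file):
            with open(parent_file) as fh:
                for line in fh:
                    line = line.strip()
                    if line and not line.startswith("#"):
                        # Assumption: entries are paths relative to this dir.
                        walk(os.path.join(d, line), chain + (d,))
        order.append(d)

    walk(profile_dir, ())
    return order


def build_sample_tree(root: str) -> str:
    """Write a constructed tree; returns the developer profile path."""
    layout = {
        "base": [],
        "hardened/linux/x86": ["../../../base"],
        "hardened/linux/x86/developer": [".."],
    }
    for rel, parents in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        if parents:
            with open(os.path.join(d, "parent"), "w") as fh:
                fh.write("\n".join(parents) + "\n")
    return os.path.join(root, "hardened/linux/x86/developer")


def demo() -> list[str]:
    """Stacking order of the constructed developer profile, root-relative."""
    root = os.path.realpath(tempfile.mkdtemp())
    return [os.path.relpath(p, root) for p in stack_profiles(build_sample_tree(root))]


if __name__ == "__main__":
    for p in demo():
        print(p)
```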