> In terms of userland, a non-hardened profile doesn't protect you at all
> against buffer overflows; you are removing one important security
> layer. SSP protects you against buffer overflows in that the
> vulnerable application gets killed when the canary is modified, before
> the execution of the arbitrary code. PIE protects you against return
> into libc attacks that don't need an executable stack. PaX is not
> perfect and needs them as complementary solutions. For example, I think
> that RANDEXEC was removed from PaX some time ago; a buffer overflow that
> uses a return into libc attack could be successful against a
> non-hardened binary. Since skype is a network oriented software...
In what situations is a hardened kernel useful?
- Grant
>>> Hardened profiles: Yes there's a difference, no you should not switch to
>>> hardened/linux/${ARCH} at this time.
>>
>> Is hardened/x86/2.6 still available for new installations? My other
>> systems are amd64 but none of them list hardened/amd64/2.6.
>>
>>> You can get skype working by downloading or building gcc 4.1.x and pointing
>>> LD_LIBRARY_PATH at the shared object directory when starting skype. skype
>>> won't be using hardened toolchain but since it's closed source and you're
>>> willing to switch the whole machine to non-hardened I figure you probably
>>> don't mind. ;)
>>>
>>> Example:
>>> 1. Download
>>> http://tinderbox.dev.gentoo.org/default-linux/x86/sys-devel/gcc-4.1.2.tbz2
>>> 2. unpack the archive to ${HOME}/tinderbox-pkgs/sys-devel/gcc/
>>> 3. Run it:
>>> LD_LIBRARY_PATH="${HOME}/tinderbox-pkgs/sys-devel/gcc/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/" skype
>>>
>>> If you only require VoIP capability and not skype specifically you might be
>>> interested in net-im/ekiga.
>>
>> Thank you very much for that, but I'm trying to simplify. You see,
>> I'm only a fake sysadmin. Does using a hardened kernel with a
>> non-hardened profile still offer good protection?
>>
>> - Grant
>>
>>>> > I've been able to do so; basically I switched over to the standard
>>>> > profile, disabled selinux in the kernel, and re-emerged system for new
>>>> > use flags. There were some other details but overall the process was
>>>> > pretty painless, anyone ambitious enough to configure a hardened system
>>>> > can probably handle the switch without much problem. Not that I'm
>>>> > encouraging you to drop hardened (especially on a laptop that could be
>>>> > exposed to random wifi networks ;-)
>>>>
>>>> Is there any difference between 1 and 8 here? Should I switch to 8?
>>>>
>>>> # eselect profile list
>>>> Available profile symlink targets:
>>>> [1] hardened/x86/2.6 *
>>>> [2] selinux/2007.0/x86
>>>> [3] selinux/2007.0/x86/hardened
>>>> [4] default/linux/x86/2008.0
>>>> [5] default/linux/x86/2008.0/desktop
>>>> [6] default/linux/x86/2008.0/developer
>>>> [7] default/linux/x86/2008.0/server
>>>> [8] hardened/linux/x86
>>>>
>>>> - Grant
>>>>
>>>> >> Can I switch my laptop's profile from a hardened one to a non-hardened
>>>> >> one? I thought this was impossible without a complete reinstall but
>>>> >> folks on the gentoo-user list seem to think it's not a problem.
>>>> >>
>>>> >> - Grant