Re: [gentoo-dev] hardened flavor of the developer profile
On 5/5/11 10:45 PM, Anthony G. Basile wrote:
> We simplified our profiles recently (last Oct-Nov 2010)

You're referring to
http://archives.gentoo.org/gentoo-dev/msg_d847f6258a398052deecc9786c45c604.xml,
right?

> and I only listed hardened/linux/x86 in profiles.desc. You can manually set
>
>     ln -s ../usr/portage/profiles/hardened/linux/x86/developer /etc/make.profile
>
> The only thing to be careful of is that there is a lot of cruft under the
> hardened profiles, some really old deprecated material that I have not yet
> cleared out. You really don't want to use one of those. Just watch out for
> any warning about deprecated profiles.

Oh, it's a stable system so I wouldn't want to go that route then.

Here's what I'm trying to do, maybe you'll have some advice how to do that the
best way (or whether to do that at all):

I'd like to move more of the hardened features to the defaults. A good start
would be to make more developers use them, to detect hardened-related problems
earlier, and avoid confusion like "it works on my non-hardened system".

Please note that even with hardened gcc one can select the vanilla specs,
effectively disabling the hardened features. Hopefully my understanding is
correct.

A possible idea I was thinking about was to add the hardened profile as a
parent of the developer profile... how does that sound to you? Is there some
better way?
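Paweł's remark that the vanilla specs quietly drop the hardening raises the practical question of how to tell, per binary, whether it actually got stack-smashing protection, PIE and FORTIFY. The script below is an added example written for this page; it is not code from the thread, from Portage or from Gentoo's pax-utils (whose scanelf is the tool a Gentoo user would normally reach for). It reads an ELF64 little-endian file with nothing but the standard library and reports the markers of those features plus RELRO. The sample ELF it builds for the default run is constructed test data (headers only, nothing executable), and the symbol names it looks for (__stack_chk_fail, the __*_chk family) are the glibc names; the function names and the 64-bit-only restriction are this example's choices.

```python
#!/usr/bin/env python3
"""Report toolchain hardening markers in an ELF64 little-endian binary.
Added example for this thread (not Gentoo's pax-utils/scanelf); stdlib only."""
import struct
import sys

ET_DYN = 3                 # PIE executables (and shared libraries) are ET_DYN
PT_GNU_RELRO = 0x6474e552  # program header that makes GOT/relocs read-only after load
SHT_DYNSYM = 11
SHT_STRTAB = 3


def read_elf64(data):
    """Return (e_type, program header types, dynamic symbol names) for an ELF64 LE blob."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_type, _machine, _ver, _entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = \
        struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    ph_types = [struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
                for i in range(e_phnum)]
    dynsyms = set()
    for i in range(e_shnum):
        (_name, sh_type, _shflags, _addr, sh_offset, sh_size, sh_link, _info,
         _align, sh_entsize) = struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
        if sh_type != SHT_DYNSYM:
            continue
        # sh_link points at the string table (.dynstr) that names these symbols
        str_offset, _str_size = struct.unpack_from("<QQ", data, e_shoff + sh_link * e_shentsize + 24)
        for j in range(sh_size // sh_entsize):
            st_name = struct.unpack_from("<I", data, sh_offset + j * sh_entsize)[0]
            end = data.index(b"\0", str_offset + st_name)
            dynsyms.add(data[str_offset + st_name:end].decode("ascii", "replace"))
    return e_type, ph_types, dynsyms


def hardening_report(e_type, ph_types, dynsyms):
    """Markers only: a missing __stack_chk_fail can also mean no function needed a
    canary, and *_chk symbols only appear where a fortifiable libc call was compiled
    with optimisation, so False is a hint to look closer, not proof of a vanilla build."""
    return {
        "pie": e_type == ET_DYN,  # e_type alone cannot tell a PIE from a .so
        "ssp": "__stack_chk_fail" in dynsyms,
        "fortify": any(s.startswith("__") and s.endswith("_chk") for s in dynsyms),
        "relro": PT_GNU_RELRO in ph_types,
    }


def scan_file(path):
    with open(path, "rb") as fh:
        return hardening_report(*read_elf64(fh.read()))


def build_sample_elf(pie=True, syms=("__stack_chk_fail", "__memcpy_chk"), relro=True):
    """Constructed, non-runnable ELF64 blob carrying just the headers the checker reads.
    Test data for this example, not a real binary."""
    strtab = b"\0" + b"".join(s.encode() + b"\0" for s in syms)
    name_offsets, pos = [0], 1           # index 0 is the mandatory null symbol
    for s in syms:
        name_offsets.append(pos)
        pos += len(s) + 1
    symtab = b"".join(struct.pack("<IBBHQQ", n, 0, 0, 0, 0, 0) for n in name_offsets)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_RELRO if relro else 1, 4, 0, 0, 0, 0, 0, 1)
    phoff = 64
    symoff = phoff + len(phdr)
    stroff = symoff + len(symtab)
    shoff = stroff + len(strtab)
    shdrs = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)  # [0] SHN_UNDEF
    shdrs += struct.pack("<IIQQQQIIQQ", 0, SHT_DYNSYM, 2, 0, symoff, len(symtab), 2, 1, 8, 24)  # [1] .dynsym, link -> 2
    shdrs += struct.pack("<IIQQQQIIQQ", 0, SHT_STRTAB, 2, 0, stroff, len(strtab), 0, 0, 1, 0)  # [2] .dynstr
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0,
                               phoff, shoff, 0, 64, len(phdr), 1, 64, 3, 0)
    return ehdr + phdr + symtab + strtab + shdrs


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print("sample:", hardening_report(*read_elf64(build_sample_elf())))
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

Run it against the binary you just built with the vanilla specs and against one of the libraries it links to; the library still shows the markers even when the binary does not, which is the situation Anthony describes for a hardened system with a vanilla-specs build on top.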
Re: [gentoo-dev] hardened flavor of the developer profile
On 05/06/2011 03:29 AM, Paweł Hajdan, Jr. wrote:
> On 5/5/11 10:45 PM, Anthony G. Basile wrote:
>> We simplified our profiles recently (last Oct-Nov 2010)
>
> You're referring to
> http://archives.gentoo.org/gentoo-dev/msg_d847f6258a398052deecc9786c45c604.xml,
> right?

Yes, that was one of several emails on the subject.

>> and I only listed hardened/linux/x86 in profiles.desc. You can manually set
>>
>>     ln -s ../usr/portage/profiles/hardened/linux/x86/developer /etc/make.profile
>>
>> The only thing to be careful of is that there is a lot of cruft under the
>> hardened profiles, some really old deprecated material that I have not yet
>> cleared out. You really don't want to use one of those. Just watch out for
>> any warning about deprecated profiles.
>
> Oh, it's a stable system so I wouldn't want to go that route then.
>
> Here's what I'm trying to do, maybe you'll have some advice how to do that
> the best way (or whether to do that at all):
>
> I'd like to move more of the hardened features to the defaults. A good start
> would be to make more developers use them, to detect hardened-related
> problems earlier, and avoid confusion like "it works on my non-hardened
> system".

All the help we can get is welcomed! BTW, when it doesn't work on hardened, it
usually means some bad coding practice that shouldn't be there in vanilla
anyhow.

> Please note that even with hardened gcc one can select the vanilla specs,
> effectively disabling the hardened features. Hopefully my understanding is
> correct.

Yes, but be aware that the rest of your system is compiled with at least the
following 3 hardening features: 1) stack smashing protection, 2) position
independent executables, 3) hardening of internal glibc functions
(-D_FORTIFY_SOURCE=2). You can switch to vanilla for the binary you are
currently building, but it will still link against libs that have the above.

Beyond the toolchain there is also kernel hardening. The two interact, but you
can have one without the other. So "it doesn't work on hardened" may mean the
kernel killed something or the toolchain did.

> A possible idea I was thinking about was to add the hardened profile as a
> parent of the developer profile... how does that sound to you? Is there some
> better way?

The profiles are horribly complex. I would rather put hardened lower on the
stacking order than customization at the level of developer, desktop, server
etc. Try it and see what happens. Use this little script to see what order the
profiles are being stacked in and remember that the lower ones take priority
over the higher:

    #!/usr/bin/env python
    import portage
    # printed top to bottom; the last one listed is lowest and takes priority
    for p in portage.settings.profiles:
        print(p)

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID  : D0455535
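Anthony's point about stacking order is easy to get backwards, so here is an added example that models it end to end; it is written for this page and is not Portage code (Portage's own resolution lives in portage.settings and has more rules than this). It resolves the stack from `parent` files the way the thread describes (each parent stacked, recursively, before the profile itself) and then evaluates `make.defaults` across the stack, with incremental variables such as USE accumulating and `-flag` removing an earlier flag. The profile tree it writes into a temporary directory is a constructed miniature with made-up variable values, not the gentoo-x86 tree; the two combined profiles at its root are named after the two orderings Anthony contrasts, and the assumption that a profile reached twice keeps its first position is this example's simplification.

```python
#!/usr/bin/env python3
"""Model of Portage profile stacking: parent files, stacking order, and which
make.defaults value wins.  Added example for this thread, not Portage code."""
import os
import tempfile

# Incremental variables accumulate across the stack; everything else is overwritten.
# A subset of Portage's incremental list, chosen for this example.
INCREMENTAL = {"USE", "FEATURES", "CONFIG_PROTECT"}


def profile_stack(profile_dir, _seen=None):
    """Return the stack for profile_dir: every parent listed in its `parent` file is
    stacked (recursively) first, then the profile itself, so the last entry is the
    'lowest' profile and takes priority.  Assumption: a profile reached twice keeps
    its first position; verify the real order with portage.settings.profiles."""
    seen = _seen if _seen is not None else set()
    profile_dir = os.path.realpath(profile_dir)
    stack = []
    parent_file = os.path.join(profile_dir, "parent")
    if os.path.isfile(parent_file):
        with open(parent_file) as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):
                    stack.extend(profile_stack(os.path.join(profile_dir, line), seen))
    if profile_dir not in seen:
        seen.add(profile_dir)
        stack.append(profile_dir)
    return stack


def read_make_defaults(profile_dir):
    """Minimal VAR="value" parser for make.defaults (no shell expansion)."""
    values = {}
    path = os.path.join(profile_dir, "make.defaults")
    if not os.path.isfile(path):
        return values
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, val = line.split("=", 1)
            values[key.strip()] = val.strip().strip('"')
    return values


def effective_vars(stack):
    """Walk the stack top to bottom.  Incremental vars accumulate token by token,
    '-tok' removes an earlier token and '-*' clears; plain vars are overwritten."""
    env = {}
    for profile in stack:
        for key, val in read_make_defaults(profile).items():
            if key not in INCREMENTAL:
                env[key] = val
                continue
            tokens = env.get(key, "").split()
            for tok in val.split():
                if tok == "-*":
                    tokens = []
                elif tok.startswith("-"):
                    tokens = [t for t in tokens if t != tok[1:]]
                elif tok not in tokens:
                    tokens.append(tok)
            env[key] = " ".join(tokens)
    return env


SAMPLE_TREE = {  # constructed miniature of the layout in the thread, not gentoo-x86
    "base": {"make.defaults": 'USE="nls pam"\nCFLAGS="-O2"\n'},
    "default/linux": {"parent": "../../base\n", "make.defaults": 'USE="acl"\n'},
    "default/linux/x86/10.0": {"parent": "../..\n", "make.defaults": 'CHOST="i686-pc-linux-gnu"\n'},
    "default/linux/x86/10.0/developer": {"parent": "..\n", "make.defaults": 'USE="debug"\nFEATURES="test"\n'},
    "hardened/linux/x86": {"parent": "../../../default/linux/x86/10.0\n",
                           "make.defaults": 'USE="hardened pic -debug"\nCFLAGS="-O2 -fstack-protector-all"\n'},
    # hardened listed last: it sits lowest in the stack and overrides developer
    "hardened-below-developer": {"parent": "../default/linux/x86/10.0/developer\n../hardened/linux/x86\n"},
    # hardened listed first: the same order as making it a parent of developer
    "hardened-above-developer": {"parent": "../hardened/linux/x86\n../default/linux/x86/10.0/developer\n"},
}


def write_tree(root, tree=SAMPLE_TREE):
    for rel, files in tree.items():
        directory = os.path.join(root, rel)
        os.makedirs(directory, exist_ok=True)
        for name, body in files.items():
            with open(os.path.join(directory, name), "w") as fh:
                fh.write(body)


def resolve(profile):
    """Stack (as relative names) and effective variables for a profile in the sample tree."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root)
        stack = profile_stack(os.path.join(root, profile))
        rel = [os.path.relpath(p, os.path.realpath(root)) for p in stack]
        return rel, effective_vars(stack)


if __name__ == "__main__":
    for name in ("hardened-below-developer", "hardened-above-developer"):
        rel, env = resolve(name)
        print(name, "->", " > ".join(rel))
        print("   USE:", env["USE"], "| CFLAGS:", env["CFLAGS"])
```

With hardened below developer, hardened's `-debug` wins and the developer profile's `debug` is gone; with hardened above developer (Paweł's parent-of-developer idea), developer re-adds `debug` on top of hardened's settings. Either way the hardened CFLAGS survive here only because the constructed developer profile sets none; a developer-level CFLAGS would silently replace them in the second ordering, which is the reason to look at the real stack with Anthony's snippet before trusting an intuition about it.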
[gentoo-dev] hardened flavor of the developer profile
Paweł Hajdan, Jr., Thu, 05 May 2011 17:23:51 +0200:

Currently I'm using the default/linux/x86/10.0/developer profile, but I'd like
to switch to hardened on my developer system to catch more issues. However,
eselect profile list only displays one hardened profile for me:

    $ eselect profile list
    Available profile symlink targets:
      [1]   default/linux/x86/10.0
      [2]   default/linux/x86/10.0/desktop
      [3]   default/linux/x86/10.0/desktop/gnome
      [4]   default/linux/x86/10.0/desktop/kde
      [5]   default/linux/x86/10.0/developer *
      [6]   default/linux/x86/10.0/server
      [7]   hardened/linux/x86
      [8]   selinux/2007.0/x86
      [9]   selinux/2007.0/x86/hardened
      [10]  selinux/v2refpolicy/x86
      [11]  selinux/v2refpolicy/x86/desktop
      [12]  selinux/v2refpolicy/x86/developer
      [13]  selinux/v2refpolicy/x86/hardened
      [14]  selinux/v2refpolicy/x86/server

I'm using eselect-1.2.11.

When listing the profiles directory in CVS, the hardened profile seems to have
developer and other sub-profiles:

    ph@localhost ~/gentoo-x86/profiles $ ls -l hardened/linux/x86/
    total 48
    drwxr-xr-x 7 ph users 4096 Feb 17 07:57 10.0
    drwxr-xr-x 2 ph users 4096 May  5 11:41 CVS
    drwxr-xr-x 3 ph users 4096 Nov 28 17:48 desktop
    drwxr-xr-x 3 ph users 4096 Nov 28 17:48 developer
    -rw-r--r-- 1 ph users 1030 Feb 17 07:57 make.defaults
    drwxr-xr-x 3 ph users 4096 Apr 25 21:25 minimal
    drwxr-xr-x 3 ph users 4096 Nov 28 17:48 no-nptl
    -rw-r--r-- 1 ph users  492 May 21  2010 package.mask
    -rw-r--r-- 1 ph users  381 Mar 13 10:16 package.use.mask
    -rw-r--r-- 1 ph users   58 Mar  4 10:17 parent
    drwxr-xr-x 3 ph users 4096 Nov 28 17:48 server
    -rw-r--r-- 1 ph users  315 Sep 30  2009 use.mask

Any ideas how to get a hardened+developer profile?
Re: [gentoo-dev] hardened flavor of the developer profile
On Thu, 05 May 2011 17:23:51 +0200, Paweł Hajdan, Jr. wrote:
> Currently I'm using the default/linux/x86/10.0/developer profile, but I'd
> like to switch to hardened on my developer system to catch more issues.
> However, eselect profile list only displays one hardened profile for me:
>
>     $ eselect profile list
>     Available profile symlink targets:
>     <snip>
>
> I'm using eselect-1.2.11.
>
> When listing the profiles directory in CVS, the hardened profile seems to
> have developer and other sub-profiles:
>
>     ph@localhost ~/gentoo-x86/profiles $ ls -l hardened/linux/x86/
>     total 48
>     <snip>
>
> Any ideas how to get a hardened+developer profile?

Those profiles that you are seeking are *not* listed in
PORTDIR/profiles/profiles.desc which is why they don't show up in eselect
output. This means that repoman does not check those profiles at all. I am
curious as to how much value they actually have ;)

With that being said, eselect is NOT the only way to set your profile, you can
just as easily create a symlink.

-Jeremy
Re: [gentoo-dev] hardened flavor of the developer profile
On 05/05/2011 12:00 PM, Jeremy Olexa wrote:
> On Thu, 05 May 2011 17:23:51 +0200, Paweł Hajdan, Jr. wrote:
>> Currently I'm using the default/linux/x86/10.0/developer profile, but I'd
>> like to switch to hardened on my developer system to catch more issues.
>> However, eselect profile list only displays one hardened profile for me:
>>
>>     $ eselect profile list
>>     Available profile symlink targets:
>>     <snip>
>>
>> I'm using eselect-1.2.11.
>>
>> When listing the profiles directory in CVS, the hardened profile seems to
>> have developer and other sub-profiles:
>>
>>     ph@localhost ~/gentoo-x86/profiles $ ls -l hardened/linux/x86/
>>     total 48
>>     <snip>
>>
>> Any ideas how to get a hardened+developer profile?
>
> Those profiles that you are seeking are *not* listed in
> PORTDIR/profiles/profiles.desc which is why they don't show up in eselect
> output. This means that repoman does not check those profiles at all. I am
> curious as to how much value they actually have ;)
>
> With that being said, eselect is NOT the only way to set your profile, you
> can just as easily create a symlink.
>
> -Jeremy

We simplified our profiles recently (last Oct-Nov 2010) and I only listed
hardened/linux/x86 in profiles.desc. You can manually set

    ln -s ../usr/portage/profiles/hardened/linux/x86/developer /etc/make.profile

The only thing to be careful of is that there is a lot of cruft under the
hardened profiles, some really old deprecated material that I have not yet
cleared out. You really don't want to use one of those. Just watch out for any
warning about deprecated profiles.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID  : D0455535