Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-17 Thread Neil Bothwick
On Thu, 17 Mar 2011 00:28:54 +, Peter Humphrey wrote:

> > IIRC, @system is not in @world unless you put it there yourself. (This
> > might depend on your portage version, though).
>
> I'm sure I once saw a comment in a portage version that @system was
> being included in @world to preserve earlier behaviour.
>

From man emerge:

  world encompasses both the selected and system sets


-- 
Neil Bothwick

What is a free gift ? Aren't all gifts free?





[gentoo-user] Reply: [gentoo-user] Switching to a hardened profile and back again

2011-03-17 Thread yokee


-Original Message-
From: Neil Bothwick [mailto:n...@digimed.co.uk]
Sent: 2011-03-17 17:01
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Switching to a hardened profile and back again

On Thu, 17 Mar 2011 00:28:54 +, Peter Humphrey wrote:

> > IIRC, @system is not in @world unless you put it there yourself.
> > (This might depend on your portage version, though).
>
> I'm sure I once saw a comment in a portage version that @system was
> being included in @world to preserve earlier behaviour.
>

From man emerge:

  world encompasses both the selected and system sets


--
Neil Bothwick

What is a free gift ? Aren't all gifts free?





Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-17 Thread Alex Schuster
Neil Bothwick writes:

> On Thu, 17 Mar 2011 00:28:54 +, Peter Humphrey wrote:
> > > IIRC, @system is not in @world unless you put it there yourself.
> > > (This might depend on your portage version, though).
> >
> > I'm sure I once saw a comment in a portage version that @system was
> > being included in @world to preserve earlier behaviour.
>
> From man emerge:
>
>   world encompasses both the selected and system sets

BTW, this can be toggled by putting or not putting 'system' into 
/var/lib/portage/world_sets.

Wonko



Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-17 Thread Neil Bothwick
On Thu, 17 Mar 2011 14:42:30 +0100, Alex Schuster wrote:

> > From man emerge:
> >
> >   world encompasses both the selected and system sets
>
> BTW, this can be toggled by putting or not putting 'system' into
> /var/lib/portage/world_sets.

That was the case for a while with portage-2.2, but it appears that
@system is now automatically part of @world. That's how I read the man
page that says that @world encompasses @system, without any setting by the
user. A new install no longer includes @system in world_sets.


-- 
Neil Bothwick

Philosophical error: Demonstrate the existence of a key to continue




Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-17 Thread Dale

Neil Bothwick wrote:
> On Thu, 17 Mar 2011 14:42:30 +0100, Alex Schuster wrote:
>
> > > From man emerge:
> > >
> > >   world encompasses both the selected and system sets
> >
> > BTW, this can be toggled by putting or not putting 'system' into
> > /var/lib/portage/world_sets.
>
> That was the case for a while with portage-2.2, but it appears that
> @system is now automatically part of @world. That's how I read the man
> page that says that @world encompasses @system, without any setting by the
> user. A new install no longer includes @system in world_sets.

That appears to be true here.  I have portage 2.2 installed and system
is no longer in that file.  It used to be but not anymore.

I wonder how a person would override that if they needed to tho?  Not
sure why a person would but anyway.


Dale

:-)  :-)



Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-17 Thread Neil Bothwick
On Thu, 17 Mar 2011 09:27:55 -0500, Dale wrote:

> That appears to be true here.  I have portage 2.2 installed and system
> is no longer in that file.  It used to be but not anymore.
>
> I wonder how a person would override that if they needed to tho?  Not
> sure why a person would but anyway.

cp /var/lib/portage/world /etc/portage/sets/my_world
emerge @my_world


-- 
Neil Bothwick

I teleported home one night
With Ron and Sid and Meg.
Ron stole Meggie's heart away
And I got Sidney's leg.




Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-16 Thread Mike Edenfield
On 3/15/2011 2:05 PM, Grant wrote:
> A dev is asking me to switch to a hardened profile in order to test a
> fix.  I'm happy to go through the process, but is there a chance my
> laptop could be unusable after the switch?  If that happens I'll be in
> real trouble.  Will I be able to switch back to a non-hardened profile
> afterward?  I plan to follow this guide:
>
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile

First off, is there a reason you want to switch back to non-hardened? I
run hardened on all my machines by default; almost every package in
portage is now hardened-aware and builds/runs correctly. For those few
that don't, there's paxctl and/or softmode (looking at you, openoffice)

I've gone both ways with no real issues; though admittedly not on the
same machine :)

I'm assuming you're including a switch to a hardened kernel as part of
this. That's the biggest possible source of problems: if you have a
PAX-enabled kernel then all of your binaries need to be built by the
hardened tool chain, or there is a decent chance they'll fail.

Definitely follow the FAQ for the details, but the basic process should be:

* switch profiles -> hardened
* emerge gcc glibc binutils
* emerge @system
* emerge @world
* build then boot hardened kernel

* test test test test test

* boot non-hardened kernel
* switch profiles -> non-hardened
* emerge gcc glibc binutils
* emerge @system
* emerge @world

Note that the emerge @world emerges are definitely overkill time-wise
but much, much safer and simpler unless you are very aware of what
you're doing, what the packages are doing, how hardened's features
interact, etc.

Also, when building your PAX kernel,

MAKE SURE YOU INCLUDE SOFTMODE SUPPORT

That way, if something misbehaves and you can't fix it you can enable
soft mode and PAX will stop killing things on you.

> BTW, are emerge -e world and emerge -e system both necessary?  I
> thought emerge -e world would rebuild everything.

IIRC, @system is not in @world unless you put it there yourself. (This
might depend on your portage version, though).

--Mike



Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-16 Thread Peter Humphrey
On Wednesday 16 March 2011 19:54:53 Mike Edenfield wrote:

> IIRC, @system is not in @world unless you put it there yourself. (This
> might depend on your portage version, though).

I'm sure I once saw a comment in a portage version that @system was being 
included in @world to preserve earlier behaviour.

-- 
Rgds
Peter



[gentoo-user] Switching to a hardened profile and back again

2011-03-15 Thread Grant
A dev is asking me to switch to a hardened profile in order to test a
fix.  I'm happy to go through the process, but is there a chance my
laptop could be unusable after the switch?  If that happens I'll be in
real trouble.  Will I be able to switch back to a non-hardened profile
afterward?  I plan to follow this guide:

http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile

BTW, are emerge -e world and emerge -e system both necessary?  I
thought emerge -e world would rebuild everything.

- Grant



Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-15 Thread Michael Orlitzky
On 03/15/2011 02:05 PM, Grant wrote:
> A dev is asking me to switch to a hardened profile in order to test a
> fix.  I'm happy to go through the process, but is there a chance my
> laptop could be unusable after the switch?  If that happens I'll be in
> real trouble.  Will I be able to switch back to a non-hardened profile
> afterward?  I plan to follow this guide:
>
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
>
> BTW, are emerge -e world and emerge -e system both necessary?  I
> thought emerge -e world would rebuild everything.

Switching to hardened is safe. The switch back should be, too, although
I haven't personally tried it. (Why would you switch back?)

You emerge system first, and then world so that your world is built by a
hardened toolchain. When you compile gcc/glibc with USE=hardened, it
gives them super powers.



Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-15 Thread Grant
> > A dev is asking me to switch to a hardened profile in order to test a
> > fix.  I'm happy to go through the process, but is there a chance my
> > laptop could be unusable after the switch?  If that happens I'll be in
> > real trouble.  Will I be able to switch back to a non-hardened profile
> > afterward?  I plan to follow this guide:
> >
> > http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
> >
> > BTW, are emerge -e world and emerge -e system both necessary?  I
> > thought emerge -e world would rebuild everything.
>
> Switching to hardened is safe. The switch back should be, too, although
> I haven't personally tried it. (Why would you switch back?)

I originally had my laptop on a hardened profile (I think it was a
couple laptops back) but there were so many problems I eventually gave
up.  I remember doing a lot of system reinstalling as I switched
profiles around.  I don't have time to reinstall my system right now
so I'm trying to be sure I can switch to hardened (and from hardened
if necessary) without reinstalling.

> You emerge system first, and then world so that your world is built by a
> hardened toolchain. When you compile gcc/glibc with USE=hardened, it
> gives them super powers.

Would 'emerge gcc glibc && emerge -e world' have the same effect?

- Grant




Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-15 Thread Michael Orlitzky
On 03/15/2011 03:20 PM, Grant wrote:
> > > A dev is asking me to switch to a hardened profile in order to test a
> > > fix.  I'm happy to go through the process, but is there a chance my
> > > laptop could be unusable after the switch?  If that happens I'll be in
> > > real trouble.  Will I be able to switch back to a non-hardened profile
> > > afterward?  I plan to follow this guide:
> > >
> > > http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
> > >
> > > BTW, are emerge -e world and emerge -e system both necessary?  I
> > > thought emerge -e world would rebuild everything.
> >
> > Switching to hardened is safe. The switch back should be, too, although
> > I haven't personally tried it. (Why would you switch back?)
>
> I originally had my laptop on a hardened profile (I think it was a
> couple laptops back) but there were so many problems I eventually gave
> up.  I remember doing a lot of system reinstalling as I switched
> profiles around.  I don't have time to reinstall my system right now
> so I'm trying to be sure I can switch to hardened (and from hardened
> if necessary) without reinstalling.

If you don't run a hardened kernel, sudo gcc-config 5 (assuming 5 is
the vanilla gcc on your machine...) will switch you back to the vanilla
gcc. No need to switch profiles or recompile anything.


> > You emerge system first, and then world so that your world is built by a
> > hardened toolchain. When you compile gcc/glibc with USE=hardened, it
> > gives them super powers.
>
> Would 'emerge gcc glibc && emerge -e world' have the same effect?

There are a couple of other packages you're supposed to re-emerge along
with gcc and glibc. Binutils was one, but I don't remember the whole
list. Just suck it up and spend the extra hour to re-emerge system; that
way, you're sure you haven't missed anything.



Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-15 Thread Alan McKinnon
On 15/03/11 20:05, Grant wrote:
> A dev is asking me to switch to a hardened profile in order to test a
> fix.  I'm happy to go through the process, but is there a chance my
> laptop could be unusable after the switch?  If that happens I'll be in
> real trouble.  Will I be able to switch back to a non-hardened profile
> afterward?  I plan to follow this guide:
>
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
>
> BTW, are emerge -e world and emerge -e system both necessary?  I
> thought emerge -e world would rebuild everything.

emerge -e world does remerge everything, but not in the order you'd
expect. try it with -p, you'll see that glibc and gcc are near the end.

You want them at the beginning, so that the hardened system is built by
a compiler and libc that is hardened as well as the rest of the toolchain.

Now whereas a compiler can in theory be told to generate any kind of
code for anything, including hard code when it itself is not hard, can
you really be sure it actually will do that? Plus the rest of the
toolchain too.

The only certain way is to build a hardened toolchain then rebuild the
entire system with it.

emerge -e system ; emerge -e world is not the fastest route of minimal
compilation effort, but it sure is the easiest for the human in charge:
one line in bash, press enter, walk away.


-- 
alan dot mckinnon at gmail dot com




Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-15 Thread Grant
> > > > A dev is asking me to switch to a hardened profile in order to test a
> > > > fix.  I'm happy to go through the process, but is there a chance my
> > > > laptop could be unusable after the switch?  If that happens I'll be in
> > > > real trouble.  Will I be able to switch back to a non-hardened profile
> > > > afterward?  I plan to follow this guide:
> > > >
> > > > http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
> > > >
> > > > BTW, are emerge -e world and emerge -e system both necessary?  I
> > > > thought emerge -e world would rebuild everything.
> > >
> > > Switching to hardened is safe. The switch back should be, too, although
> > > I haven't personally tried it. (Why would you switch back?)
> >
> > I originally had my laptop on a hardened profile (I think it was a
> > couple laptops back) but there were so many problems I eventually gave
> > up.  I remember doing a lot of system reinstalling as I switched
> > profiles around.  I don't have time to reinstall my system right now
> > so I'm trying to be sure I can switch to hardened (and from hardened
> > if necessary) without reinstalling.
>
> If you don't run a hardened kernel, sudo gcc-config 5 (assuming 5 is
> the vanilla gcc on your machine...) will switch you back to the vanilla
> gcc. No need to switch profiles or recompile anything.

I do run a hardened kernel, but you're saying if I switch to gcc-5 I
should be able to test for a crash that was previously exhibited under
a hardened profile?

> > > You emerge system first, and then world so that your world is built by a
> > > hardened toolchain. When you compile gcc/glibc with USE=hardened, it
> > > gives them super powers.
> >
> > Would 'emerge gcc glibc && emerge -e world' have the same effect?
>
> There are a couple of other packages you're supposed to re-emerge along
> with gcc and glibc. Binutils was one, but I don't remember the whole
> list. Just suck it up and spend the extra hour to re-emerge system; that
> way, you're sure you haven't missed anything.

OK I'll emerge system first if it comes to that.

- Grant



Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-15 Thread Michael Orlitzky
On 03/15/2011 04:28 PM, Grant wrote:
> > > > > A dev is asking me to switch to a hardened profile in order to test a
> > > > > fix.  I'm happy to go through the process, but is there a chance my
> > > > > laptop could be unusable after the switch?  If that happens I'll be in
> > > > > real trouble.  Will I be able to switch back to a non-hardened profile
> > > > > afterward?  I plan to follow this guide:
> > > > >
> > > > > http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
> > > > >
> > > > > BTW, are emerge -e world and emerge -e system both necessary?  I
> > > > > thought emerge -e world would rebuild everything.
> > > >
> > > > Switching to hardened is safe. The switch back should be, too, although
> > > > I haven't personally tried it. (Why would you switch back?)
> > >
> > > I originally had my laptop on a hardened profile (I think it was a
> > > couple laptops back) but there were so many problems I eventually gave
> > > up.  I remember doing a lot of system reinstalling as I switched
> > > profiles around.  I don't have time to reinstall my system right now
> > > so I'm trying to be sure I can switch to hardened (and from hardened
> > > if necessary) without reinstalling.
> >
> > If you don't run a hardened kernel, sudo gcc-config 5 (assuming 5 is
> > the vanilla gcc on your machine...) will switch you back to the vanilla
> > gcc. No need to switch profiles or recompile anything.
>
> I do run a hardened kernel, but you're saying if I switch to gcc-5 I
> should be able to test for a crash that was previously exhibited under
> a hardened profile?
>

I think (completely unscientifically) that most of the day-to-day
problems are caused by the hardening features in the kernel rather than
by GCC's hardening features.

When you compile a hardened GCC, you also get the vanilla, unhardened
GCC installed. So if you see e.g. a compile failure using hardened GCC,
you can just switch to the vanilla GCC to see if that fixes it. On my
machine,

  $ sudo gcc-config -l
   [1] x86_64-pc-linux-gnu-4.4.5 *
   [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
   [3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
   [4] x86_64-pc-linux-gnu-4.4.5-hardenednossp
   [5] x86_64-pc-linux-gnu-4.4.5-vanilla

it's the fifth option.

Summary: if you have problems on hardened, you can always switch to
vanilla GCC and reboot to a non-hardened kernel. You don't have to
recompile anything or switch profiles again.
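
The procedure Mike lays out earlier in the thread rebuilds the toolchain and then everything with it, Alan's question is whether you can be sure the result is really hardened, and Michael's point just above is that the vanilla gcc can be selected with gcc-config at any time. The way to settle all three is to look at the binaries rather than at which compiler is currently selected. What follows is an added example, not code from this thread or from Gentoo: a standalone Python checker that parses the ELF64 header, program headers and dynamic section of a binary and reports whether it is PIE, has a non-executable stack and full RELRO (PT_GNU_RELRO plus BIND_NOW), and whether a PT_PAX_FLAGS header records any paxctl exceptions. The PT_PAX_FLAGS type value and the bit positions of the NO* flags are taken from PaX's elf.h; the sample images it runs on when given no arguments are constructed inside the script and are not real Gentoo binaries.

```python
#!/usr/bin/env python3
"""Report the hardening properties of ELF64 binaries: PIE, non-executable
stack, full RELRO, and any PaX exceptions recorded in a PT_PAX_FLAGS header
(the header paxctl writes). Added example, not code from the thread.
Usage: elfcheck.py /usr/bin/*   (no arguments: run on constructed images)"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3           # ET_DYN is what PIE executables (and .so files) use
PF_X, PF_W, PF_R = 1, 2, 4
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PT_PAX_FLAGS = 0x65041580        # PaX program header, value from PaX's elf.h
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
# PT_PAX_FLAGS bits that switch a protection *off* (paxctl -p / -m / -r);
# bit positions taken from PaX's elf.h
PAX_DISABLE_BITS = {1 << 5: "NOPAGEEXEC", 1 << 9: "NOMPROTECT", 1 << 15: "NORANDMMAP"}


def hardening_report(data: bytes) -> dict:
    """Walk the ELF header, program headers and dynamic section of an
    in-memory ELF64 image and return the hardening properties found."""
    if data[:4] != b"\x7fELF" or data[4] != 2:          # EI_CLASS 2 = ELF64
        raise ValueError("only ELF64 images are handled here")
    end = "<" if data[5] == 1 else ">"                  # EI_DATA 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    # With no PT_GNU_STACK the kernel falls back to an executable stack, so
    # nx_stack starts False and is only set by an explicit header.
    rep = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False,
           "bind_now": False, "pax_flags": None}
    for i in range(e_phnum):
        p_type, p_flags, p_off, _va, _pa, p_filesz = struct.unpack_from(
            end + "IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            rep["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            rep["relro"] = True
        elif p_type == PT_PAX_FLAGS:
            rep["pax_flags"] = p_flags
        elif p_type == PT_DYNAMIC:
            for off in range(p_off, p_off + p_filesz, 16):   # Elf64_Dyn is 16 bytes
                d_tag, d_val = struct.unpack_from(end + "qQ", data, off)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
                   (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    rep["bind_now"] = True
    # RELRO covers the whole GOT only when relocations are resolved at load
    # time (BIND_NOW); PT_GNU_RELRO alone is "partial RELRO".
    rep["full_relro"] = rep["relro"] and rep["bind_now"]
    return rep


def pax_exceptions(pax_flags) -> list:
    """Names of the PaX protections explicitly switched off for a binary."""
    if pax_flags is None:
        return []
    return [name for bit, name in PAX_DISABLE_BITS.items() if pax_flags & bit]


def missing(rep: dict) -> list:
    """What a hardened toolchain should have produced but did not."""
    out = []
    if not rep["pie"]:
        out.append("not PIE")
    if not rep["nx_stack"]:
        out.append("executable stack")
    if not rep["full_relro"]:
        out.append("no full RELRO")
    return out


def build_sample_elf(e_type, stack_exec, relro, bind_now, pax_flags=None) -> bytes:
    """Constructed test input: a minimal, non-loadable ELF64 image carrying
    only the headers the checker reads. Not a real Gentoo binary."""
    dyn = ([(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    specs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if stack_exec else 0), 0, 0)]
    if relro:
        specs.append((PT_GNU_RELRO, PF_R, 0, 0))
    if pax_flags is not None:
        specs.append((PT_PAX_FLAGS, pax_flags, 0, 0))
    phnum, phoff = len(specs) + 1, 64                    # +1 for PT_DYNAMIC
    specs.append((PT_DYNAMIC, PF_R | PF_W, phoff + phnum * 56, len(dyn_bytes)))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, phoff, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 8) for t, f, off, sz in specs)
    return ehdr + phdrs + dyn_bytes


if __name__ == "__main__":
    if sys.argv[1:]:                                     # real use: scan files on disk
        samples = []
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                samples.append((path, fh.read()))
    else:                                                # demo on constructed images
        samples = [("vanilla-style", build_sample_elf(ET_EXEC, False, True, False)),
                   ("hardened-style", build_sample_elf(ET_DYN, False, True, True, 0)),
                   ("after paxctl -m", build_sample_elf(ET_DYN, False, True, True, 1 << 9))]
    for name, img in samples:
        try:
            r = hardening_report(img)
        except ValueError as e:                          # scripts, ELF32 objects and the like
            print(f"{name}: skipped ({e})")
            continue
        print(f"{name}: {', '.join(missing(r)) or 'ok'}; "
              f"PaX exceptions: {pax_exceptions(r['pax_flags']) or 'none'}")
```

Run it over /usr/bin/* after the emerge -e @system step: anything still reporting "not PIE" or "no full RELRO" was not produced by the hardened toolchain (or opted out of it in its ebuild), and anything listing NOMPROTECT or NOPAGEEXEC is a binary someone relaxed with paxctl, which is the list worth reviewing before relying on the PaX kernel. On a real Gentoo system scanelf from app-misc/pax-utils reports the same headers; this version just makes visible what it is reading. It handles ELF64 only, so ELF32 objects on a multilib system are reported as skipped rather than judged.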



Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-15 Thread Dale

Alan McKinnon wrote:
> emerge -e world does remerge everything, but not in the order you'd
> expect. try it with -p, you'll see that glibc and gcc are near the end.
>
> You want them at the beginning, so that the hardened system is built by
> a compiler and libc that is hardened as well as the rest of the toolchain.
>
> Now whereas a compiler can in theory be told to generate any kind of
> code for anything, including hard code when it itself is not hard, can
> you really be sure it actually will do that? Plus the rest of the
> toolchain too.
>
> The only certain way is to build a hardened toolchain then rebuild the
> entire system with it.
>
> emerge -e system ; emerge -e world is not the fastest route of minimal
> compilation effort, but it sure is the easiest for the human in charge:
> one line in bash, press enter, walk away.


This may be a good time to use the script off the forums.  I used it a 
few weeks or so ago and it worked great.  It certainly does things in a 
different order than portage.


Dale

:-)  :-)