Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Hardened desktop profile?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Portage & Programming
View previous topic :: View next topic  
Author Message
moisespedro
n00b
n00b


Joined: 01 Jan 2014
Posts: 71

PostPosted: Wed Feb 26, 2014 2:41 pm    Post subject: Hardened desktop profile? Reply with quote

Hi, I was thinking about switching to a hardened gentoo but there is no hardened desktop profile. Why not?
Back to top
View user's profile Send private message
SirRobin2318
Apprentice
Apprentice


Joined: 24 Apr 2004
Posts: 241
Location: Strasbourg, france.

PostPosted: Wed Feb 26, 2014 3:36 pm    Post subject: Reply with quote

See: https://bugs.gentoo.org/show_bug.cgi?id=492312 and https://blogs.gentoo.org/blueness/2014/02/07/the-gentoo-profile-stacking-problem/

You could use what's discussed in the bug report's comments: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=155e204497757a78f06367d7ebe99da92e786ffa
Back to top
View user's profile Send private message
moisespedro
n00b
n00b


Joined: 01 Jan 2014
Posts: 71

PostPosted: Wed Feb 26, 2014 5:09 pm    Post subject: Reply with quote

Oh, thanks for the link. Found it a bit complicated :oops:
Back to top
View user's profile Send private message
SirRobin2318
Apprentice
Apprentice


Joined: 24 Apr 2004
Posts: 241
Location: Strasbourg, france.

PostPosted: Wed Feb 26, 2014 5:16 pm    Post subject: Reply with quote

If I were you, I'd go and ask the people involved in the project as to what the best course of action would be.
#gentoo-hardened on irc (freenode). And then come back and tell us :)
Back to top
View user's profile Send private message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1759
Location: PB, Germany

PostPosted: Thu Jun 26, 2014 1:15 pm    Post subject: Reply with quote

Is changing a Desktop machine from default/linux/amd64/13.0/desktop to default/linux/amd64/13.0/selinux or even hardened/linux/amd64/selinux appropriate and worth the effort? Any performance drawbacks? Do I need to follow the complete SELinux handbook?
Just curious that there is only sys-kernel/hardened-sources without Gentoo patches (?) but definitly without other patches I need, as I'm using sys-kernel/ck-sources right now and would even like to combine that with sys-kernel/aufs-sources. So maybe hardened sources is not that flexible for feature rich desktops?
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Back to top
View user's profile Send private message
Tractor Girl
Apprentice
Apprentice


Joined: 16 May 2013
Posts: 159

PostPosted: Thu Jun 26, 2014 10:14 pm    Post subject: Reply with quote

The question is: are you familiar with selinux? If not, it can be pretty frustrating thing.
If you want only Selinux, it is present in every kernel sources - you don't need to switch to hardened-sources to use it. What you probably want in that case is default/linux/amd64/13.0/selinux profile, to make sure that you'll have proper support during compilation and all the policies.
But keep in mind that selinux is just a MAC and nothing more.
On the other hand hardened profiles and hardened-sources offer MUCH more security features.
And saying that, if you switch to hardened-sources, and you're not selinux guru, it's probably much more reasonable to use grsecurity's RBAC as a MAC instead of selinux.

In my opinion there's not much sense in switching from default/desktop to default/selinux if you're not completely in love in selinux.
On the contrary switching to hardened profile is perfectly reasonable. If you love selinux, choose hardened/selinux, if not, choose regular hardened profile and use Grsecurity's RBAC as MAC (it has nice learning mode).
Back to top
View user's profile Send private message
N8Fear
Tux's lil' helper
Tux's lil' helper


Joined: 15 Apr 2013
Posts: 140
Location: Berlin (Germany)

PostPosted: Thu Jun 26, 2014 11:04 pm    Post subject: Reply with quote

There are many ways to a hardened system. First you should think about what you actually want. There are many options that don't require each other:
1. SELinux - it's a MAC system and requires some dedication to get into. If you're not willing to invest some time I'd advise against it. It requires a special profile and a bunch of kernel options. There are also other implementations of the LSM interface like AppAmor or Tomoyo. They use different approaches than SELinux to achive a similar goal.
2. A hardened profile - this one is a little bit tricky. It activates and deactivates certain useflags (most prominent is the 'hardened' flag). You mainly get a hardened toolchain from it (which will make certain userland vulnerabilites harder to exploit. Note: the hardened profile has nothing to do with SELinux - there are hardened and non-hardened SELinux profiles.
3. hardened-sources - they introduce PaX and grsecurity as configurable options. You should note that even with every PaX/grsec-feature disabled you can experience behaviour that a vanilla kernel doesn't show because the patch is very invasive. On the other hand this patch is imho the strong point of a hardened system and even if there is a performance loss involved I'd strongly recommend to use it if you want a hardened system. grsecurity also includes RBAC which is a MAC system like SELinux but in contrast to it it doesn't implement the LSM interface and therefore can be used in combination with SELinux or one of the other LSM implementations.

You see: you can harden your system by either one of this options or by a combination of it (which from a security standpoint would be the recommended choice). You'll have to decide what to use.
Switching to a hardened profile will be the easiest thing with no or nearly no breakage. The other options may require some adjustments and effort depending on your setup.

Concerning the question why there are no hardened desktop profiles (anymore) - the way profiles work (the stack) leads to breakage in certain situations and hardened and desktop was such a situation. Since the desktop profiles doesn't do much more that setting a basic set of desktop related useflags I'd recommend to switch to a hardened profile and select the useflags manually (via make.conf). There are some flags that shouldn't be enabled (at least if PaX is used - this is for example jit).
Back to top
View user's profile Send private message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1759
Location: PB, Germany

PostPosted: Fri Jun 27, 2014 7:34 am    Post subject: Reply with quote

N8Fear wrote:
Switching to a hardened profile will be the easiest thing with no or nearly no breakage. The other options may require some adjustments and effort depending on your setup.
Thank you both for that clarification. I'm going for that option for now.
Hm, what do I want to achieve. I mainly fear user land exploits by non-Portage applications (mostly java). Portage stuff is checksum checked but even on official sources there are often exploits possible.
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Back to top
View user's profile Send private message
HerrSchafer
Tux's lil' helper
Tux's lil' helper


Joined: 18 May 2011
Posts: 139

PostPosted: Fri Aug 22, 2014 3:55 pm    Post subject: Reply with quote

Hi! I'm also having my first time with hardened gentoo. First thing I've noticed was a HUGE increase of compiling time (one whole night wasn't enough to install the DE).I think it is because the toolchain was modified to produce hardened packages, so I wonder there must be a lot of flags set/unset deeper than a normal profile and this is the cause of slow compiling. Am I right? Is the overall performance also so affected?
I've read a lot about hardened gentoo and AFAIK I'm not bounded to use SELinux. Right?
_________________
“Long is the way, and hard, that out of hell leads up to light.”
― John Milton
Back to top
View user's profile Send private message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1759
Location: PB, Germany

PostPosted: Mon Mar 02, 2015 8:51 am    Post subject: Reply with quote

HerrSchafer wrote:
...First thing I've noticed was a HUGE increase of compiling time (one whole night wasn't enough to install the DE).I think it is because the toolchain was modified to produce hardened packages, so I wonder there must be a lot of flags set/unset deeper than a normal profile and this is the cause of slow compiling. Am I right? Is the overall performance also so affected?
Interesting question, does anybody know?
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Back to top
View user's profile Send private message
BlueFusion
Guru
Guru


Joined: 08 Mar 2006
Posts: 371

PostPosted: Mon Mar 02, 2015 4:04 pm    Post subject: Reply with quote

I've switched to the hardened profile and kernels a few months ago on all of my desktops, servers, and laptop. I haven't noticed any difference in compile time. Run-time definitely seems the same as before. I have not timed anything, but I have not noticed as a daily user of the systems.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Portage & Programming All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum