Gentoo Forums
hardened/linux/amd64 vs default/linux/amd64/17.0/hardened?
Philippe23
Tux's lil' helper


Joined: 20 Dec 2006
Posts: 113
Location: Rome, NY

PostPosted: Sat Dec 02, 2017 10:45 pm    Post subject: hardened/linux/amd64 vs default/linux/amd64/17.0/hardened?

Little confused about the Nov 30th enews ("New 17.0 profiles in the Gentoo repository") as it relates to the non-17.0 hardened profiles...

  1. What's the difference between the default/linux/amd64/17.0/hardened and hardened/linux/amd64 profiles?
  2. Is hardened/linux/amd64 under the same 6-months-to-live as the 13.0 profiles?
  3. I'm on hardened/linux/amd64, should I be moving to the .../17.0/hardened in the short term?
brendlefly62
Tux's lil' helper


Joined: 19 Dec 2009
Posts: 86

PostPosted: Sun Dec 03, 2017 5:15 am

See this thread https://forums.gentoo.org/viewtopic-t-1062792-highlight-.html

Cheers
Philippe23
Tux's lil' helper


Joined: 20 Dec 2006
Posts: 113
Location: Rome, NY

PostPosted: Sun Dec 03, 2017 1:14 pm

Direct link to what I assume brendlefly62 was referencing from Oct 25th: https://forums.gentoo.org/viewtopic-p-8134240.html#8134240

I'm so confused because default/linux/amd64/17.0/hardened was added just a few weeks before that (Oct 7th): https://github.com/gentoo/gentoo/commit/e3f1d1330ef365769d7f7bf699c9ee6946192244#diff-a8fa01e66f4ad5b78a37dcd2b31a79df

And it was just added to eselect 2-days ago, which doesn't seem like something that's "going away", but the profile discussion is muddled with the grsec kernel patches going away in that post.
brendlefly62
Tux's lil' helper


Joined: 19 Dec 2009
Posts: 86

PostPosted: Sun Dec 03, 2017 3:18 pm

Philippe23 - yes, there are two parts to the thread above. My question there was about the future of hardened in Gentoo's line of profiles. Short version of the answer was that it continues, but it is moved as you observed in your original post above. My take from the 30 November news item was yes, migrate. I suppose the easy way to see the implications would be to use eselect and run emerge --info (without actually merging anything, of course).

I am also concerned about the security implications of the non-availability of grsec from upstream, but that is a separate issue.

All that said, I too still have my original question about the future of hardened in Gentoo's line of profiles, and would like to know if we will continue to see it as hardened/arch as well as arch/17.0/hardened.
Hu
Moderator


Joined: 06 Mar 2007
Posts: 11449

PostPosted: Sun Dec 03, 2017 6:11 pm

Philippe23 wrote:
I'm so confused because default/linux/amd64/17.0/hardened was added just a few weeks before that (Oct 7th): https://github.com/gentoo/gentoo/commit/e3f1d1330ef365769d7f7bf699c9ee6946192244#diff-a8fa01e66f4ad5b78a37dcd2b31a79df

And it was just added to eselect 2-days ago, which doesn't seem like something that's "going away", but the profile discussion is muddled with the grsec kernel patches going away in that post.
Disclaimer: I have no information about this beyond what I've picked up from the forums. My interpretation of the commit you linked is that it is simply adding a profile 17.0 counterpart to the older hardened profile 13.0, providing a forward migration path for hardened 13.0 users to go to 17.0 without removing hardened support. The hardened profile 13.0 will likely go away at the same time that the basic desktop/server 13.0 profiles go away, since it is built on them. Whether the Gentoo Hardened project will discontinue all of its hardened profiles is a good question that I cannot answer.
Philippe23
Tux's lil' helper


Joined: 20 Dec 2006
Posts: 113
Location: Rome, NY

PostPosted: Sun Dec 03, 2017 7:33 pm

I switched to the new .../17.0/hardened profile and the only difference I ran into was that berkdb wasn't set (I have an explicit -gdbm, so that might be the default in .../17.0/hardened), and I had to enable tcpd, urandom, and session. Those were the only USE flag changes. Seems that most of the core settings are the same (e.g. hardened, pie, ssp).
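To do what brendlefly62 suggests (compare profiles via eselect and emerge --info with nothing merged) and to reproduce the kind of USE-flag delta Philippe23 reports, here is an added example script; it is not from this thread or from Gentoo. It assumes /etc/portage/make.profile is the profile symlink and that `portageq get_repo_path / gentoo` reports the repository location; the sample emerge --info text at the bottom is constructed so the comparison runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: compare the USE flags two profiles would
# enable, the way brendlefly62 suggests (eselect + emerge --info, no merging).
# Assumptions (not from the posts): /etc/portage/make.profile is the profile
# symlink and `portageq get_repo_path / gentoo` reports the repo location.

# Print the flags from the USE="..." line of an `emerge --info` dump, one per
# line, sorted and de-duplicated.
use_flags_from_info() {
    printf '%s\n' "$1" | sed -n 's/^USE="\(.*\)"$/\1/p' | tr ' ' '\n' | grep -v '^$' | sort -u
}

# Print "+flag" for flags only the candidate enables and "-flag" for flags only
# the current profile enables. $1 = current emerge --info text, $2 = candidate's.
use_diff() {
    cur=" $(use_flags_from_info "$1" | tr '\n' ' ') "
    new=" $(use_flags_from_info "$2" | tr '\n' ' ') "
    for f in $new; do
        case "$cur" in *" $f "*) ;; *) echo "+$f" ;; esac
    done
    for f in $cur; do
        case "$new" in *" $f "*) ;; *) echo "-$f" ;; esac
    done
}

# Capture `emerge --info` for a candidate profile without touching the live
# config: clone /etc/portage into a scratch PORTAGE_CONFIGROOT and repoint its
# make.profile symlink there. The real system is never modified.
info_for_profile() {
    repo=$(portageq get_repo_path / gentoo)
    scratch=$(mktemp -d)
    mkdir -p "$scratch/etc"
    cp -a /etc/portage "$scratch/etc/portage"
    ln -sfn "$repo/profiles/$1" "$scratch/etc/portage/make.profile"
    PORTAGE_CONFIGROOT="$scratch" emerge --info
    rm -rf "$scratch"
}

# Constructed sample output (not real `emerge --info`), mirroring the flag
# changes Philippe23 reported after switching to 17.0/hardened.
SAMPLE_CUR='ACCEPT_KEYWORDS="amd64"
USE="amd64 berkdb hardened pie ssp xattr"'
SAMPLE_NEW='ACCEPT_KEYWORDS="amd64"
USE="amd64 hardened pie session ssp tcpd urandom xattr"'

# Offline demo. On a real box, with nothing merged:
#   use_diff "$(emerge --info)" "$(info_for_profile default/linux/amd64/17.0/hardened)"
use_diff "$SAMPLE_CUR" "$SAMPLE_NEW"
```

The diff only covers USE; for a full picture also compare FEATURES and CFLAGS from the same two dumps.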
brendlefly62
Tux's lil' helper


Joined: 19 Dec 2009
Posts: 86

PostPosted: Sun Dec 03, 2017 7:35 pm

Good info, Philippe23, and thanks, Hu. I appreciate the disclaimer; I have the same disclaimer and less expertise/experience than you, and what you say should happen makes sense to me, but it's not obvious that "hardened/linux/amd64" would disappear with 13.0, nor that it was built on the 13.0 profiles as you say. It existed among the choices in eselect before 13.0 appeared there. In the profile directory tree, "hardened" previously showed up only as a "peer level" alternative to "default", and since I've been using Gentoo, I've not seen hardened appear as a subdirectory of the numbered release under "default" in the directory tree. (I.e. I've been a "hardened" user, rather than a "hardened 13.0 user", since the latter has not really been a profile option. See extract of "eselect profile list" below.) Now it's showing up under 17.0 as an alternative to "desktop, selinux, developer, no-multilib, systemd, and x32" -- but it is ALSO still showing up at the top of the tree as an alternative to "default" -- will that continue to be the case? I suspect/hope not, but I want to ask (as I presume does Philippe23).

Code:
...
[1]   default/linux/amd64/13.0
[2]   default/linux/amd64/13.0/desktop
...
[12]  default/linux/amd64/17.0
...
[14]  default/linux/amd64/17.0/hardened
[15]  default/linux/amd64/17.0/desktop
...
[24]  hardened/linux/amd64
...

What I've been hoping to learn is that "hardened" is essentially being "mainlined" as an option under the numbered release for each arch, all under "default/linux" in the tree -- then maybe "default" would not be necessary, as there would be no alternative to it. I.e. when every profile path starts "default/linux/<arch>" with no option for a "hardened/linux/<arch>" alternative, then the whole tree can move up to just begin with "linux/<arch>".

Cheers
zorry
Developer


Joined: 30 Mar 2008
Posts: 379
Location: Umeå, the north part of Scandinavia

PostPosted: Thu Dec 07, 2017 3:27 am

The new Hardened 17.0 profile is using a modular open system approach that can easily accommodate new profiles.
The main part of the profile is moved from hardened to features/hardened.
So now we just add sub profiles in the main default 17.0 profile. We have changed some of the USE flag settings and set PaX markings to XATTR as default.
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)