Gentoo Forums
hardened desktop
katfish (Tux's lil' helper, joined 14 Nov 2011, 147 posts)
Posted: Mon Nov 03, 2014 11:32 am    Post subject: hardened desktop

Since I successfully built my server with PaX and RBAC enabled,
I want to make use of the hardened toolchain and PaX on my notebook as well.

While building and running the hardened kernel is as easy as the standard kernel,
I'm not sure about the toolchain and the desktop-related stuff like ConsoleKit and PolicyKit.

When I emerge world -uDNt with the hardened profile (hardened/linux/amd64),
Portage wants to rebuild some essential packages without consolekit and polkit...

Code:
[ebuild   R    ] mate-extra/mate-power-manager-1.8.0-r1  USE="applet -gnome-keyring -man -policykit* {-test} -unique" 3262 KiB
[ebuild   R    ] mate-base/mate-applets-1.8.0-r1  USE="X ipv6 networkmanager -policykit*" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7" 6750 KiB
[ebuild   R    ] mate-base/mate-settings-daemon-1.8.1  USE="X pulseaudio -debug -libnotify* -policykit* -smartcard" 765 KiB
[ebuild   R    ] sys-block/gparted-0.19.0  USE="-btrfs -dmraid -f2fs -fat -hfs -jfs -kde -mdadm -ntfs -policykit* -reiser4 -reiserfs -xfs" 2028 KiB
[ebuild   R    ] app-admin/mate-system-tools-1.8.0::gentoo [1.8.0::mate-overlay] USE="nfs samba -caja -policykit*" 4237 KiB
[nomerge       ] mate-base/mate-applets-1.8.0-r1  USE="X ipv6 networkmanager -policykit*" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7"
[ebuild   R    ] net-misc/modemmanager-1.2.0-r1:0/1  USE="introspection qmi -mbim -policykit* -qmi-newest -vala" 1277 KiB
[ebuild   R   #] gnome-base/gconf-3.2.6-r3:2  USE="introspection -debug -ldap -policykit*" ABI_X86="(64) (-32) (-x32)" PYTHON_TARGETS="python2_7" 1524 KiB
[nomerge       ] x11-misc/colord-1.2.1-r1:0/2  USE="gusb introspection policykit udev -examples -extra-print-profiles -scanner -systemd -vala"

Code:

[ebuild   R    ] mate-extra/mate-screensaver-1.8.0  USE="X opengl pam -consolekit* -debug -libnotify* -systemd" 4755 KiB
[ebuild   R    ] net-misc/networkmanager-0.9.8.10-r1  USE="avahi connection-sharing dhcpcd gnutls introspection modemmanager ppp wext wifi -bluetooth* -consolekit* -dhclient -nss -resolvconf -systemd {-test} -vala" 1969 KiB
[ebuild   R    ]  sys-auth/pambase-20120417-r3  USE="cracklib sha512 -consolekit* -debug -gnome-keyring -minimal -mktemp -pam_krb5 -pam_ssh -passwdqc (-selinux) -systemd" 4 KiB
[ebuild   R    ] x11-apps/xdm-1.1.11-r3  USE="ipv6 pam -consolekit* -xdm-auth" 437 KiB


Full output of emerge world: https://binarysignals.net/gentoo/emerge_with_hardened_profile_enabled.log

So my question is: what actually happens to my desktop when I apply the profile?
Do I have to log in via startx, will I lose NetworkManager and have to mount USB drives by hand?

My kernel config: https://binarysignals.net/gentoo/linux-3.16.5-hardened.config
emerge --info: https://binarysignals.net/gentoo/emerge.info

Thanks in advance ;)
jpc22 (Apprentice, joined 29 Jan 2012, 195 posts)
Posted: Tue Nov 18, 2014 4:50 am

Basically your system will begin to pull in packages and install them with the default options that have been set for the hardened profile.

Some programs are harder to get working with hardened on certain hardware or with some combinations of programs, but just switching to hardened is not going to break as many things as if you were to enable SELinux, grsec, PaX and all the other available security features at the same time.

Those features basically lock many things until you unlock them because you need them. (Example: I lost USB wireless mouse support when I dumbly activated all of those.)

If you don't install something preventing you from mounting drives, automounting should still work.

As for a graphical login manager, I can't say; I'm trying to get it to work on a fresh hardened install for the first time (doing a build for my bro and he wants it). Personally I don't mind startx from the shell.
I don't, however, think that it is impossible to have graphical login on hardened; it might take extra config and workarounds.

Hardened kernels don't play nice with proprietary nvidia drivers, so if you go that route you will likely have to use nouveau.

If in doubt, make a stage4 before trying, in case you want to revert or mess up something really badly.

Hardened is just a matter of more config to get things to play nicely with each other in your system.
N8Fear (Tux's lil' helper, joined 15 Apr 2013, 140 posts, Berlin (Germany))
Posted: Tue Nov 18, 2014 10:08 am

If you really want to switch from a non-hardened to a hardened profile you should do the following:
1. switch to the hardened profile
2. rebuild gcc, glibc (or another libc, whatever you use) and binutils
3. switch to the hardened gcc version (gcc-config -l; use the one that has no nopie, nossp, nopiessp or vanilla suffix; the one without a suffix is the actual hardened one)
4. rebuild gcc, glibc and binutils again (this is optional, but recommended, because you make sure that everything works and builds against your hardened toolchain)
5. emerge -evDN @world (this rebuilds everything with the hardened toolchain; in theory there are packages that don't need to be rebuilt (mostly the non-C/non-C++ ones), but there is no way that I know of to select just the ones that need to be rebuilt).

Done; you can test your system with checksec.sh (--proc-all after reboot) to see that it's actually hardened.
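A small shell helper for step 3 of the procedure above, added here as an example and not posted by N8Fear: it parses `gcc-config -l` output (a constructed sample with a made-up version string) and picks the profile that carries none of the nopie/nossp/nopiessp/vanilla suffixes, so the switch to the hardened compiler can be scripted and verified instead of eyeballed.

```shell
#!/bin/sh
# Added example, not from the thread: pick the hardened gcc profile from
# `gcc-config -l` output. The hardened profile is the entry whose name
# carries none of the nopie / nossp / nopiessp / vanilla suffixes.

# Constructed sample of `gcc-config -l` output; the version string is made up.
# The trailing '*' marks the currently active profile.
SAMPLE_GCC_LIST=' [1] x86_64-pc-linux-gnu-4.8.3-vanilla *
 [2] x86_64-pc-linux-gnu-4.8.3
 [3] x86_64-pc-linux-gnu-4.8.3-hardenednopie
 [4] x86_64-pc-linux-gnu-4.8.3-hardenednopiessp
 [5] x86_64-pc-linux-gnu-4.8.3-hardenednossp'

# Reads gcc-config -l output on stdin and prints the profile name that has
# no suffix. Exit status 1 if no such profile is listed.
pick_hardened_gcc() {
    sed -e 's/^ *\[[0-9]*\] *//' -e 's/ *\*$//' |
        grep -v -e nopie -e nossp -e vanilla |
        head -n 1 | grep .
}

# Reads gcc-config -l output on stdin and prints the profile marked '*'.
currently_active_gcc() {
    sed -n 's/^ *\[[0-9]*\] *\(.*\) \*$/\1/p' | head -n 1
}

# Exit 0 when the active profile is the hardened one, 1 otherwise.
active_is_hardened() {
    list=$(cat)
    active=$(printf '%s\n' "$list" | currently_active_gcc)
    wanted=$(printf '%s\n' "$list" | pick_hardened_gcc) || return 1
    [ "$active" = "$wanted" ]
}

# Dry run against the constructed sample. On a real box replace the printf
# with `gcc-config -l`; if the check fails, run
# `gcc-config "$(gcc-config -l | pick_hardened_gcc)"` and then `. /etc/profile`.
if printf '%s\n' "$SAMPLE_GCC_LIST" | active_is_hardened; then
    echo "active gcc profile is the hardened one"
else
    echo "active gcc profile is NOT hardened; would switch to:" \
        "$(printf '%s\n' "$SAMPLE_GCC_LIST" | pick_hardened_gcc)"
fi
```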
229566 (Tux's lil' helper, joined 16 Aug 2010, 127 posts)
Posted: Tue Nov 18, 2014 11:38 am

jpc22 wrote:
    Hardened kernels don't play nice with proprietary nvidia drivers, so if you go that route you will likely have to use nouveau.

That has been something I read once that got stuck in my mind, preventing me from switching over to hardened, years ago. But seeing that things like Fedora and CentOS can have the nvidia driver and they're hardened + SELinux, is that still the case today? Is it perhaps that some features would have to be excluded for nvidia to play well with the hardened kernel and userland?

I'd really like to have both.
N8Fear (Tux's lil' helper, joined 15 Apr 2013, 140 posts, Berlin (Germany))
Posted: Tue Nov 18, 2014 12:36 pm

Hardened userland and nvidia is no problem at all. The problems arose from PaX/grsec + nvidia.
AFAIK you have to paxmark half of your system (which greatly reduces security, even though it'll likely still be more secure than vanilla) to get X to work. IIRC there was some progress in recent times, though.
Gentoo64 (n00b, joined 21 Oct 2011, 52 posts, Location: ::)
Posted: Tue Nov 18, 2014 2:24 pm

N8Fear wrote:
    Hardened userland and nvidia is no problem at all. The problems arose from PaX/grsec + nvidia.
    AFAIK you have to paxmark half of your system (which greatly reduces security, even though it'll likely still be more secure than vanilla) to get X to work. IIRC there was some progress in recent times, though.

It works fine with Nvidia. You need to unmask the X USE flag on nvidia-drivers using /etc/portage/profile/use.mask (-X), and need to disable opengl on a couple of packages like cairo in order to not have to pax -m a ton of X-related stuff (opengl is the killer on hardened; it will always need -m). I've had a hardened desktop with AppArmor and all the hardening in the kernel running for years and really rarely run into any problems. A couple of things needed pax -m as I came across them. Also be careful with some of the kernel security options: a couple of them can interfere with systemd, ZFS and no doubt a load of other stuff, but it's pretty easy to figure out, with Gentoo being minimal, so errors will normally stand out and be quite obvious.
mv (Watchman, joined 20 Apr 2005, 6276 posts)
Posted: Tue Nov 18, 2014 4:22 pm

Gentoo64 wrote:
    and need to disable opengl on a couple of packages like cairo

But do you still get acceptable speed if e.g. you view a movie?
On one of my systems, I had success using the nvidia kernel driver and nouveau userland.
However, on another system also nouveau userland is too broken to be used.
N8Fear (Tux's lil' helper, joined 15 Apr 2013, 140 posts, Berlin (Germany))
Posted: Tue Nov 18, 2014 7:13 pm

Gentoo64 wrote:
    ...and need to disable opengl on a couple of packages like cairo in order to not have to pax -m a ton of X-related stuff (opengl is the killer on hardened; it will always need -m).

For my boxes with Intel graphics I don't need to paxmark opengl stuff, so that's not really true.
Gentoo64 (n00b, joined 21 Oct 2011, 52 posts, Location: ::)
Posted: Thu Nov 20, 2014 11:01 pm

mv wrote:
    Gentoo64 wrote:
        and need to disable opengl on a couple of packages like cairo
    But do you still get acceptable speed if e.g. you view a movie?
    On one of my systems, I had success using the nvidia kernel driver and nouveau userland.
    However, on another system also nouveau userland is too broken to be used.

Yeah, all runs completely fine. I use mpv with vdpau and haven't had to pax -m anything.
steveL (Watchman, joined 13 Sep 2006, 5153 posts, Location: The Peanut Gallery)
Posted: Fri Nov 21, 2014 5:03 am

@Gentoo64

Please enable bbcode in your profile, so your quote tags (et al) don't look like crap. ;)