Gentoo Forums
Gentoo and hardened profile
Fulgurance (Guru)
Joined: 15 Feb 2017 | Posts: 552
Posted: Thu May 11, 2017 6:11 pm    Post subject: Gentoo and hardened profile

Hello, I have a question. I have seen that the hardened Gentoo profile is very good for adding more security to a PC.
Is it sufficient to switch profiles and update everything, or is it difficult to switch from the normal profile to the hardened profile? (By default I have the plasma multilib profile.)

roboto (Apprentice)
Joined: 15 Feb 2017 | Posts: 156 | Location: My IP address.
Posted: Thu May 11, 2017 7:25 pm

The hardened profile starts with a hardened stage3 tarball.

So if you're on the default profile, then you can't switch to hardened unless you reinstall and get the hardened stage3 tarball.
_________________
Answers please.

The true hater of man expects nothing from him and is indiscriminate to his works.
-Ayn Rand
Quote:
Dude. Minus 30 credibility points.

Yep

Hu (Moderator)
Joined: 06 Mar 2007 | Posts: 13512
Posted: Fri May 12, 2017 1:09 am

roboto: could you provide a citation for that claim? My understanding was that the only commonly requested transition that requires a full reinstall is a switch from no-multilib to multilib. Switching into hardened will doubtless require considerable rebuilding, but I thought that transition was possible in-place without a reinstall.

NeddySeagoon (Administrator)
Joined: 05 Jul 2003 | Posts: 42596 | Location: 56N 3W
Posted: Fri May 12, 2017 7:30 am

Fulgurance,

Hardened is in several pieces. The kernel, the toolchain and your apps.
The toolchain builds your apps so that nasty things happening can be detected.
The kernel kills the apps reported to be doing nasty things, so you need all the bits.

The biggest change is the addition of ssp and pie by default.
That's stack smashing protection (ssp) and position independent executables (pie).

You should be able to switch (I've not done it) but if you have any static libraries, they will all need to be rebuilt for pie.
A rough outline of the process would be:
Switch profiles and fix your USE flags.
Rebuild your toolchain so you have a hardened toolchain.
Select the hardened toolchain.
Rebuild everything else.
Don't forget the hardened-sources kernel.

The downside is that some packages expect to do things that hardened won't permit. These packages won't run on a properly hardened system.
However, you can use pax marking to effectively turn hardening off for these packages.

If you want to try a hardened desktop, the "Belgian Crispy Waffle Edition" liveDVD is all hardened.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
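
A check for the two defaults named in the post above (ssp and pie), useful after the "rebuild everything else" step; this is an added example, not part of the thread and not Gentoo's own tooling. It reads each ELF header to tell a fixed-address executable from a PIE one and looks for a `__stack_chk_fail` reference; the names `elf_hardening` and `make_sample` and the sample bytes are constructed for illustration, and the ssp test is a heuristic.

```python
import struct
import sys

ET_EXEC, ET_DYN, PT_LOAD, PT_INTERP = 2, 3, 1, 3   # values from the ELF specification

def elf_hardening(data: bytes) -> dict:
    """Classify one ELF image: fixed-address or PIE, and whether it references SSP."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                        # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    # p_type is the first 4-byte field of a program header in both ELF classes.
    p_types = [struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
               for i in range(phnum)]
    # ET_DYN plus PT_INTERP is what a dynamically linked PIE looks like
    # (a few shared libraries, libc for one, also carry PT_INTERP).
    if e_type == ET_EXEC:
        kind = "fixed-address executable"
    elif e_type == ET_DYN and PT_INTERP in p_types:
        kind = "PIE executable"
    elif e_type == ET_DYN:
        kind = "shared object or static-pie"
    else:
        kind = "other"
    # Heuristic: SSP-instrumented code calls __stack_chk_fail, so the name shows
    # up in the file; code with no protected stack frames may not reference it.
    return {"kind": kind, "pie": kind == "PIE executable",
            "ssp": b"__stack_chk_fail" in data}

def make_sample(e_type: int, interp: bool, ssp: bool) -> bytes:
    """Constructed 64-bit little-endian ELF stub: header plus one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH",
                              e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    ph = struct.pack("<I", PT_INTERP if interp else PT_LOAD) + bytes(52)
    return hdr + ph + (b"\0__stack_chk_fail\0" if ssp else b"")

if __name__ == "__main__":
    for path in sys.argv[1:]:                  # e.g. the binaries you just rebuilt
        with open(path, "rb") as fh:
            print(path, elf_hardening(fh.read()))
```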

All times are GMT