[gentoo-dev] hardened flavor of the developer profile

[gentoo-dev] hardened flavor of the developer profile

["Paweł Hajdan, Jr."]

[-- Attachment #1: Type: text/plain, Size: 1703 bytes --]

Currently I'm using the default/linux/x86/10.0/developer profile, but
I'd like to switch to hardened on my developer system to catch more issues.

However, eselect profile list only displays one hardened profile for me:

$ eselect profile list
Available profile symlink targets:
  [1]   default/linux/x86/10.0
  [2]   default/linux/x86/10.0/desktop
  [3]   default/linux/x86/10.0/desktop/gnome
  [4]   default/linux/x86/10.0/desktop/kde
  [5]   default/linux/x86/10.0/developer *
  [6]   default/linux/x86/10.0/server
  [7]   hardened/linux/x86
  [8]   selinux/2007.0/x86
  [9]   selinux/2007.0/x86/hardened
  [10]  selinux/v2refpolicy/x86
  [11]  selinux/v2refpolicy/x86/desktop
  [12]  selinux/v2refpolicy/x86/developer
  [13]  selinux/v2refpolicy/x86/hardened
  [14]  selinux/v2refpolicy/x86/server

I'm using eselect-1.2.11.

When listing the profiles directory in CVS, the hardened profile seems
to have developer and other sub-profiles:

ph@localhost ~/gentoo-x86/profiles $ ls -l hardened/linux/x86/
total 48
drwxr-xr-x 7 ph users 4096 Feb 17 07:57 10.0
drwxr-xr-x 2 ph users 4096 May  5 11:41 CVS
drwxr-xr-x 3 ph users 4096 Nov 28 17:48 desktop
drwxr-xr-x 3 ph users 4096 Nov 28 17:48 developer
-rw-r--r-- 1 ph users 1030 Feb 17 07:57 make.defaults
drwxr-xr-x 3 ph users 4096 Apr 25 21:25 minimal
drwxr-xr-x 3 ph users 4096 Nov 28 17:48 no-nptl
-rw-r--r-- 1 ph users  492 May 21  2010 package.mask
-rw-r--r-- 1 ph users  381 Mar 13 10:16 package.use.mask
-rw-r--r-- 1 ph users   58 Mar  4 10:17 parent
drwxr-xr-x 3 ph users 4096 Nov 28 17:48 server
-rw-r--r-- 1 ph users  315 Sep 30  2009 use.mask

Any ideas how to get a hardened+developer profile?


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 194 bytes --]

Re: [gentoo-dev] hardened flavor of the developer profile

[Jeremy Olexa]

On Thu, 05 May 2011 17:23:51 +0200, Paweł Hajdan, Jr. wrote:
> Currently I'm using the default/linux/x86/10.0/developer profile, but
> I'd like to switch to hardened on my developer system to catch more 
> issues.
>
> However, eselect profile list only displays one hardened profile for 
> me:
>
> $ eselect profile list
> Available profile symlink targets:
> <snip>
>
> I'm using eselect-1.2.11.
>
> When listing the profiles directory in CVS, the hardened profile 
> seems
> to have developer and other sub-profiles:
>
> ph@localhost ~/gentoo-x86/profiles $ ls -l hardened/linux/x86/
> total 48
> <snip>
>
> Any ideas how to get a hardened+developer profile?

Those profiles that you are seeking are *not* listed in 
PORTDIR/profiles/profiles.desc which is why they don't show up in 
eselect output. This means that repoman does not check those profiles at 
all. I am curious as to how much value they actually have ;) With that 
being said, eselect is NOT the only way to set your profile, you can 
just as easily create a symlink.
-Jeremy

Re: [gentoo-dev] hardened flavor of the developer profile

[Anthony G. Basile]

On 05/05/2011 12:00 PM, Jeremy Olexa wrote:
> On Thu, 05 May 2011 17:23:51 +0200, Paweł Hajdan, Jr. wrote:
>> Currently I'm using the default/linux/x86/10.0/developer profile, but
>> I'd like to switch to hardened on my developer system to catch more
>> issues.
>>
>> However, eselect profile list only displays one hardened profile for me:
>>
>> $ eselect profile list
>> Available profile symlink targets:
>> <snip>
>>
>> I'm using eselect-1.2.11.
>>
>> When listing the profiles directory in CVS, the hardened profile seems
>> to have developer and other sub-profiles:
>>
>> ph@localhost ~/gentoo-x86/profiles $ ls -l hardened/linux/x86/
>> total 48
>> <snip>
>>
>> Any ideas how to get a hardened+developer profile?
>
> Those profiles that you are seeking are *not* listed in
> PORTDIR/profiles/profiles.desc which is why they don't show up in
> eselect output. This means that repoman does not check those profiles
> at all. I am curious as to how much value they actually have ;) With
> that being said, eselect is NOT the only way to set your profile, you
> can just as easily create a symlink.
> -Jeremy
>

We simplified our profiles recently (last Oct-Nov 2010) and I only
listed hardened/linux/x86 in profiles.desc.  You can manually set

    ln -s ../usr/portage/profiles/hardened/linux/x86/developer
/etc/make.profile

The only thing to be careful of is that there is a lot of cruft under
the hardened profiles, some really old deprecated material that I have
not yet cleared out.  You really don't want to use one of that.  Just
watch out for any warning about deprecated profiles.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535

Re: [gentoo-dev] hardened flavor of the developer profile

["Paweł Hajdan, Jr."]

[-- Attachment #1: Type: text/plain, Size: 1431 bytes --]

On 5/5/11 10:45 PM, Anthony G. Basile wrote:
> We simplified our profiles recently (last Oct-Nov 2010)

You're referring to
http://archives.gentoo.org/gentoo-dev/msg_d847f6258a398052deecc9786c45c604.xml,
right?

> and I only
> listed hardened/linux/x86 in profiles.desc.  You can manually set
> 
>     ln -s ../usr/portage/profiles/hardened/linux/x86/developer
> /etc/make.profile
> 
> The only thing to be careful of is that there is a lot of cruft under
> the hardened profiles, some really old deprecated material that I have
> not yet cleared out.  You really don't want to use one of that.  Just
> watch out for any warning about deprecated profiles.

Oh, it's a stable system so I wouldn't want to go that route then.

Here's what I'm trying to do, maybe you'll have some advice how to do
that the best way (or whether to do that at all): I'd like to move more
of the hardened features to the defaults. A good start would be to make
more developers use them, to detect hardened-related problems earlier,
and avoid confusion like "it works on my non-hardened system".

Please note that even with hardened gcc one can select the vanilla
specs, effectively disabling the hardened features. Hopefully my
understanding is correct.

A possible idea I was thinking about was to add the hardened profile as
a parent of the developer profile... how does that sound to you? Is
there some better way?


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 194 bytes --]

Re: [gentoo-dev] hardened flavor of the developer profile

[Anthony G. Basile]

On 05/06/2011 03:29 AM, "Paweł Hajdan, Jr." wrote:
> On 5/5/11 10:45 PM, Anthony G. Basile wrote:
>> We simplified our profiles recently (last Oct-Nov 2010)
> You're referring to
> http://archives.gentoo.org/gentoo-dev/msg_d847f6258a398052deecc9786c45c604.xml,
> right?
>

Yes, that was one of several emails on the subject.

>> and I only
>> listed hardened/linux/x86 in profiles.desc.  You can manually set
>>
>>     ln -s ../usr/portage/profiles/hardened/linux/x86/developer
>> /etc/make.profile
>>
>> The only thing to be careful of is that there is a lot of cruft under
>> the hardened profiles, some really old deprecated material that I have
>> not yet cleared out.  You really don't want to use one of that.  Just
>> watch out for any warning about deprecated profiles.
> Oh, it's a stable system so I wouldn't want to go that route then.
>
> Here's what I'm trying to do, maybe you'll have some advice how to do
> that the best way (or whether to do that at all): I'd like to move more
> of the hardened features to the defaults. A good start would be to make
> more developers use them, to detect hardened-related problems earlier,
> and avoid confusion like "it works on my non-hardened system".

All the help we can get is welcomed!  BTW, when "it doesn't work on
hardened", it usually means some bad coding practice that shouldn't be
there in vanilla anyhow.

> Please note that even with hardened gcc one can select the vanilla
> specs, effectively disabling the hardened features. Hopefully my
> understanding is correct.

Yes, but be aware that the rest of your system is compiled with at least
the following 3 hardening features: 1) stack smashing protection, 2)
position independent exec 3) hardening of internal glibc functions
(-D_FORTIFY_SOURCES=2).  You can switch to vanilla for the binary you
are currently building, but it will still link against libs that have
the above.

Beyond the toolchain there is also kernel hardening.  The two interact,
but you can have one without the other.  So "it doesn't work on
hardened" may mean the kernel killed something or the toolchain did.

> A possible idea I was thinking about was to add the hardened profile as
> a parent of the developer profile... how does that sound to you? Is
> there some better way?
>

The profiles are horribly complex.  I would rather put hardened lower on
the stacking order than customization at the level of "developer",
"desktop", "server" etc.  Try it and see what happens.  Use this little
script to see what order the profiles are being stacked in and remember
that the lower ones take priority over the higher:

#!/usr/bin/env python

import portage
for p in portage.settings.profiles:
    print p



-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535