Subject: Re: [gentoo-dev] Hardening a default profile
From: Tiziano Müller
To: Michael Brinkman
Cc: gentoo-dev@lists.gentoo.org
Date: Thu, 15 Jun 2017 16:39:18 +0200
Message-ID: <57fd166c-c67d-0b18-f491-22714cf739ae@gentoo.org>

Hi Michael

On 11.06.2017 at 23:39, Michael Brinkman wrote:
> Hello, so I've been running Gentoo Hardened for a few years on my
> laptop, my desktop, and a server made from an older desktop.
>
> Because of Grsecurity closing access to its source to non-subscribers,
> I decided that I would just try to stick with Gentoo-sources and
> harden the default profile and follow the KSSP guidelines to get as
> close as possible without losing the testing kernel. Because of this,
> I no longer used the PaX features and decided to switch to the default
> profile and enable my own flags.

The security people probably have more insight, but I personally run by default the hardened profile, also in combination with gentoo-sources if there were too many compatibility issues with the software I had to run on that specific machine.

So, from my point of view there is no reason to switch to the default profile just because the grsec-kernel-patchset isn't open source anymore.

Best regards,
Tiziano