From: Parker Schmitt
To: gentoo-dev@lists.gentoo.org
Date: Sat, 7 Sep 2013 06:36:29 +0000
Subject: Re: [gentoo-dev] Re: Improve the security of the default profile

Perhaps a hardened desktop profile might be nice. Possibly even an SELinux
profile with the popular WMs. From what I remember, users of the server
profile are given a warning to switch to hardened, though it would be nice to
add hardened options to other "specialized" profiles.

On Sat, Sep 7, 2013 at 3:48 AM, Rick "Zero_Chaos" Farina
<zerochaos@gentoo.org> wrote:

> On 09/05/2013 07:06 AM, Mike Frysinger wrote:
> > On Thursday 05 September 2013 06:13:28 Agostino Sarubbo wrote:
> >> during an irc debate, me and other people just noticed that the default
> >> profile could use more flags to enhance the security.
> >>
> >> An hint is here:
> >> https://wiki.ubuntu.com/ToolChain/CompilerFlags
> >>
> >> Please argue about what we _don't_ use.
> >
> > the only thing we don't use by default is SSP. and we have hardened for
> > that.
> >
> > fairly certain the other flags we've been using in Gentoo for years.
> > -mike
> >
>
> Since I don't see this in the profile and I know almost nothing about
> how the toolchain works, perhaps you could grace us with how to see the
> fact that "we've been using in Gentoo for years" :-)
>
> Thanks,
> Zero