From: Radoslaw Madej
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Assessing the Tux Strength: Part 2 - Into the Kernel
Date: Fri, 17 Sep 2010 19:50:17 +0100
User-Agent: KMail/1.13.3 (Linux/2.6.34.6-grsec; KDE/4.4.3; x86_64; ; )
References: <201009022343.33281.radegand@o2.pl> <4C92A9B8.8000607@edgehp.net>
In-Reply-To: <4C92A9B8.8000607@edgehp.net>
Message-Id: <201009171950.17147.radegand@o2.pl>

On Friday 17 September 2010 00:35:20 you wrote:
> I've been running my servers for years on hardened Gentoo, but I always
> figured it would be too problematic for my deskside and laptop machines.
>
> Is this true? Have things gotten better, and is it perfectly reasonable
> to run hardened Gentoo for general purpose use?
>
> Two problem factors... My family likes YouTube and the like, and for my
> job I have to run proprietary binary-only software. (Silicon CAD tools)
>
> Thanks,
> Dale Pontius

Hi,

IMHO, short answer: if you don't need to run binary video drivers and Flash, a hardened desktop will be just fine...

Longer answer: I'd say it's a matter of risk management :) ...and available resources (time mainly).

Flash is an issue (security-wise, but also getting it to work with hardened :D), but then again - you could always use a different browser with Flash and without the hardened stuff (for example Opera will run it fine on a grsec kernel with mprotect disabled, and you can't harden it anyway) and lock it down using RBAC? Or simply use a VM for that? Again, it depends how far you want/have to go to mitigate the risk...

Back to your original question - personally I believe in the hardened desktop ;] I'm running three of these (one laptop) and more or less everything works (running KDE4), but yes, you need to compromise on a few things sometimes... Flash/Gnash is a nightmare... getting X11 to work sometimes too, all depending on your card: the nvidia binary stopped working ages ago (not sure if it works now), nouveau breaks every now and then regardless of hardened ;) so you're left with the fairly stable nv drivers but no 3D accel... from my experience ATI seems to be more hardened-friendly (OS driver, binary probably not). I'm soon to try the Intel chipset - hopefully it will be better! (or fixable at least ;)).

Not sure if this helps, but there you go - my two cents ;)

BTW - maybe it would be worth documenting somewhere the issues with hardened-gentoo desktops? I'll have plenty to share! ;)

Regards,
Radek