Re: [gentoo-hardened] Profile switch: hardened to non-hardened?

["Javier J. Martínez Cabezón" <tazok.id0@gmail.com>]

In terms of userland, non hardened profile doesn't protect you at all
against buffer overflows, you are removing one important security
layer. SSP protects you against buffer overflows in terms that the
vulnerable application gets killed when the canary is modified before
the execution of the arbitrary code. PIE protects you against return
into libc attacks that doesn't need an executable stack. PaX is not
perfect and needs them as complementary solutions. For example I think
that RANDEXEC was removed from PaX time ago, one buffer overflow that
uses return into libc attack could be succesfully against one
non-hardened binary. Since skype is a network oriented software...

2008/12/25 Grant <emailgrant@gmail.com>:
>> Hardened profiles: Yes there's a difference, no you should not switch to
>> hardened/linux/${ARCH} at this time.
>
> Is hardened/x86/2.6 still available for new installations?  My other
> systems are amd64 but none of them list hardened/amd64/2.6.
>
>> You can get skype working by downloading or building gcc 4.1.x and pointing
>> LD_LIBRARY_PATH at the shared object directory when starting skype.  skype
>> won't be using hardened toolchain but since its closed source and you're
>> willing to switch the whole machine to non-hardened I figure you probably
>> don't mind. ;)
>>
>> Example:
>> 1. Download
>> http://tinderbox.dev.gentoo.org/default-linux/x86/sys-devel/gcc-4.1.2.tbz2
>> 2. unpack the archive to ${HOME}/tinderbox-pkgs/sys-devel/gcc/
>> 3. Run it:
>> LD_LIBRARY_PATH="${HOME}/tinderbox-pkgs/sys-devel/gcc/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/"
>> skype
>>
>> If you only require VoIP capability and not skype specifically you might be
>> interested net-im/ekiga.
>
> Thank you very much for that, but I'm trying to simplify.  You see,
> I'm only a fake sysadmin.  Does using a hardened kernel with a
> non-hardened profile still offer good protection?
>
> - Grant
>
>>> > I've been able to do so; basically I switched over to the standard
>>> > profile, disabled selinux in the kernel, and re-emerged system for new
>>> > use flags. There were some other details but overall the process was
>>> > pretty painless, anyone ambitious enough to configure a hardened system
>>> > can probably handle the switch without much problem. Not that I'm
>>> > encouraging you to drop hardened (especially on a laptop that could be
>>> > exposed to random wifi networks ;-)
>>>
>>> Is there any difference between 1 and 8 here?  Should I switch to 8?
>>>
>>> # eselect profile list
>>> Available profile symlink targets:
>>>   [1]   hardened/x86/2.6 *
>>>   [2]   selinux/2007.0/x86
>>>   [3]   selinux/2007.0/x86/hardened
>>>   [4]   default/linux/x86/2008.0
>>>   [5]   default/linux/x86/2008.0/desktop
>>>   [6]   default/linux/x86/2008.0/developer
>>>   [7]   default/linux/x86/2008.0/server
>>>   [8]   hardened/linux/x86
>>>
>>> - Grant
>>>
>>> >> Can I switch my laptop's profile from a hardened one to a non-hardened
>>> >> one?  I thought this was impossible without a complete reinstall but
>>> >> folks on the gentoo-user list seem to think it's not a problem.
>>> >>
>>> >> - Grant
>
>