[gentoo-user] Switching to a hardened profile and back again

[gentoo-user] Switching to a hardened profile and back again

[Grant]

A dev is asking me to switch to a hardened profile in order to test a
fix.  I'm happy to go through the process, but is there a chance my
laptop could be unusable after the switch?  If that happens I'll be in
real trouble.  Will I be able to switch back to a non-hardened profile
afterward?  I plan to follow this guide:

http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile

BTW, are emerge -e world and emerge -e system both necessary?  I
thought emerge -e world would rebuild everything.

- Grant

Re: [gentoo-user] Switching to a hardened profile and back again

[Michael Orlitzky]

On 03/15/2011 02:05 PM, Grant wrote:
> A dev is asking me to switch to a hardened profile in order to test a
> fix.  I'm happy to go through the process, but is there a chance my
> laptop could be unusable after the switch?  If that happens I'll be in
> real trouble.  Will I be able to switch back to a non-hardened profile
> afterward?  I plan to follow this guide:
> 
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
> 
> BTW, are emerge -e world and emerge -e system both necessary?  I
> thought emerge -e world would rebuild everything.

Switching to hardened is safe. The switch back should be, too, although
I haven't personally tried it. (Why would you switch back?)

You emerge system first, and then world so that your world is built by a
hardened toolchain. When you compile gcc/glibc with USE=hardened, it
gives them super powers.

Re: [gentoo-user] Switching to a hardened profile and back again

[Grant]

>> A dev is asking me to switch to a hardened profile in order to test a
>> fix.  I'm happy to go through the process, but is there a chance my
>> laptop could be unusable after the switch?  If that happens I'll be in
>> real trouble.  Will I be able to switch back to a non-hardened profile
>> afterward?  I plan to follow this guide:
>>
>> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
>>
>> BTW, are emerge -e world and emerge -e system both necessary?  I
>> thought emerge -e world would rebuild everything.
>
> Switching to hardened is safe. The switch back should be, too, although
> I haven't personally tried it. (Why would you switch back?)

I originally had my laptop on a hardened profile (I think it was a
couple laptops back) but there were so many problems I eventually gave
up.  I remember doing a lot of system reinstalling as I switched
profiles around.  I don't have time to reinstall my system right now
so I'm trying to be sure I can switch to hardened (and from hardened
if necessary) without reinstalling.

> You emerge system first, and then world so that your world is built by a
> hardened toolchain. When you compile gcc/glibc with USE=hardened, it
> gives them super powers.

Would 'emerge gcc glibc && emerge -e world' have the same affect?

- Grant

Re: [gentoo-user] Switching to a hardened profile and back again

[Michael Orlitzky]

On 03/15/2011 03:20 PM, Grant wrote:
>>> A dev is asking me to switch to a hardened profile in order to test a
>>> fix.  I'm happy to go through the process, but is there a chance my
>>> laptop could be unusable after the switch?  If that happens I'll be in
>>> real trouble.  Will I be able to switch back to a non-hardened profile
>>> afterward?  I plan to follow this guide:
>>>
>>> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
>>>
>>> BTW, are emerge -e world and emerge -e system both necessary?  I
>>> thought emerge -e world would rebuild everything.
>>
>> Switching to hardened is safe. The switch back should be, too, although
>> I haven't personally tried it. (Why would you switch back?)
> 
> I originally had my laptop on a hardened profile (I think it was a
> couple laptops back) but there were so many problems I eventually gave
> up.  I remember doing a lot of system reinstalling as I switched
> profiles around.  I don't have time to reinstall my system right now
> so I'm trying to be sure I can switch to hardened (and from hardened
> if necessary) without reinstalling.

If you don't run a hardened kernel, "sudo gcc-config 5" (assuming 5 is
the vanilla gcc on your machine...) will switch you back to the vanilla
gcc. No need to switch profiles or recompile anything.


>> You emerge system first, and then world so that your world is built by a
>> hardened toolchain. When you compile gcc/glibc with USE=hardened, it
>> gives them super powers.
> 
> Would 'emerge gcc glibc && emerge -e world' have the same affect?

There are a couple of other packages you're supposed to re-emerge along
with gcc and glibc. Binutils was one, but I don't remember the whole
list. Just suck it up and spend the extra hour to re-emerge system; that
way, you're sure you haven't missed anything.

Re: [gentoo-user] Switching to a hardened profile and back again

[Alan McKinnon]

On 15/03/11 20:05, Grant wrote:
> A dev is asking me to switch to a hardened profile in order to test a
> fix.  I'm happy to go through the process, but is there a chance my
> laptop could be unusable after the switch?  If that happens I'll be in
> real trouble.  Will I be able to switch back to a non-hardened profile
> afterward?  I plan to follow this guide:
> 
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
> 
> BTW, are emerge -e world and emerge -e system both necessary?  I
> thought emerge -e world would rebuild everything.

emerge -e world does remerge everything, but not in the order you'd
expect. try it with -p, you'll see that glibc and gcc are near the end.

You want them at the beginning, so that the hardened system is built by
a compiler and libc that is hardened as well as the rest of the toolchain.

Now whereas a compiler can in theory be told to generate any kind of
code for anything, including hard code when it itself is not hard, can
you really be sure it actually will do that? Plus the rest of the
toolchain too.

The only certain way is to build a hardened toolchain then rebuild the
entire system with it.

emerge -e system ; emerge -e world is not the fastest route of minimal
compilation effort, but it sure is the easiest for the human in charge:
one line in bash, press enter, walk away.


-- 
alan dot mckinnon at gmail dot com

Re: [gentoo-user] Switching to a hardened profile and back again

[Grant]

>>>> A dev is asking me to switch to a hardened profile in order to test a
>>>> fix.  I'm happy to go through the process, but is there a chance my
>>>> laptop could be unusable after the switch?  If that happens I'll be in
>>>> real trouble.  Will I be able to switch back to a non-hardened profile
>>>> afterward?  I plan to follow this guide:
>>>>
>>>> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
>>>>
>>>> BTW, are emerge -e world and emerge -e system both necessary?  I
>>>> thought emerge -e world would rebuild everything.
>>>
>>> Switching to hardened is safe. The switch back should be, too, although
>>> I haven't personally tried it. (Why would you switch back?)
>>
>> I originally had my laptop on a hardened profile (I think it was a
>> couple laptops back) but there were so many problems I eventually gave
>> up.  I remember doing a lot of system reinstalling as I switched
>> profiles around.  I don't have time to reinstall my system right now
>> so I'm trying to be sure I can switch to hardened (and from hardened
>> if necessary) without reinstalling.
>
> If you don't run a hardened kernel, "sudo gcc-config 5" (assuming 5 is
> the vanilla gcc on your machine...) will switch you back to the vanilla
> gcc. No need to switch profiles or recompile anything.

I do run a hardened kernel, but you're saying if I switch to gcc-5 I
should be able to test for a crash that was previously exhibited under
a hardened profile?

>>> You emerge system first, and then world so that your world is built by a
>>> hardened toolchain. When you compile gcc/glibc with USE=hardened, it
>>> gives them super powers.
>>
>> Would 'emerge gcc glibc && emerge -e world' have the same affect?
>
> There are a couple of other packages you're supposed to re-emerge along
> with gcc and glibc. Binutils was one, but I don't remember the whole
> list. Just suck it up and spend the extra hour to re-emerge system; that
> way, you're sure you haven't missed anything.

OK I'll emerge system first if it comes to that.

- Grant

Re: [gentoo-user] Switching to a hardened profile and back again

[Michael Orlitzky]

On 03/15/2011 04:28 PM, Grant wrote:
>>>>> A dev is asking me to switch to a hardened profile in order to test a
>>>>> fix.  I'm happy to go through the process, but is there a chance my
>>>>> laptop could be unusable after the switch?  If that happens I'll be in
>>>>> real trouble.  Will I be able to switch back to a non-hardened profile
>>>>> afterward?  I plan to follow this guide:
>>>>>
>>>>> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
>>>>>
>>>>> BTW, are emerge -e world and emerge -e system both necessary?  I
>>>>> thought emerge -e world would rebuild everything.
>>>>
>>>> Switching to hardened is safe. The switch back should be, too, although
>>>> I haven't personally tried it. (Why would you switch back?)
>>>
>>> I originally had my laptop on a hardened profile (I think it was a
>>> couple laptops back) but there were so many problems I eventually gave
>>> up.  I remember doing a lot of system reinstalling as I switched
>>> profiles around.  I don't have time to reinstall my system right now
>>> so I'm trying to be sure I can switch to hardened (and from hardened
>>> if necessary) without reinstalling.
>>
>> If you don't run a hardened kernel, "sudo gcc-config 5" (assuming 5 is
>> the vanilla gcc on your machine...) will switch you back to the vanilla
>> gcc. No need to switch profiles or recompile anything.
> 
> I do run a hardened kernel, but you're saying if I switch to gcc-5 I
> should be able to test for a crash that was previously exhibited under
> a hardened profile?
> 

I think (completely unscientifically) that most of the day-to-day
problems are caused by the hardening features in the kernel rather than
by GCC's hardening features.

When you compile a hardened GCC, you also get the vanilla, unhardened
GCC installed. So if you see e.g. a compile failure using hardened GCC,
you can just switch to the vanilla GCC to see if that fixes it. On my
machine,

  $ sudo gcc-config -l
   [1] x86_64-pc-linux-gnu-4.4.5 *
   [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
   [3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
   [4] x86_64-pc-linux-gnu-4.4.5-hardenednossp
   [5] x86_64-pc-linux-gnu-4.4.5-vanilla

it's the fifth option.

Summary: if you have problems on hardened, you can always switch to
vanilla GCC and reboot to a non-hardened kernel. You don't have to
recompile anything or switch profiles again.

Re: [gentoo-user] Switching to a hardened profile and back again

[Dale]

Alan McKinnon wrote:
>
> emerge -e world does remerge everything, but not in the order you'd
> expect. try it with -p, you'll see that glibc and gcc are near the end.
>
> You want them at the beginning, so that the hardened system is built by
> a compiler and libc that is hardened as well as the rest of the toolchain.
>
> Now whereas a compiler can in theory be told to generate any kind of
> code for anything, including hard code when it itself is not hard, can
> you really be sure it actually will do that? Plus the rest of the
> toolchain too.
>
> The only certain way is to build a hardened toolchain then rebuild the
> entire system with it.
>
> emerge -e system ; emerge -e world is not the fastest route of minimal
> compilation effort, but it sure is the easiest for the human in charge:
> one line in bash, press enter, walk away.
>
>    

This may be a good time to use the script off the forums.  I used it a 
few weeks or so ago and it worked great.  It certainly does things in a 
different order than portage.

Dale

:-)  :-)

Re: [gentoo-user] Switching to a hardened profile and back again

[Mike Edenfield]

On 3/15/2011 2:05 PM, Grant wrote:
> A dev is asking me to switch to a hardened profile in order to test a
> fix.  I'm happy to go through the process, but is there a chance my
> laptop could be unusable after the switch?  If that happens I'll be in
> real trouble.  Will I be able to switch back to a non-hardened profile
> afterward?  I plan to follow this guide:
> 
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile

First off, is there a reason you want to switch back to non-hardened? I
run hardened on all my machines by default; almost every package in
portage is now hardened-aware and builds/runs correctly. For those few
that don't, there's paxctl and/or softmode (looking at you, openoffice)

I've gone both ways with no real issues; though admittedly not on the
same machine :)

I'm assuming you're including a switch to a hardened kernel as part of
this. That's the biggest possible source of problems: if you have a
PAX-enabled kernel then all of your binaries need to be built by the
hardened tool chain, or there is a decent chance they'll fail.

Definitely follow the FAQ for the details, but the basic process should be:

* switch profiles -> hardened
* emerge gcc glibc binutils
* emerge @system
* emerge @world
* build then boot hardened kernel

* <test test test test test>

* boot non-hardened kernel
* switch profiles -> non-hardened
* emerge gcc glibc binutils
* emerge @system
* emerge @world

Note that the emerge @world emerges are definitely overkill time-wise
but much, much safer and simpler unless you are very aware of what
you're doing, what the packages are doing, how hardened's features
interact, etc.

Also, when building your PAX kernel,

MAKE SURE YOU INCLUDE SOFTMODE SUPPORT

That way, if something misbehaves and you can't fix it you can enable
soft mode and PAX will stop killing things on you.

> BTW, are emerge -e world and emerge -e system both necessary?  I
> thought emerge -e world would rebuild everything.

IIRC, @system is not in @world unless you put it there yourself. (This
might depend on your portage version, though).

--Mike

Re: [gentoo-user] Switching to a hardened profile and back again

[Peter Humphrey]

On Wednesday 16 March 2011 19:54:53 Mike Edenfield wrote:

> IIRC, @system is not in @world unless you put it there yourself. (This
> might depend on your portage version, though).

I'm sure I once saw a comment in a portage version that @system was being 
included in @world to preserve earlier behaviour.

-- 
Rgds
Peter

Re: [gentoo-user] Switching to a hardened profile and back again

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 482 bytes --]

On Thu, 17 Mar 2011 00:28:54 +0000, Peter Humphrey wrote:

> > IIRC, @system is not in @world unless you put it there yourself. (This
> > might depend on your portage version, though).
> 
> I'm sure I once saw a comment in a portage version that @system was
> being included in @world to preserve earlier behaviour.
> 

From man emerge:

  "world encompasses both the selected and system sets"


-- 
Neil Bothwick

What is a "free" gift ? Aren't all gifts free?


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

[gentoo-user] 答复: [gentoo-user] Switching to a hardened profile and back again

[yokee]

-----邮件原件-----
发件人: Neil Bothwick [mailto:neil@digimed.co.uk] 
发送时间: 2011-03-17 17:01
收件人: gentoo-user@lists.gentoo.org
主题: Re: [gentoo-user] Switching to a hardened profile and back again

On Thu, 17 Mar 2011 00:28:54 +0000, Peter Humphrey wrote:

> > IIRC, @system is not in @world unless you put it there yourself. 
> > (This might depend on your portage version, though).
> 
> I'm sure I once saw a comment in a portage version that @system was 
> being included in @world to preserve earlier behaviour.
> 

From man emerge:

  "world encompasses both the selected and system sets"


--
Neil Bothwick

What is a "free" gift ? Aren't all gifts free?

Re: [gentoo-user] Switching to a hardened profile and back again

[Alex Schuster]

Neil Bothwick writes:

> On Thu, 17 Mar 2011 00:28:54 +0000, Peter Humphrey wrote:
> > > IIRC, @system is not in @world unless you put it there yourself.
> > > (This might depend on your portage version, though).
> > 
> > I'm sure I once saw a comment in a portage version that @system was
> > being included in @world to preserve earlier behaviour.
> 
> From man emerge:
> 
>   "world encompasses both the selected and system sets"

BTW, this can be toggled by putting or not putting 'system' into 
/var/lib/portage/world_sets.

	Wonko

Re: [gentoo-user] Switching to a hardened profile and back again

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 633 bytes --]

On Thu, 17 Mar 2011 14:42:30 +0100, Alex Schuster wrote:

> > From man emerge:
> > 
> >   "world encompasses both the selected and system sets"  
> 
> BTW, this can be toggled by putting or not putting 'system' into 
> /var/lib/portage/world_sets.

That was the case for a while with portage-2.2, but it appears that
@system is now automatically part of @world. That's how I read the man
page that says that @world encompasses @system, without any setting by the
user. A new install no longer includes @system in world_sets.


-- 
Neil Bothwick

Philosophical error: Demonstrate the existence of a key to continue

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] Switching to a hardened profile and back again

[Dale]

Neil Bothwick wrote:
> On Thu, 17 Mar 2011 14:42:30 +0100, Alex Schuster wrote:
>
>    
>>>  From man emerge:
>>>
>>>    "world encompasses both the selected and system sets"
>>>        
>> BTW, this can be toggled by putting or not putting 'system' into
>> /var/lib/portage/world_sets.
>>      
> That was the case for a while with portage-2.2, but it appears that
> @system is now automatically part of @world. That's how I read the man
> page that says that @world encompasses @system, without any setting by the
> user. A new install no longer includes @system in world_sets.
>
>
>    

That appears to be true here.  I have portage 2.2 installed and system 
is no longer in that file.  It used to be but not anymore.

I wonder how a person would override that if they needed to tho?  Not 
sure why a person would but anyway.

Dale

:-)  :-)

Re: [gentoo-user] Switching to a hardened profile and back again

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 519 bytes --]

On Thu, 17 Mar 2011 09:27:55 -0500, Dale wrote:

> That appears to be true here.  I have portage 2.2 installed and system 
> is no longer in that file.  It used to be but not anymore.
> 
> I wonder how a person would override that if they needed to tho?  Not 
> sure why a person would but anyway.

cp /var/lib/portage/world /etc/portage/sets/my_world
emerge @my_world


-- 
Neil Bothwick

"I teleported home one night
With Ron and Sid and Meg.
Ron stole Meggie's heart away
And I got Sidney's leg."

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

[gentoo-user] Re: Switching to a hardened profile and back again

[Francesco Talamona]

On Thursday 17 March 2011, Neil Bothwick wrote:
> cp /var/lib/portage/world /etc/portage/sets/my_world
> emerge @my_world

Neil, this is simply wonderful :)
Thanks
	FT
-- 
Linux Version 2.6.38-gentoo, Compiled #1 SMP PREEMPT Wed Mar 16 20:03:24 
CET 2011
Two 1GHz AMD Athlon 64 Processors, 4GB RAM, 4019.38 Bogomips Total
aemaeth

Re: [gentoo-user] Re: Switching to a hardened profile and back again

[klondike]

[-- Attachment #1: Type: text/plain, Size: 1749 bytes --]

Going to try to settle and clarify things once and for all.

You can switch back to non hardened if needed, make sure you have your
old non hardened kernel as an option on your bootloader just in case as
that will disable most hardening features (including PIE), so your
system will only have SSP as source of possible troubles.

The steps on the FAQ have been agreeded by the whole hardened team on
meetings, and there are reasons for them:
You need to emerge gcc and glibc on the first stage to make sure they
include any hardening needed since they are patched (at least gcc is and
glibc includes the SSP code).
You need to emerge then system for two reasons, first because if
something fails going back will be easier, then because some of the
system libraries and tools have hardening patches.
Finally you need to emerge the whole world to make sure all the packages
(even system ones) are built and linked with hardened features and
libraries.
In a similar way you can repeat the above steps again after going back
to your preferred non hardened profile.
Also remind that any changes from hardened to non hardened and viceversa
must be made on a non hardened kernel.

Tip: generate binary packages for world before jumping to hardened as
that will make recovery easier in case the change fails and will speed
up going back a lot.

BTW: for those of you who haven't noticed we added the --keep-going flag
to the system and world emerges so the system keeps trying to build if
any of the packages fails, in that case filling a bug would be a good idea.

Not more to say, if you need to run in softmode just follow the FAQ but
then PaX will be mostly disabled so it is an almost not hardened kernel
meanwhile.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]