From: Michael Orlitzky
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Anyone running a hardened profile?
Date: Mon, 7 Sep 2015 14:27:38 -0400

On 09/07/2015 01:10 PM, wabenbau@gmail.com wrote:
> Michael Orlitzky wrote:
>
> I don't think so (but maybe I'm wrong). You have to compile your entire
> system with a hardened toolchain to get full hardened support (SSP and
> maybe some other things). I think, to go back to a "normal state", you
> have to recompile everything again with a non hardened toolchain.
>

GCC 4.8 already defaults to -fstack-protector, but you do need to
recompile to get -fstack-protector-all and you're right that you would
need to recompile again to make it go away. The full SSP is considered
safe though, and only slows things down a bit.

For PaX, the markings may exist on your filesystem, but if you switch to
a non-hardened kernel they cease to have any effect. Grsec just goes away.
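
Added example, not part of the original message: a shell check that shows why moving between -fstack-protector and -fstack-protector-all requires a recompile. The canary check is emitted into each function at compile time: plain -fstack-protector instruments only functions with a character buffer of at least 8 bytes (the default ssp-buffer-size) or an alloca call, while -fstack-protector-all instruments every function. It assumes a GCC- or Clang-compatible `cc`; the `probe` functions and the `has_canary` helper are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample source. -DWITH_BUFFER selects a function with a 64-byte
# char array; without it, the function has no array at all.
SRC='
#ifdef WITH_BUFFER
int probe(const char *s) { char buf[64]; buf[0] = s[0]; return buf[0]; }
#else
int probe(int a, int b) { return a + b; }
#endif
'

# has_canary FLAG [-DWITH_BUFFER]
# Compiles the sample to assembly and prints "yes" if the output references
# __stack_chk_fail (the handler called when the stack canary is corrupted),
# "no" if it does not, or "error" if the compiler could not be run.
has_canary() {
    asm=$(printf '%s\n' "$SRC" | "${CC:-cc}" -O0 "$@" -x c -S -o - -) || {
        echo error
        return 1
    }
    case $asm in
        *__stack_chk_fail*) echo yes ;;
        *) echo no ;;
    esac
}

# Show, per flag, which of the two functions received a canary check.
for flag in -fno-stack-protector -fstack-protector -fstack-protector-all; do
    printf '%-24s buffer=%s no-buffer=%s\n' "$flag" \
        "$(has_canary "$flag" -DWITH_BUFFER || true)" \
        "$(has_canary "$flag" || true)"
done
```

The same symbol can be looked for in installed binaries to see whether they were built with SSP at all, though its presence alone does not distinguish the two flags.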