From: Peter Böhm
To: gentoo-user@lists.gentoo.org, ralfconn
Subject: Re: [gentoo-user] hardened vs desktop
Date: Mon, 13 Nov 2023 14:22:28 +0100
Message-ID: <5727375.DvuYhMxLoT@sun>
On Monday, 13 November 2023, 11:19:26 CET, ralfconn wrote:
> Hello,
>
> I've been running the desktop profile for years. Now I'm thinking of
> switching to the hardened. Since there is no 'hardened desktop' profile,
> the hint I found online is to note the current desktop USEs, switch to
> hardened and add the USEs not found there, but I wonder if it is really
> the best option. Comparing the two profiles, hardened seems a sub-set of
> desktop with the addition of:
>
> cet
> hardened
> pie
> ssp
> xtpax
>
> It seems to me easier to add these to the desktop rather than the other
> way round. Any gotchas I am missing?

Yes, you are missing that the best solution is: make a new profile which contains both profiles.

See more here: https://forums.gentoo.org/viewtopic-p-8694188.html#8694188

(And you have to start with a hardened stage3.)

Many greetings,
Peter

P.S.: Maybe read also the first note from this article:
https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP
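An added example, not part of either poster's message, of the combined-profile approach the reply recommends: a small POSIX shell script that writes a local profile directory whose parent file lists both the hardened and the desktop profile. It assumes amd64, profile version 17.1 and a main repository named gentoo; the directory name hardened-desktop and the helper functions are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): build a local profile that inherits
# from both the hardened and the desktop profile, as the reply suggests.
# Assumptions, adjust to your tree: arch amd64, profile version 17.1, main
# repository named "gentoo". Portage accepts "repo:path" parent lines in a
# profile directory placed directly at /etc/portage/make.profile.
set -u

HARDENED="gentoo:default/linux/amd64/17.1/hardened"   # assumed profile path
DESKTOP="gentoo:default/linux/amd64/17.1/desktop"     # assumed profile path

# write_combined_profile DIR: create DIR as a profile whose parents are the
# hardened profile first and the desktop profile second. Order matters:
# later parents are applied on top of earlier ones, so desktop USE defaults
# are layered over the hardened base (hardened, pie, ssp, ... stay set).
write_combined_profile() {
    dir="$1"
    # /etc/portage/make.profile is normally a symlink into the gentoo repo;
    # writing through it would clobber the repository's own profile.
    if [ -L "$dir" ]; then
        echo "refusing to write into symlink $dir; remove it first" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    printf '%s\n' "$HARDENED" "$DESKTOP" > "$dir/parent"
}

# profile_parent_count DIR: number of non-empty parent entries (sanity check).
profile_parent_count() {
    grep -c . "$1/parent"
}

# profile_has_parent DIR NAME: succeed if NAME is listed verbatim as a parent.
profile_has_parent() {
    grep -qxF "$2" "$1/parent"
}

# Dry run into a temporary directory so nothing on the live system changes.
tmp="$(mktemp -d)"
write_combined_profile "$tmp/hardened-desktop"
cat "$tmp/hardened-desktop/parent"
rm -rf "$tmp"

# To activate for real (as root, on a system built from a hardened stage3 as
# the reply notes), remove the make.profile symlink and then run:
#   write_combined_profile /etc/portage/make.profile
#   emerge --info | grep '^USE='   # inspect the resulting USE set
```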