* [gentoo-user] Is it possible to move from hardened profile?
@ 2012-01-14 21:05 czernitko
2012-01-14 21:56 ` [gentoo-user] " walt
0 siblings, 1 reply; 7+ messages in thread
From: czernitko @ 2012-01-14 21:05 UTC
To: gentoo-user
Hello, I wonder whether it is possible to convert hardened desktop box into
box with non-hardened profile? I guess I would have to recompile world with
vanilla compiler (no hardening) and compile gentoo-sources kernel (no prob
with those), but how can I get clean, non-hardened profile for portage (if
it is even possible)?
Thanks for any clues,
Peter
* [gentoo-user] Re: Is it possible to move from hardened profile?
2012-01-14 21:05 [gentoo-user] Is it possible to move from hardened profile? czernitko
@ 2012-01-14 21:56 ` walt
2012-01-14 22:25 ` Michael Orlitzky
0 siblings, 1 reply; 7+ messages in thread
From: walt @ 2012-01-14 21:56 UTC
To: gentoo-user
On 01/14/2012 01:05 PM, czernitko wrote:
> Hello, I wonder whether it is possible to convert hardened desktop
> box into box with non-hardened profile? I guess I would have to
> recompile world with vanilla compiler (no hardening) and compile
> gentoo-sources kernel (no prob with those), but how can I get clean,
> non-hardened profile for portage (if it is even possible)?
Short answer: I have no idea :) But I'd like to ask why you want to
dump the hardened profile. Is there a significant disadvantage to
the hardening? I've been wanting for a while to try hardening but I'm
basically too lazy to Just Do It(TM).
* Re: [gentoo-user] Re: Is it possible to move from hardened profile?
2012-01-14 21:56 ` [gentoo-user] " walt
@ 2012-01-14 22:25 ` Michael Orlitzky
2012-01-15 13:36 ` Tanstaafl
0 siblings, 1 reply; 7+ messages in thread
From: Michael Orlitzky @ 2012-01-14 22:25 UTC
To: gentoo-user
On 01/14/2012 04:56 PM, walt wrote:
> On 01/14/2012 01:05 PM, czernitko wrote:
>> Hello, I wonder whether it is possible to convert hardened desktop
>> box into box with non-hardened profile? I guess I would have to
>> recompile world with vanilla compiler (no hardening) and compile
>> gentoo-sources kernel (no prob with those), but how can I get clean,
>> non-hardened profile for portage (if it is even possible)?
>
> Short answer: I have no idea :) But I'd like to ask why you want to
> dump the hardened profile. Is there a significant disadvantage to
> the hardening? I've been wanting for a while to try hardening but I'm
> basically too lazy to Just Do It(TM).
>
Virtualization is iffy if you're not careful which options you enable in
the kernel.
Rarely, an upstream developer will do something weird in his code and it
will break an unstable package.
They say the nvidia drivers don't work, but they do anyway.
Chances are, you won't notice any difference, but you'll gain a tiny bit
of peace of mind.
* Re: [gentoo-user] Re: Is it possible to move from hardened profile?
2012-01-14 22:25 ` Michael Orlitzky
@ 2012-01-15 13:36 ` Tanstaafl
2012-01-15 15:04 ` czernitko
2012-01-15 15:30 ` Michael Orlitzky
0 siblings, 2 replies; 7+ messages in thread
From: Tanstaafl @ 2012-01-15 13:36 UTC
To: gentoo-user; +Cc: Michael Orlitzky
On 2012-01-14 5:25 PM, Michael Orlitzky <michael@orlitzky.com> wrote:
> On 01/14/2012 04:56 PM, walt wrote:
>> On 01/14/2012 01:05 PM, czernitko wrote:
>>> Hello, I wonder whether it is possible to convert hardened desktop
>>> box into box with non-hardened profile? I guess I would have to
>>> recompile world with vanilla compiler (no hardening) and compile
>>> gentoo-sources kernel (no prob with those), but how can I get clean,
>>> non-hardened profile for portage (if it is even possible)?
>>
>> Short answer: I have no idea :) But I'd like to ask why you want to
>> dump the hardened profile. Is there a significant disadvantage to
>> the hardening? I've been wanting for a while to try hardening but I'm
>> basically too lazy to Just Do It(TM).
> Virtualization is iffy if you're not careful which options you enable in
> the kernel.
I've been meaning to ask a similar (but reverse) question - which I'll do
in a separate thread later, but...
Your reference to 'virtualization is iffy' above... do you mean if you
are going to run VMs on a hardened HOST? Or run a hardened machine as a
VM? I had a problem trying to switch my Linode VM to the hardened
profile, and ended up giving up on it...
* Re: [gentoo-user] Re: Is it possible to move from hardened profile?
2012-01-15 13:36 ` Tanstaafl
@ 2012-01-15 15:04 ` czernitko
2012-01-15 15:30 ` Michael Orlitzky
1 sibling, 0 replies; 7+ messages in thread
From: czernitko @ 2012-01-15 15:04 UTC
To: gentoo-user
Well, hardened profile really did add some peace of mind to me, very rarely
I found some app to be terminated thanks to stack smashing protection. I
would like to have safe working environment, but the incompatibility cost
me quite some time. Hardened would be the only choice for me if it was a
server solution, but for notebook workstation with KDE it is quite
inconvenient. ATI fglrx drivers have problems on hardened kernel (even with
GrSec and PAX disabled, just thanks to other hardened patches), VirtualBox
cannot be compiled using hardened gcc profile, when trying to emerge
wxMaxima some of its dependencies refuse to be compiled on hardened profile
(was it gnuplot? I am really not sure)... These are usually small amounts
of time which I have to invest, but there is quite a bunch of them. On
server I have no such problems and I am using hardened profile with lots of
security features turned on without problems, but on desktop workstation it
is quite a pain.
Anyway I have already created a partition and in some free time I have been
installing Gentoo with default profile via chroot. When I have complete
environment and all my data moved, I'll try to convert the profile, just
out of curiosity...
Peter
* Re: [gentoo-user] Re: Is it possible to move from hardened profile?
2012-01-15 13:36 ` Tanstaafl
2012-01-15 15:04 ` czernitko
@ 2012-01-15 15:30 ` Michael Orlitzky
2012-01-15 17:19 ` Pandu Poluan
1 sibling, 1 reply; 7+ messages in thread
From: Michael Orlitzky @ 2012-01-15 15:30 UTC
To: gentoo-user
On 01/15/2012 08:36 AM, Tanstaafl wrote:
>
>> Virtualization is iffy if you're not careful which options you enable in
>> the kernel.
>
> I've been meaning to ask a similar (but reverse) question - which I'll do
> in a separate thread later, but...
>
> Your reference to 'virtualization is iffy' above... do you mean if you
> are going to run VMs on a hardened HOST? Or run a hardened machine as a
> VM? I had a problem trying to switch my Linode VM to the hardened
> profile, and ended up giving up on it...
>
I was talking about a hardened host. Fortunately, newer kernels will
have a preset "virtualization" profile that you can select to set only
the safe options. See this thread for the announcement:
http://archives.gentoo.org/gentoo-hardened/msg_4bfe02921ffff3c94d7ee59cdf8f3f38.xml
I personally have never run a hardened guest, but in that post he
alludes to the fact there may also be issues there, "...but in some
cases applies even for the guest."
In either case, you would want to stick to the stable kernels, since new
problems do crop up occasionally as new features are introduced.
* Re: [gentoo-user] Re: Is it possible to move from hardened profile?
2012-01-15 15:30 ` Michael Orlitzky
@ 2012-01-15 17:19 ` Pandu Poluan
0 siblings, 0 replies; 7+ messages in thread
From: Pandu Poluan @ 2012-01-15 17:19 UTC
To: gentoo-user
On Jan 15, 2012 10:33 PM, "Michael Orlitzky" <michael@orlitzky.com> wrote:
>
> On 01/15/2012 08:36 AM, Tanstaafl wrote:
>>
>>
>>> Virtualization is iffy if you're not careful which options you enable in
>>> the kernel.
>>
>>
>> I've been meaning to ask a similar (but reverse) question - which I'll do
>> in a separate thread later, but...
>>
>> Your reference to 'virtualization is iffy' above... do you mean if you
>> are going to run VMs on a hardened HOST? Or run a hardened machine as a
>> VM? I had a problem trying to switch my Linode VM to the hardened
>> profile, and ended up giving up on it...
>>
>
> I was talking about a hardened host. Fortunately, newer kernels will have
> a preset "virtualization" profile that you can select to set only the safe
> options. See this thread for the announcement:
>
> http://archives.gentoo.org/gentoo-hardened/msg_4bfe02921ffff3c94d7ee59cdf8f3f38.xml
>
> I personally have never run a hardened guest, but in that post he alludes
> to the fact there may also be issues there, "...but in some
> cases applies even for the guest."
>
> In either case, you would want to stick to the stable kernels, since new
> problems do crop up occasionally as new features are introduced.
>
I have been running hardened unstable kernels as guests on top of VMware
vSphere and XenServer without any problems.
Except for that one time where something went horribly wrong, rendering
*everything* unusable. But that kernel was withdrawn and replaced with a
new revision within 24 hours.
Of course, YMMV.
Rgds,