[gentoo-user] hardened vs desktop
From: ralfconn
Date: 2023-11-13 10:19 UTC
To: gentoo-user@lists.gentoo.org

Hello,

I've been running the desktop profile for years. Now I'm thinking of switching to the hardened one. Since there is no 'hardened desktop' profile, the hint I found online is to note the current desktop USEs, switch to hardened and add the USEs not found there, but I wonder if it is really the best option. Comparing the two profiles, hardened seems a subset of desktop with the addition of:

cet
hardened
pie
ssp
xtpax

It seems to me easier to add these to the desktop rather than the other way round. Any gotchas I am missing?

thanks

raffaele
Re: [gentoo-user] hardened vs desktop
From: Michael Orlitzky
Date: 2023-11-13 12:12 UTC
To: gentoo-user

On Mon, 2023-11-13 at 11:19 +0100, ralfconn wrote:
>
> It seems to me easier to add these to the desktop rather the other way
> round. Any gotcha's I am missing?
>

There are a few other things in profiles/features/hardened that you should copy -- particularly the gcc USE flags -- but basically, you're right.

These days the hardened profiles don't add much. The main thing they "add" is the lack of unnecessary features enabled by default in a desktop profile. It's a tedious process, but turning on the features you need one at a time in package.use will eventually result in a smaller attack surface than enabling them all at once in the desktop profile's make.defaults.

Of course you could do that the other way around, too, starting from a desktop profile and disabling them one at a time.
Re: [gentoo-user] hardened vs desktop
From: Peter Böhm
Date: 2023-11-13 13:22 UTC
To: gentoo-user, ralfconn

On Monday, 13 November 2023, 11:19:26 CET, ralfconn wrote:
> Hello,
>
> I've been running the desktop profile for years. Now I'm thinking to
> switch to the hardened. Since there is no 'hardened desktop' profile,
> the hint I found online is to note the current desktop USEs, switch to
> hardened and add the USEs not found there, but I wonder if it is really
> the best option. Comparing the two profiles, hardened seems a sub-set of
> desktop with the addition of:
>
> cet
> hardened
> pie
> ssp
> xtpax
>
> It seems to me easier to add these to the desktop rather the other way
> round. Any gotcha's I am missing?

Yes, you are missing that the best solution is: make a new profile which contains both profiles. See more here:

https://forums.gentoo.org/viewtopic-p-8694188.html#8694188

(And you have to start with a hardened stage3)

Many greetings,
Peter

P.S.: Maybe read also the first note from this article:

https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP
Re: [gentoo-user] hardened vs desktop
From: ralfconn
Date: 2023-11-13 16:43 UTC
To: Peter Böhm, gentoo-user

On 13/11/23 14:22, Peter Böhm wrote:
> Am Montag, 13. November 2023, 11:19:26 CET schrieb ralfconn:
>> Hello,
>>
>> I've been running the desktop profile for years. Now I'm thinking to
>> switch to the hardened. Since there is no 'hardened desktop' profile,
>> the hint I found online is to note the current desktop USEs, switch to
>> hardened and add the USEs not found there, but I wonder if it is really
>> the best option. Comparing the two profiles, hardened seems a sub-set of
>> desktop with the addition of:
>>
>> cet
>> hardened
>> pie
>> ssp
>> xtpax
>>
>> It seems to me easier to add these to the desktop rather the other way
>> round. Any gotcha's I am missing?
> Yes, you are missing that the best solution is: Make a new profile which
> contains both profiles. See more here:
>
> https://forums.gentoo.org/viewtopic-p-8694188.html#8694188
>
> (And you have to start with a hardened stage3)

Looks like a good alternative, thanks. Following the post I created the local profile 'hardened-desktop' and confirmed the USEs are the combination of the two profiles. I suppose the added benefit of this new profile is that it will inherit the changes eventually done to the parent profiles by the gentoo developers, correct?

> P.S.: Maybe read also the first note from this article:
>
> https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP

Thanks, this requires a bit more study on my side, which I'll certainly do as a second step. BTW, hardened-sources is no longer available, so KSPP might be the only option.

raffaele
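The procedure discussed above, as an added worked example (my code, written for this thread; it is not Portage code and not the script from the forum post Peter links): it scaffolds a local ebuild repository whose only content is a combined profile with a `parent` file naming the desktop and hardened profiles, then resolves each profile's cumulative USE set by walking `parent` files and stacking `make.defaults` the way Portage stacks incremental variables (`-flag` removes, `-*` clears, parents before child, in `parent` order). That is the comparison Michael's compare-and-copy approach needs, and the check raffaele did to confirm the new profile's USE is the union of the two. The profile paths `default/linux/amd64/17.1/{desktop,hardened}`, the repository name `local` and every USE list in the sample tree are constructed for this run, not the contents of ::gentoo. The model is deliberately narrow: it reads only `USE` from `make.defaults` and ignores `package.use`, `use.mask`, `eapi` checks and the other variables (such as the gcc-related ones in `profiles/features/hardened`) that a real switch also has to account for.

```python
"""Walk Gentoo `parent` files to resolve a profile's cumulative USE set, and
scaffold a local repository carrying a combined profile. Added example for this
thread, not Portage code; the sample trees below are constructed."""
import re
import tempfile
from pathlib import Path

# shell-style VAR=value assignment; a quoted value may span several lines
_ASSIGN = re.compile(
    r'''^\s*([A-Za-z_][A-Za-z0-9_]*)=("(?:[^"\\]|\\.)*"|'[^']*'|\S*)''', re.M)


def parse_make_defaults(path: Path) -> dict:
    """VAR -> value from a make.defaults file; '#' comment lines are dropped."""
    if not path.is_file():
        return {}
    text = "\n".join(ln for ln in path.read_text().splitlines()
                     if not ln.lstrip().startswith("#"))
    return {k: (v[1:-1] if v[:1] in ('"', "'") else v)
            for k, v in _ASSIGN.findall(text)}

def stack_use(accum: set, value: str) -> set:
    """Stack one incremental USE string: '-*' clears, '-flag' removes,
    '${USE}' only refers to what is already stacked, anything else adds."""
    for tok in value.split():
        if tok == "-*":
            accum.clear()
        elif tok.startswith("-"):
            accum.discard(tok[1:])
        elif not tok.startswith("$"):
            accum.add(tok)
    return accum

def profile_chain(profile: Path, repos: dict) -> list:
    """Stacking order: each parent (recursively, in `parent` file order), then
    the profile itself. 'repo:path' resolves via repos; else relative path."""
    chain = []
    parent_file = profile / "parent"
    lines = parent_file.read_text().splitlines() if parent_file.is_file() else []
    for line in (ln.strip() for ln in lines):
        if not line or line.startswith("#"):
            continue
        if ":" in line:
            repo, rel = line.split(":", 1)
            target = repos[repo] / "profiles" / rel
        else:
            target = (profile / line).resolve()
        chain.extend(profile_chain(target, repos))
    chain.append(profile)
    return chain

def resolve_use(profile: Path, repos: dict) -> set:
    """Cumulative USE after stacking make.defaults along the whole chain."""
    use = set()
    for node in profile_chain(profile, repos):
        stack_use(use, parse_make_defaults(node / "make.defaults").get("USE", ""))
    return use

def write_local_repo(root: Path, profile: str, parents: list) -> Path:
    """Minimal local ebuild repository holding one profile: metadata/layout.conf,
    profiles/repo_name, and the profile's `parent` and `eapi` files."""
    prof = root / "profiles" / profile
    prof.mkdir(parents=True, exist_ok=True)
    (root / "metadata").mkdir(exist_ok=True)
    (root / "metadata" / "layout.conf").write_text("masters = gentoo\n")
    (root / "profiles" / "repo_name").write_text(root.name + "\n")
    (prof / "parent").write_text("".join(p + "\n" for p in parents))
    (prof / "eapi").write_text("5\n")
    return prof

def build_sample_gentoo(tmp: Path) -> Path:
    """Constructed miniature of ::gentoo (flag lists are illustrative, not the
    real profiles'): base, desktop, hardened, and the features/hardened mixin."""
    g = tmp / "gentoo" / "profiles"
    files = {
        "base/make.defaults": 'USE="acl ipv6 pam seccomp"\n',
        "features/hardened/make.defaults":
            '# mixin pulled in by hardened profiles\nUSE="cet hardened pie ssp xtpax"\n',
        "default/linux/amd64/17.1/desktop/parent": "../../../../../base\n",
        "default/linux/amd64/17.1/desktop/make.defaults":
            'USE="${USE} X dbus gtk\n     pulseaudio udev"\n',
        "default/linux/amd64/17.1/hardened/parent":
            "../../../../../base\n../../../../../features/hardened\n",
    }
    for rel, body in files.items():
        (g / rel).parent.mkdir(parents=True, exist_ok=True)
        (g / rel).write_text(body)
    return tmp / "gentoo"

def demo() -> dict:
    """Compare desktop, hardened and the combined local profile."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        repos = {"gentoo": build_sample_gentoo(tmp), "local": tmp / "local"}
        combined = write_local_repo(repos["local"], "hardened-desktop", [
            "gentoo:default/linux/amd64/17.1/desktop",
            "gentoo:default/linux/amd64/17.1/hardened"])
        arch = repos["gentoo"] / "profiles" / "default/linux/amd64/17.1"
        desktop = resolve_use(arch / "desktop", repos)
        hardened = resolve_use(arch / "hardened", repos)
        both = resolve_use(combined, repos)
        return {"hardened_only": sorted(hardened - desktop),  # flags to copy over
                "desktop_only": sorted(desktop - hardened),
                "combined_is_union": both == desktop | hardened}

if __name__ == "__main__":
    print(demo())
```

On a live system the same check is `portageq envvar USE` before and after `eselect profile set` to the new profile (which `eselect profile list` should show once the local repository is registered in repos.conf). Note that the chain walk keeps a profile reached through two parents twice, so with `-flag` removals in play the result is order dependent rather than a plain union; the constructed sample has no removals, which is why `combined_is_union` holds here.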
Re: [gentoo-user] hardened vs desktop
From: Peter Böhm
Date: 2023-11-13 19:03 UTC
To: gentoo-user, ralfconn

On Monday, 13 November 2023, 17:43:01 CET, ralfconn wrote:
> [...] I suppose the added benefit of this new
> profile is that it will inherit the changes eventually done to the
> parent profiles by the gentoo developers, correct?

YES! You surely know that some use-flags can also be set for individual packages (and not globally; e.g. for some time this was true for use-flag "wayland"). You will get all these now automatically with your combined profile.

Peter