[gentoo-user] hardened vs desktop

[gentoo-user] hardened vs desktop

[ralfconn]

Hello,

I've been running the desktop profile for years. Now I'm thinking to 
switch to the hardened. Since there is no 'hardened desktop' profile, 
the hint I found online is to note the current desktop USEs, switch to 
hardened and add the USEs not found there, but I wonder if it is really 
the best option. Comparing the two profiles, hardened seems a sub-set of 
desktop with the addition of:

cet
hardened
pie
ssp
xtpax

It seems to me easier to add these to the desktop rather the other way 
round. Any gotcha's I am missing?

thanks

raffaele

Re: [gentoo-user] hardened vs desktop

[Michael Orlitzky]

On Mon, 2023-11-13 at 11:19 +0100, ralfconn wrote:
> 
> It seems to me easier to add these to the desktop rather the other way 
> round. Any gotcha's I am missing?
> 

There are a few other things in profiles/features/hardened that you
should copy -- particularly the gcc USE flags -- but basically, you're
right. These days the hardened profiles don't add much. The main thing
they "add" is the lack of unnecessary features enabled by default in a
desktop profile.

It's a tedious process, but turning on the features you need one at a
time in package.use will eventually result in a smaller attack surface
than enabling them all at once in the desktop profile's make.defaults.
Of course you could do that the other way around, too, starting from a
desktop profile and disabling them one at a time.

Re: [gentoo-user] hardened vs desktop

[Peter Böhm]

Am Montag, 13. November 2023, 11:19:26 CET schrieb ralfconn:
> Hello,
>
> I've been running the desktop profile for years. Now I'm thinking to
> switch to the hardened. Since there is no 'hardened desktop' profile,
> the hint I found online is to note the current desktop USEs, switch to
> hardened and add the USEs not found there, but I wonder if it is really
> the best option. Comparing the two profiles, hardened seems a sub-set of
> desktop with the addition of:
>
> cet
> hardened
> pie
> ssp
> xtpax
>
> It seems to me easier to add these to the desktop rather the other way
> round. Any gotcha's I am missing?

Yes, you are missing that the best solution is: Make a new profile which
contains both profiles. See more here:

https://forums.gentoo.org/viewtopic-p-8694188.html#8694188

(And you have to start with a hardened stage3)

Many greetings,
Peter

P.S.: Maybe read also the first note from this article:

https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/
Kernel_Hardening_with_KSPP

Re: [gentoo-user] hardened vs desktop

[ralfconn]

Il 13/11/23 14:22, Peter Böhm ha scritto:
> Am Montag, 13. November 2023, 11:19:26 CET schrieb ralfconn:
>> Hello,
>>
>> I've been running the desktop profile for years. Now I'm thinking to
>> switch to the hardened. Since there is no 'hardened desktop' profile,
>> the hint I found online is to note the current desktop USEs, switch to
>> hardened and add the USEs not found there, but I wonder if it is really
>> the best option. Comparing the two profiles, hardened seems a sub-set of
>> desktop with the addition of:
>>
>> cet
>> hardened
>> pie
>> ssp
>> xtpax
>>
>> It seems to me easier to add these to the desktop rather the other way
>> round. Any gotcha's I am missing?
> Yes, you are missing that the best solution is: Make a new profile which
> contains both profiles. See more here:
>
> https://forums.gentoo.org/viewtopic-p-8694188.html#8694188
>
> (And you have to start with a hardened stage3)
Looks like a good alternative, thanks. Following the post I created the 
local profile 'hardened-desktop' and confirmed the USEs are the 
combination of the two profiles. I suppose the added benefit of this new 
profile is that it will inherit the changes eventually done to the 
parent profiles by the gentoo developers, correct?
> P.S.: Maybe read also the first note from this article:
>
> https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP

Thanks, this requires a bit more of study on my side which I'll 
certainly do as a second step. BTW, hardened-sources is no longer 
available so KSPP might be the only option.

raffaele

Re: [gentoo-user] hardened vs desktop

[Peter Böhm]

Am Montag, 13. November 2023, 17:43:01 CET schrieb ralfconn:

> [...]  I suppose the added benefit of this new
> profile is that it will inherit the changes eventually done to the
> parent profiles by the gentoo developers, correct?

YES ! You surely know that some use-flags can also be set for individual
packages (and not globally; e.g. for some time this was true for use-flag
"wayland").

You will get all these now automatically with your combined profile.

Peter