Old 05-05-2011, 04:00 PM
Jeremy Olexa
 
Default hardened flavor of the developer profile

On Thu, 05 May 2011 17:23:51 +0200, Paweł Hajdan, Jr. wrote:
> Currently I'm using the default/linux/x86/10.0/developer profile, but
> I'd like to switch to hardened on my developer system to catch more
> issues.
>
> However, eselect profile list only displays one hardened profile for me:
>
> $ eselect profile list
> Available profile symlink targets:
> <snip>
>
> I'm using eselect-1.2.11.
>
> When listing the profiles directory in CVS, the hardened profile seems
> to have developer and other sub-profiles:
>
> ph@localhost ~/gentoo-x86/profiles $ ls -l hardened/linux/x86/
> total 48
> <snip>
>
> Any ideas how to get a hardened+developer profile?


Those profiles that you are seeking are *not* listed in
PORTDIR/profiles/profiles.desc, which is why they don't show up in
eselect output. This means that repoman does not check those profiles at
all. I am curious as to how much value they actually have. With that
being said, eselect is NOT the only way to set your profile; you can
just as easily create a symlink.

-Jeremy
 
Old 05-05-2011, 08:45 PM
"Anthony G. Basile"
 
Default hardened flavor of the developer profile

On 05/05/2011 12:00 PM, Jeremy Olexa wrote:
> On Thu, 05 May 2011 17:23:51 +0200, Paweł Hajdan, Jr. wrote:
>> Currently I'm using the default/linux/x86/10.0/developer profile, but
>> I'd like to switch to hardened on my developer system to catch more
>> issues.
>>
>> However, eselect profile list only displays one hardened profile for me:
>>
>> $ eselect profile list
>> Available profile symlink targets:
>> <snip>
>>
>> I'm using eselect-1.2.11.
>>
>> When listing the profiles directory in CVS, the hardened profile seems
>> to have developer and other sub-profiles:
>>
>> ph@localhost ~/gentoo-x86/profiles $ ls -l hardened/linux/x86/
>> total 48
>> <snip>
>>
>> Any ideas how to get a hardened+developer profile?
>
> Those profiles that you are seeking are *not* listed in
> PORTDIR/profiles/profiles.desc, which is why they don't show up in
> eselect output. This means that repoman does not check those profiles
> at all. I am curious as to how much value they actually have. With
> that being said, eselect is NOT the only way to set your profile; you
> can just as easily create a symlink.
> -Jeremy
>

We simplified our profiles recently (last Oct-Nov 2010) and I only
listed hardened/linux/x86 in profiles.desc. You can manually set

ln -s ../usr/portage/profiles/hardened/linux/x86/developer /etc/make.profile

The only thing to be careful of is that there is a lot of cruft under
the hardened profiles, some really old deprecated material that I have
not yet cleared out. You really don't want to use one of those. Just
watch out for any warning about deprecated profiles.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
 
Old 05-06-2011, 07:29 AM
"Paweł Hajdan, Jr."
 
Default hardened flavor of the developer profile

On 5/5/11 10:45 PM, Anthony G. Basile wrote:
> We simplified our profiles recently (last Oct-Nov 2010)

You're referring to
http://archives.gentoo.org/gentoo-dev/msg_d847f6258a398052deecc9786c45c604.xml,
right?

> and I only
> listed hardened/linux/x86 in profiles.desc. You can manually set
>
> ln -s ../usr/portage/profiles/hardened/linux/x86/developer /etc/make.profile
>
> The only thing to be careful of is that there is a lot of cruft under
> the hardened profiles, some really old deprecated material that I have
> not yet cleared out. You really don't want to use one of those. Just
> watch out for any warning about deprecated profiles.

Oh, it's a stable system so I wouldn't want to go that route then.

Here's what I'm trying to do, maybe you'll have some advice on how to do
that the best way (or whether to do that at all): I'd like to move more
of the hardened features to the defaults. A good start would be to make
more developers use them, to detect hardened-related problems earlier,
and avoid confusion like "it works on my non-hardened system".

Please note that even with hardened gcc one can select the vanilla
specs, effectively disabling the hardened features. Hopefully my
understanding is correct.

A possible idea I was thinking about was to add the hardened profile as
a parent of the developer profile... how does that sound to you? Is
there some better way?
 
Old 05-06-2011, 10:52 AM
"Anthony G. Basile"
 
Default hardened flavor of the developer profile

On 05/06/2011 03:29 AM, "Paweł Hajdan, Jr." wrote:
> On 5/5/11 10:45 PM, Anthony G. Basile wrote:
>> We simplified our profiles recently (last Oct-Nov 2010)
> You're referring to
> http://archives.gentoo.org/gentoo-dev/msg_d847f6258a398052deecc9786c45c604.xml,
> right?
>

Yes, that was one of several emails on the subject.

>> and I only
>> listed hardened/linux/x86 in profiles.desc. You can manually set
>>
>> ln -s ../usr/portage/profiles/hardened/linux/x86/developer /etc/make.profile
>>
>> The only thing to be careful of is that there is a lot of cruft under
>> the hardened profiles, some really old deprecated material that I have
>> not yet cleared out. You really don't want to use one of those. Just
>> watch out for any warning about deprecated profiles.
> Oh, it's a stable system so I wouldn't want to go that route then.
>
> Here's what I'm trying to do, maybe you'll have some advice on how to do
> that the best way (or whether to do that at all): I'd like to move more
> of the hardened features to the defaults. A good start would be to make
> more developers use them, to detect hardened-related problems earlier,
> and avoid confusion like "it works on my non-hardened system".

All the help we can get is welcomed! BTW, when "it doesn't work on
hardened", it usually means some bad coding practice that shouldn't be
there in vanilla anyhow.

> Please note that even with hardened gcc one can select the vanilla
> specs, effectively disabling the hardened features. Hopefully my
> understanding is correct.

Yes, but be aware that the rest of your system is compiled with at least
the following 3 hardening features: 1) stack smashing protection, 2)
position independent exec, 3) hardening of internal glibc functions
(-D_FORTIFY_SOURCE=2). You can switch to vanilla for the binary you
are currently building, but it will still link against libs that have
the above.

Beyond the toolchain there is also kernel hardening. The two interact,
but you can have one without the other. So "it doesn't work on
hardened" may mean the kernel killed something or the toolchain did.

> A possible idea I was thinking about was to add the hardened profile as
> a parent of the developer profile... how does that sound to you? Is
> there some better way?
>

The profiles are horribly complex. I would rather put hardened lower on
the stacking order than customization at the level of "developer",
"desktop", "server" etc. Try it and see what happens. Use this little
script to see what order the profiles are being stacked in and remember
that the lower ones take priority over the higher:

#!/usr/bin/env python

import portage

# Print the stacked profile directories from base (top) to the active
# profile (bottom); lower entries override the ones above them.
for p in portage.settings.profiles:
    print(p)



--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
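An added illustration (not from this thread or from portage) of the two mechanics discussed above: how the stacking order Anthony's script prints is derived from the chain of `parent` files, and why Jeremy notes that a profile absent from profiles.desc is invisible to eselect and repoman. The profile tree, its `parent` contents and the profiles.desc rows are constructed for this example, and the resolver only handles plain relative paths in `parent` files (no `repo:` syntax).

```python
import os
import tempfile
def resolve_profile_stack(profile_dir):
    # Parents are stacked first, in the order listed in the 'parent' file,
    # and the profile itself last; later ("lower") entries take priority.
    stack = []
    parent_file = os.path.join(profile_dir, "parent")
    if os.path.isfile(parent_file):
        with open(parent_file) as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):
                    parent = os.path.normpath(os.path.join(profile_dir, line))
                    stack.extend(resolve_profile_stack(parent))
    stack.append(os.path.normpath(profile_dir))
    return stack

def listed_profiles(profiles_desc):
    # profiles.desc rows are "<arch> <path> <status>"; only these paths are
    # offered by eselect and checked by repoman.
    with open(profiles_desc) as fh:
        rows = [l.split() for l in fh if l.strip() and not l.startswith("#")]
    return {r[1]: r[2] for r in rows if len(r) == 3}
PARENTS = {  # constructed, simplified stand-in for PORTDIR/profiles
    "base": [],
    "default/linux": ["../../base"],
    "default/linux/x86": [".."],
    "default/linux/x86/10.0": [".."],
    # Paweł's idea: hardened/linux/x86 as a second parent of developer.
    "default/linux/x86/10.0/developer": ["..", "../../../../../hardened/linux/x86"],
    "hardened/linux": ["../../base"],
    "hardened/linux/x86": [".."],
    "hardened/linux/x86/developer": [".."],  # exists in CVS, not in profiles.desc
}

def build_constructed_tree(root):
    for path, lines in PARENTS.items():
        os.makedirs(os.path.join(root, path), exist_ok=True)
        with open(os.path.join(root, path, "parent"), "w") as fh:
            fh.writelines(l + "\n" for l in lines)
    with open(os.path.join(root, "profiles.desc"), "w") as fh:
        fh.write("# arch profile status\nx86 default/linux/x86/10.0/developer dev\n"
                 "x86 hardened/linux/x86 stable\n")

def stack_for(profile):
    # Stacking order of `profile` (relative to the root) and whether eselect would list it.
    root = tempfile.mkdtemp()
    build_constructed_tree(root)
    stack = resolve_profile_stack(os.path.join(root, profile))
    return [os.path.relpath(p, root) for p in stack], profile in listed_profiles(os.path.join(root, "profiles.desc"))
```

With hardened/linux/x86 added as a second parent of developer, it lands below the default chain but above developer itself, so it overrides the defaults while developer still has the last word (base is reached through both chains and therefore appears twice in the stack).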