[gentoo-user] Switching to a hardened profile and back again

Post by Grant
A dev is asking me to switch to a hardened profile in order to test a
fix. I'm happy to go through the process, but is there a chance my
laptop could be unusable after the switch? If that happens I'll be in
real trouble. Will I be able to switch back to a non-hardened profile
http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
BTW, are emerge -e world and emerge -e system both necessary? I
thought emerge -e world would rebuild everything.

Switching to hardened is safe. The switch back should be, too, although
I haven't personally tried it. (Why would you switch back?)

You emerge system first, and then world so that your world is built by a
hardened toolchain. When you compile gcc/glibc with USE=hardened, it
gives them super powers.

Grant

2011-03-15 19:30:02 UTC

Switching to hardened is safe. The switch back should be, too, although
I haven't personally tried it. (Why would you switch back?)

I originally had my laptop on a hardened profile (I think it was a
couple laptops back) but there were so many problems I eventually gave
up. I remember doing a lot of system reinstalling as I switched
profiles around. I don't have time to reinstall my system right now
so I'm trying to be sure I can switch to hardened (and from hardened
if necessary) without reinstalling.

Post by Michael Orlitzky
You emerge system first, and then world so that your world is built by a
hardened toolchain. When you compile gcc/glibc with USE=hardened, it
gives them super powers.

Would 'emerge gcc glibc && emerge -e world' have the same affect?

- Grant

Michael Orlitzky

2011-03-15 19:40:02 UTC

Switching to hardened is safe. The switch back should be, too, although
I haven't personally tried it. (Why would you switch back?)

If you don't run a hardened kernel, "sudo gcc-config 5" (assuming 5 is
the vanilla gcc on your machine...) will switch you back to the vanilla
gcc. No need to switch profiles or recompile anything.

Post by Michael Orlitzky
You emerge system first, and then world so that your world is built by a
hardened toolchain. When you compile gcc/glibc with USE=hardened, it
gives them super powers.

Would 'emerge gcc glibc && emerge -e world' have the same affect?

There are a couple of other packages you're supposed to re-emerge along
with gcc and glibc. Binutils was one, but I don't remember the whole
list. Just suck it up and spend the extra hour to re-emerge system; that
way, you're sure you haven't missed anything.

Grant

2011-03-15 20:40:01 UTC

Switching to hardened is safe. The switch back should be, too, although
I haven't personally tried it. (Why would you switch back?)

If you don't run a hardened kernel, "sudo gcc-config 5" (assuming 5 is
the vanilla gcc on your machine...) will switch you back to the vanilla
gcc. No need to switch profiles or recompile anything.

I do run a hardened kernel, but you're saying if I switch to gcc-5 I
should be able to test for a crash that was previously exhibited under
a hardened profile?

Post by Michael Orlitzky
You emerge system first, and then world so that your world is built by a
hardened toolchain. When you compile gcc/glibc with USE=hardened, it
gives them super powers.

Would 'emerge gcc glibc && emerge -e world' have the same affect?

OK I'll emerge system first if it comes to that.

- Grant

Michael Orlitzky

2011-03-15 21:10:02 UTC

Switching to hardened is safe. The switch back should be, too, although
I haven't personally tried it. (Why would you switch back?)

If you don't run a hardened kernel, "sudo gcc-config 5" (assuming 5 is
the vanilla gcc on your machine...) will switch you back to the vanilla
gcc. No need to switch profiles or recompile anything.

I do run a hardened kernel, but you're saying if I switch to gcc-5 I
should be able to test for a crash that was previously exhibited under
a hardened profile?

I think (completely unscientifically) that most of the day-to-day
problems are caused by the hardening features in the kernel rather than
by GCC's hardening features.

When you compile a hardened GCC, you also get the vanilla, unhardened
GCC installed. So if you see e.g. a compile failure using hardened GCC,
you can just switch to the vanilla GCC to see if that fixes it. On my
machine,

$ sudo gcc-config -l
[1] x86_64-pc-linux-gnu-4.4.5 *
[2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
[3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
[4] x86_64-pc-linux-gnu-4.4.5-hardenednossp
[5] x86_64-pc-linux-gnu-4.4.5-vanilla

it's the fifth option.

Summary: if you have problems on hardened, you can always switch to
vanilla GCC and reboot to a non-hardened kernel. You don't have to
recompile anything or switch profiles again.

Alan McKinnon

2011-03-15 19:50:02 UTC

emerge -e world does remerge everything, but not in the order you'd
expect. try it with -p, you'll see that glibc and gcc are near the end.

You want them at the beginning, so that the hardened system is built by
a compiler and libc that is hardened as well as the rest of the toolchain.

Now whereas a compiler can in theory be told to generate any kind of
code for anything, including hard code when it itself is not hard, can
you really be sure it actually will do that? Plus the rest of the
toolchain too.

The only certain way is to build a hardened toolchain then rebuild the
entire system with it.

emerge -e system ; emerge -e world is not the fastest route of minimal
compilation effort, but it sure is the easiest for the human in charge:
one line in bash, press enter, walk away.

--
alan dot mckinnon at gmail dot com

Dale

2011-03-16 02:10:02 UTC

Post by Alan McKinnon
emerge -e world does remerge everything, but not in the order you'd
expect. try it with -p, you'll see that glibc and gcc are near the end.
You want them at the beginning, so that the hardened system is built by
a compiler and libc that is hardened as well as the rest of the toolchain.
Now whereas a compiler can in theory be told to generate any kind of
code for anything, including hard code when it itself is not hard, can
you really be sure it actually will do that? Plus the rest of the
toolchain too.
The only certain way is to build a hardened toolchain then rebuild the
entire system with it.
emerge -e system ; emerge -e world is not the fastest route of minimal
one line in bash, press enter, walk away.

This may be a good time to use the script off the forums. I used it a
few weeks or so ago and it worked great. It certainly does things in a
different order than portage.

Dale

:-) :-)

Mike Edenfield

2011-03-16 20:00:02 UTC

First off, is there a reason you want to switch back to non-hardened? I
run hardened on all my machines by default; almost every package in
portage is now hardened-aware and builds/runs correctly. For those few
that don't, there's paxctl and/or softmode (looking at you, openoffice)

I've gone both ways with no real issues; though admittedly not on the
same machine :)

I'm assuming you're including a switch to a hardened kernel as part of
this. That's the biggest possible source of problems: if you have a
PAX-enabled kernel then all of your binaries need to be built by the
hardened tool chain, or there is a decent chance they'll fail.

Definitely follow the FAQ for the details, but the basic process should be:

* switch profiles -> hardened
* emerge gcc glibc binutils
* emerge @system
* emerge @world
* build then boot hardened kernel

* <test test test test test>

* boot non-hardened kernel
* switch profiles -> non-hardened
* emerge gcc glibc binutils
* emerge @system
* emerge @world

Note that the emerge @world emerges are definitely overkill time-wise
but much, much safer and simpler unless you are very aware of what
you're doing, what the packages are doing, how hardened's features
interact, etc.

Also, when building your PAX kernel,

MAKE SURE YOU INCLUDE SOFTMODE SUPPORT

That way, if something misbehaves and you can't fix it you can enable
soft mode and PAX will stop killing things on you.

Post by Grant
BTW, are emerge -e world and emerge -e system both necessary? I
thought emerge -e world would rebuild everything.

IIRC, @system is not in @world unless you put it there yourself. (This
might depend on your portage version, though).

--Mike

Peter Humphrey

2011-03-17 01:10:02 UTC

Post by Mike Edenfield
might depend on your portage version, though).

I'm sure I once saw a comment in a portage version that @system was being
included in @world to preserve earlier behaviour.

--
Rgds
Peter

Neil Bothwick

2011-03-17 09:10:02 UTC

Post by Mike Edenfield
might depend on your portage version, though).

From man emerge:

"world encompasses both the selected and system sets"

--
Neil Bothwick

What is a "free" gift ? Aren't all gifts free?

yokee

2011-03-17 09:50:02 UTC

-----邮件原件-----
发件人: Neil Bothwick [mailto:***@digimed.co.uk]
发送时间: 2011-03-17 17:01
收件人: gentoo-***@lists.gentoo.org
主题: Re: [gentoo-user] Switching to a hardened profile and back again

(This might depend on your portage version, though).

From man emerge:

"world encompasses both the selected and system sets"

--
Neil Bothwick

What is a "free" gift ? Aren't all gifts free?

Alex Schuster

2011-03-17 13:50:02 UTC

Post by Neil Bothwick

(This might depend on your portage version, though).

"world encompasses both the selected and system sets"

BTW, this can be toggled by putting or not putting 'system' into
/var/lib/portage/world_sets.

Wonko

Neil Bothwick

2011-03-17 14:30:02 UTC

Post by Alex Schuster

Post by Neil Bothwick
"world encompasses both the selected and system sets"

BTW, this can be toggled by putting or not putting 'system' into
/var/lib/portage/world_sets.

That was the case for a while with portage-2.2, but it appears that
@system is now automatically part of @world. That's how I read the man
page that says that @world encompasses @system, without any setting by the
user. A new install no longer includes @system in world_sets.

--
Neil Bothwick

Philosophical error: Demonstrate the existence of a key to continue

Dale

2011-03-17 14:40:02 UTC

Post by Neil Bothwick

Post by Alex Schuster

Post by Neil Bothwick
"world encompasses both the selected and system sets"

BTW, this can be toggled by putting or not putting 'system' into
/var/lib/portage/world_sets.

That was the case for a while with portage-2.2, but it appears that
@system is now automatically part of @world. That's how I read the man

That appears to be true here. I have portage 2.2 installed and system
is no longer in that file. It used to be but not anymore.

I wonder how a person would override that if they needed to tho? Not
sure why a person would but anyway.

Dale

:-) :-)

Neil Bothwick

2011-03-17 14:50:02 UTC

Post by Dale
That appears to be true here. I have portage 2.2 installed and system
is no longer in that file. It used to be but not anymore.
I wonder how a person would override that if they needed to tho? Not
sure why a person would but anyway.

cp /var/lib/portage/world /etc/portage/sets/my_world
emerge @my_world

--
Neil Bothwick

"I teleported home one night
With Ron and Sid and Meg.
Ron stole Meggie's heart away
And I got Sidney's leg."

Francesco Talamona

2011-03-17 16:30:02 UTC

Post by Neil Bothwick
cp /var/lib/portage/world /etc/portage/sets/my_world

Neil, this is simply wonderful :)
Thanks
FT

--
Linux Version 2.6.38-gentoo, Compiled #1 SMP PREEMPT Wed Mar 16 20:03:24
CET 2011
Two 1GHz AMD Athlon 64 Processors, 4GB RAM, 4019.38 Bogomips Total
aemaeth

klondike

2011-03-17 17:50:02 UTC