Discussion:
[gentoo-user] hardened vs desktop
ralfconn
2023-11-13 10:20:02 UTC
Hello,

I've been running the desktop profile for years. Now I'm thinking to
switch to the hardened. Since there is no 'hardened desktop' profile,
the hint I found online is to note the current desktop USEs, switch to
hardened and add the USEs not found there, but I wonder if it is really
the best option. Comparing the two profiles, hardened seems a sub-set of
desktop with the addition of:

cet
hardened
pie
ssp
xtpax

It seems to me easier to add these to the desktop rather than the other way
round. Any gotchas I am missing?

thanks

raffaele
Michael Orlitzky
2023-11-13 12:20:01 UTC
Post by ralfconn
It seems to me easier to add these to the desktop rather than the other way
round. Any gotchas I am missing?
There are a few other things in profiles/features/hardened that you
should copy -- particularly the gcc USE flags -- but basically, you're
right. These days the hardened profiles don't add much. The main thing
they "add" is the lack of unnecessary features enabled by default in a
desktop profile.

It's a tedious process, but turning on the features you need one at a
time in package.use will eventually result in a smaller attack surface
than enabling them all at once in the desktop profile's make.defaults.
Of course you could do that the other way around, too, starting from a
desktop profile and disabling them one at a time.
Peter Böhm
2023-11-13 13:30:02 UTC
Post by ralfconn
Hello,
I've been running the desktop profile for years. Now I'm thinking to
switch to the hardened. Since there is no 'hardened desktop' profile,
the hint I found online is to note the current desktop USEs, switch to
hardened and add the USEs not found there, but I wonder if it is really
the best option. Comparing the two profiles, hardened seems a sub-set of
cet
hardened
pie
ssp
xtpax
It seems to me easier to add these to the desktop rather than the other way
round. Any gotchas I am missing?
Yes, you are missing that the best solution is: Make a new profile which
contains both profiles. See more here:

https://forums.gentoo.org/viewtopic-p-8694188.html#8694188

(And you have to start with a hardened stage3)

Many greetings,
Peter

P.S.: Maybe read also the first note from this article:

https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP
ralfconn
2023-11-13 16:50:01 UTC
Post by Peter Böhm
Post by ralfconn
Hello,
I've been running the desktop profile for years. Now I'm thinking to
switch to the hardened. Since there is no 'hardened desktop' profile,
the hint I found online is to note the current desktop USEs, switch to
hardened and add the USEs not found there, but I wonder if it is really
the best option. Comparing the two profiles, hardened seems a sub-set of
cet
hardened
pie
ssp
xtpax
It seems to me easier to add these to the desktop rather than the other way
round. Any gotchas I am missing?
Yes, you are missing that the best solution is: Make a new profile which
https://forums.gentoo.org/viewtopic-p-8694188.html#8694188
(And you have to start with a hardened stage3)
Looks like a good alternative, thanks. Following the post I created the
local profile 'hardened-desktop' and confirmed the USEs are the
combination of the two profiles. I suppose the added benefit of this new
profile is that it will inherit the changes eventually done to the
parent profiles by the gentoo developers, correct?
Post by Peter Böhm
https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP
Thanks, this requires a bit more of study on my side which I'll
certainly do as a second step. BTW, hardened-sources is no longer
available so KSPP might be the only option.

raffaele
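The combined profile Peter describes, plus the check raffaele mentions (confirming that the resulting USE set is the union of the two parents), as an added example that is not code from this thread or from Gentoo's own tooling. The repository name localrepo, the base profile default/linux/amd64/17.1, the profile eapi value and the GENTOO_REPO / LOCAL_REPO variables are assumptions; on a real system the repository paths come from `portageq get_repo_path / gentoo`. The first function writes the local profile (parent file, layout.conf, profiles.desc); the other two resolve the parent chain the way Portage stacks profiles (depth-first, parents in the order listed) and fold each make.defaults USE= into one effective set.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Gentoo's tooling.
# Assumptions (hypothetical): repo locations come from GENTOO_REPO and
# LOCAL_REPO (real box: portageq get_repo_path / gentoo); the local repo
# is named "localrepo"; the base profile is default/linux/amd64/17.1.
set -e

repo_dir() {
    case $1 in
        gentoo)    echo "${GENTOO_REPO:-/var/db/repos/gentoo}" ;;
        localrepo) echo "${LOCAL_REPO:-/var/db/repos/localrepo}" ;;
        *) echo "unknown repository: $1" >&2; return 1 ;;
    esac
}

# $1 = local repo dir, $2 = base profile path, $3 = new profile name.
# Prints the directory of the new profile.
make_hardened_desktop_profile() {
    local repo=$1 base=${2:-default/linux/amd64/17.1} name=${3:-hardened-desktop}
    mkdir -p "$repo/profiles/$name" "$repo/metadata"
    [ -f "$repo/profiles/repo_name" ] || echo localrepo > "$repo/profiles/repo_name"
    # "repo:path" lines in a parent file need profile-formats = portage-2.
    # An existing layout.conf is left alone: add the line to it by hand.
    [ -f "$repo/metadata/layout.conf" ] ||
        printf 'masters = gentoo\nprofile-formats = portage-2\n' > "$repo/metadata/layout.conf"
    # Order matters: a later parent's make.defaults wins over an earlier one.
    printf 'gentoo:%s/hardened\ngentoo:%s/desktop\n' "$base" "$base" \
        > "$repo/profiles/$name/parent"
    echo 5 > "$repo/profiles/$name/eapi"   # profile EAPI; assumed value
    # profiles.desc is what makes "eselect profile list" show the profile.
    grep -qs "^amd64 $name " "$repo/profiles/profiles.desc" ||
        echo "amd64 $name stable" >> "$repo/profiles/profiles.desc"
    echo "$repo/profiles/$name"
}

# Print the profile directories Portage stacks for $1, one per line:
# each parent's own chain first (parents in listed order), then $1.
profile_chain() {
    local dir=$1 line target
    if [ -f "$dir/parent" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*) continue ;;
                *:*)     target=$(repo_dir "${line%%:*}")/profiles/${line#*:} ;;
                /*)      target=$line ;;
                *)       target=$dir/$line ;;
            esac
            profile_chain "$(cd "$target" && pwd -P)"
        done < "$dir/parent"
    fi
    echo "$dir"
}

# Fold USE= from every make.defaults in the chain into one set, honouring
# "-flag" removals; printed sorted, one flag per line. Sanity check only:
# the real USE also comes from use.mask/use.force, package.use and
# make.conf, so confirm with "emerge --info | grep ^USE=" afterwards.
effective_use() {
    local d f flags result=
    for d in $(profile_chain "$1"); do
        [ -f "$d/make.defaults" ] || continue
        flags=$( . "$d/make.defaults"; printf '%s' "${USE-}" )
        for f in $flags; do
            case $f in
                -*) result=$(printf '%s\n' $result | grep -vx -- "${f#-}" || true) ;;
                *)  result="$result $f" ;;
            esac
        done
    done
    printf '%s\n' $result | LC_ALL=C sort -u
}

# Usage on a real system (not run here):
#   prof=$(make_hardened_desktop_profile /var/db/repos/localrepo)
#   profile_chain "$prof"; effective_use "$prof"
#   eselect profile list    # the new entry appears as localrepo:hardened-desktop
```

Because the chain walker visits a shared ancestor once per parent that inherits it, a `-flag` in the base profile is re-applied after the first parent's make.defaults; that is the same stacking order Portage uses, and it is the reason the parent order in the file matters.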
Peter Böhm
2023-11-13 19:10:02 UTC
[...] I suppose the added benefit of this new
profile is that it will inherit the changes eventually done to the
parent profiles by the gentoo developers, correct?
YES! You surely know that some use-flags can also be set for individual
packages (and not globally; e.g. for some time this was true for use-flag
"wayland").

You will get all these now automatically with your combined profile.

Peter
