hardened profile for desktops?


Re: hardened profile for desktops?

Matthew Thode (prometheanfire)
On 06/08/2012 11:34 AM, Javier Juan Martínez Cabezón wrote:

> On 08/06/12 17:35, Anthony G. Basile wrote:
>
>>> Only critical bug is broken VMware/VirtualBox on amd64+hardened.
>>
>> This one is a moving target.  Sometimes broken, times fixed.  kvm is
>> working very well of late.
>
> Uh! Even with kernexec, uderef, mprotect etc. etc. etc., with both
> hardened host and guests, and without the horrible slowness?
>
> If this is true maybe I would be one of the happiest folk of the world...
>
I run Hardened host/guest with only uderef disabled.

--
-- Matthew Thode (prometheanfire)





Re: hardened profile for desktops?

Matthew Thode (prometheanfire)
In reply to this post by Grant-4
On 06/08/2012 02:44 AM, Grant wrote:
> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops.  I thought
> I'd check with you guys on this.  Is that the case?
>
> - Grant
>
Running gentoo hardened on all my systems (desktop/laptop and server).

worksforme

--
-- Matthew Thode (prometheanfire)





Re: hardened profile for desktops?

Francisco Blas Izquierdo Riera (klondike)
In reply to this post by Grant-4
On 08/06/12 09:44, Grant wrote:
> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops.  I thought
> I'd check with you guys on this.  Is that the case?
I have been using Gentoo on Desktop systems for some time, mainly
because it doesn't make much sense speaking well to others of something
without being an example. The Gentoo Hardened system can be used as a
Desktop for daily use (I do use it) and by that I also mean I have used
it even on demanding tasks like live video streaming from DV cameras
(never tried playing games since I'm not that kind of person).

Of course there are some drawbacks, but the team is aware of them and we
do our best to fix these. Some of the ones that come to mind are:
* If you plan on using binary drivers you'll need to disable many
security protections on most of the programs since the libraries
bundled with them are not hardened friendly.
* Some open source graphical drivers (ATI/AMD comes to mind) require JIT
code in 3D applications (or hacking LLVM so it will always default to
the slooooow interpreter mode). This is a known issue and can be fixed
with tools like revdep-pax which allow you to check which are those
applications.
* In general JIT code is deemed to fail in hardened systems because of
mprotect restrictions; this is a known issue and tends to be fixed by
disabling JIT code generation in the affected packages or removing the
mprotect restrictions on said binaries.
* Virtualization is a world in itself; many processors with
virtualization extensions (especially older ones without hardware nested
page table support) tend to be rather slow with UDEREF and kernexec
enabled in kvm. I think this is more of an implementation issue than a
real hardware issue but I may be wrong here. As for other solutions, each
tends to be a world of its own where it is better to just try them and see
what happens since they tend to be very hardware specific.

@Grant I generally tend to monitor gentoo-user from time to time to
answer to threads involving hardened (although it is hard to read
everything so many just pass by ignored), can you please tell me the
topic of the thread so I can give it a look and contribute as needed?
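As an added example (not code from this thread, from the Gentoo Hardened project or from elfix/revdep-pax), here is a small ELF64 program-header parser that reports a binary's PaX markings, including whether MPROTECT has been turned off for it, which is the kind of per-binary exemption the post describes for JIT-using programs. It reads only the PT_PAX_FLAGS program header; the header type (PT_LOOS + 0x5041580) and the enable/disable bit pairs are taken from the PaX ELF definitions and are labelled as assumptions in the code. The sample ELF image it builds is constructed inline so the script runs offline; pass real file paths on the command line to audit installed binaries.

```python
"""Report PaX markings from an ELF64 binary's PT_PAX_FLAGS program header.

Added example for this thread; not code from the list or from Gentoo's elfix.
Assumes the PaX ELF definitions: PT_PAX_FLAGS = PT_LOOS + 0x5041580 and the
PF_* enable/disable bit pairs listed in PAX_FLAGS.
"""
import struct
import sys

PT_LOOS = 0x60000000
PT_PAX_FLAGS = PT_LOOS + 0x5041580

# Each PaX feature has an "enable" bit and a "disable" bit in p_flags;
# with neither bit set, the kernel's default for that feature applies.
PAX_FLAGS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}


def pax_flags(elf):
    """Return p_flags of the PT_PAX_FLAGS header, or None if the binary has none."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if elf[5] == 1 else ">"          # EI_DATA: 1 = little endian
    (e_phoff,) = struct.unpack_from(end + "Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(end + "II", elf, off)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None


def describe(p_flags):
    """Map p_flags to a per-feature state: 'on', 'off' or 'default'."""
    state = {}
    for name, (enable, disable) in PAX_FLAGS.items():
        if p_flags & disable:
            state[name] = "off"
        elif p_flags & enable:
            state[name] = "on"
        else:
            state[name] = "default"
    return state


def mprotect_disabled(elf):
    """True if the binary is explicitly marked to run without MPROTECT."""
    flags = pax_flags(elf)
    return flags is not None and bool(flags & PAX_FLAGS["MPROTECT"][1])


def build_sample_elf64(pax_p_flags=None):
    """Construct a minimal little-endian x86-64 ELF image (not runnable) for testing.

    Constructed sample: one PT_LOAD header plus, optionally, a PT_PAX_FLAGS header.
    """
    phdrs = [struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if pax_p_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_p_flags, 0, 0, 0, 0, 0, 8))
    ehdr = bytearray(64)
    ehdr[:7] = b"\x7fELF\x02\x01\x01"              # magic, ELFCLASS64, little endian, EV_CURRENT
    struct.pack_into("<HHIQQQIHHHHHH", ehdr, 16,
                     2, 62, 1, 0x400000,             # ET_EXEC, EM_X86_64, e_version, e_entry
                     64, 0, 0,                       # e_phoff, e_shoff, e_flags
                     64, 56, len(phdrs), 64, 0, 0)   # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    return bytes(ehdr) + b"".join(phdrs)


def audit(paths):
    """Return {path: state dict or None} for the given files."""
    result = {}
    for path in paths:
        with open(path, "rb") as fh:
            flags = pax_flags(fh.read())
        result[path] = None if flags is None else describe(flags)
    return result


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path, state in audit(targets).items():
            print(path, "no PT_PAX_FLAGS header" if state is None else state)
    else:
        # No paths given: demonstrate on a constructed image with MPROTECT
        # disabled and EMUTRAMP enabled, the marking a JIT-using binary might carry.
        demo = build_sample_elf64(PAX_FLAGS["MPROTECT"][1] | PAX_FLAGS["EMUTRAMP"][0])
        print("constructed sample:", describe(pax_flags(demo)))
```

Gentoo can also keep PaX markings in the user.pax.flags extended attribute rather than in the program header; this parser covers only the PT_PAX_FLAGS header, so a binary it reports as "default" may still carry xattr markings. The value of running something like this over /usr/bin and /usr/lib is the inventory: every binary reported with MPROTECT "off" is one where the mprotect restriction has been lifted, which is exactly the list a hardened-desktop administrator should know and periodically review.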



Re: hardened profile for desktops?

Jens Kasten
In reply to this post by Javier Juan Martinez Cabezon


On 2012-06-08 22:32, Javier Juan Martínez Cabezón wrote:

> On 08/06/12 21:40, Kevin Chadwick wrote:
>> On Fri, 8 Jun 2012 16:06:37 +0300
>> Alex Efros wrote:
>>
>>> Actually, I see no reasons to NOT use hardened on desktops.
>>
>> Maybe many more would if there was an easy and quick to install and
>> maintain compiled distro. More users more compatibility too, I'd
>> guess.
>>
>> Not suggesting there should be, just stating a reality.
>>
>> Anyone know why hardened debian and was it adamantix died off?
>>
>
> Hardened debian had to change their name to adamantix because debian
> forbade the use of its name.
> It disappeared because hardened gentoo appeared, and one distro
> maintained by one user (Peter Busser) is a hard and crazy task.

Hmm because gentoo hardened? I am not sure about that.
Adamantix was RSBAC specific not grsecurity or SELinux.
I switched to gentoo hardened after adamantix was not maintained anymore.

--
Kind regards

Jens Kasten


http://www.kasten-edv.de


Re: hardened profile for desktops?

Javier Juan Martinez Cabezon
On 11/06/12 04:26, Jens Kasten wrote:

>
>
> On 2012-06-08 22:32, Javier Juan Martínez Cabezón wrote:
>> On 08/06/12 21:40, Kevin Chadwick wrote:
>>> On Fri, 8 Jun 2012 16:06:37 +0300
>>> Alex Efros wrote:
>>>
>>>> Actually, I see no reasons to NOT use hardened on desktops.
>>>
>>> Maybe many more would if there was an easy and quick to install and
>>> maintain compiled distro. More users more compatibility too, I'd guess.
>>>
>>> Not suggesting there should be, just stating a reality.
>>>
>>> Anyone know why hardened debian and was it adamantix died off?
>>>
>>
>> Hardened debian had to change their name to adamantix because debian
>> forbade the use of its name.
>> It disappeared because hardened gentoo appeared, and one distro
>> maintained by one user (Peter Busser) is a hard and crazy task.
>
> Hmm because gentoo hardened? I am not sure about that.
> Adamantix was RSBAC specific not grsecurity or SELinux.
> I switched to gentoo hardened after adamantix was not maintained anymore.
>

Hi Jens. Yes, I'm sure: the main goal of adamantix was to create a
distribution with PIE and SSP to use over an rsbac kernel, the goal that
hardened gentoo later took up.

At the beginning rsbac was supported in gentoo and maintained by Kang.



Re: hardened profile for desktops?

Anthony G. Basile-2
On 06/11/2012 01:20 AM, Javier Juan Martínez Cabezón wrote:

> On 11/06/12 04:26, Jens Kasten wrote:
>>
>>
>> On 2012-06-08 22:32, Javier Juan Martínez Cabezón wrote:
>>> On 08/06/12 21:40, Kevin Chadwick wrote:
>>>> On Fri, 8 Jun 2012 16:06:37 +0300
>>>> Alex Efros wrote:
>>>>
>>>>> Actually, I see no reasons to NOT use hardened on desktops.
>>>>
>>>> Maybe many more would if there was an easy and quick to install and
>>>> maintain compiled distro. More users more compatibility too, I'd guess.
>>>>
>>>> Not suggesting there should be, just stating a reality.
>>>>
>>>> Anyone know why hardened debian and was it adamantix died off?
>>>>
>>>
>>> Hardened debian had to change their name to adamantix because debian
>>> forbade the use of its name.
>>> It disappeared because hardened gentoo appeared, and one distro
>>> maintained by one user (Peter Busser) is a hard and crazy task.
>>
>> Hmm because gentoo hardened? I am not sure about that.
>> Adamantix was RSBAC specific not grsecurity or SELinux.
>> I switched to gentoo hardened after adamantix was not maintained anymore.
>>
>
> Hi Jens. Yes, I'm sure: the main goal of adamantix was to create a
> distribution with PIE and SSP to use over an rsbac kernel, the goal that
> hardened gentoo later took up.
>
> At the beginning rsbac was supported in gentoo and maintained by Kang.
>

I'm supporting it again.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197


Re: hardened profile for desktops?

schaduwfax
In reply to this post by Alex Efros-4
Did you use USE flags such as "dlloader static static_libs hardened" in order to get nvidia graphics running?

I managed to get nouveau running with the USE flags I mentioned above. But nouveau is not exactly what I want :-(