Hi everyone,

During the last meeting of the hardened team [1], we discussed the issue of the proper use of the global "hardened" flag. Because "hardened" has various meanings the flag is being (ab)used in various ways. Primarily there are two distinct meanings that need to be distinguished in the tree.

1) hardened toolchain which means SSP, PIE, FORTIFY_SOURCES=2 and all the good stuff.

2) hardened kernel which is complicated by the fact that there are many hardening features the user can choose from. These, however, fall into three groups, "pax", "grsec" and "selinux".

An example of using "hardened" in the first sense is mail-mta/postfix. Examples of using it in the second sense are app-admin/syslog-ng and dev-lang/mono. Since there are some users which use a hardened toolchain, but not a hardened kernel and vice versa, this ambiguity leads (and has led) to undesirable consequences.

Here's how we propose to disambiguate the flag:

1) The current "hardened" flag will mean only the toolchain. Setting it globally means that the user wants a hardened toolchain + resulting hardened binaries upon emerge -e world.

2) The choice of a hardened kernel is made by emerging hardened-sources, configuring, compiling, booting. There is no use flag for this choice per se. That means that virtual/linux-sources would remove the condition

    RDEPEND: hardened? ( =sys-kernel/hardened-sources-2.6* )

and simply replace it with

    =sys-kernel/hardened-sources-2.6*

3) Since a hardened kernel can be configured with various flavors of "pax" or "grsec" or "selinux", there should be USE flags to reflect userland needs to conform. There already is a "selinux" flag which is set by selinux profiles. Currently we don't see a need for a "grsec" flag, however, there is a need for a "pax" global use flag which we propose calling "pax_kernel". (If nothing else to distinguish it from app-arch/pax.) Userland binaries which will run under a pax enabled kernel may need special treatment to run, or else they'll be killed by the kernel. The best example here is an RWX mmapping. Although the ideal case is to "fix the code" this is not always feasible and so binaries will still need markings with paxctl -m.

4) The hardened team will work with maintainers to clean up the flags.

Thanks, and we await comments.

--The hardened team.

Ref [1] http://archives.gentoo.org/gentoo-hardened/msg_040568ebe0a2f55c76820cfdcf8a0ff9.xml

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : bluen...@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
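As an added illustration of the split the mail proposes (this is not code from the hardened team or from any real package), the fragment below shows a placeholder ebuild in which "hardened" only influences the build against the toolchain and "pax_kernel" alone decides whether the installed binary receives a PaX marking. Assumptions: the package name "foo" and its ./configure switch "--enable-pie" are placeholders; pax-mark comes from pax-utils.eclass, which wraps paxctl (and scanelf) and applies the same "m" marking the mail refers to as paxctl -m; EAPI 4 phase conventions are used.

```ebuild
# Added example, not from the hardened team's mail or any real package.
# "foo" and the --enable-pie configure switch are placeholders.
EAPI=4

inherit pax-utils   # provides pax-mark, a wrapper around paxctl/scanelf

DESCRIPTION="Placeholder showing the proposed hardened vs pax_kernel split"
SRC_URI="http://example.invalid/foo-${PV}.tar.gz"   # placeholder
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~amd64 ~x86"
IUSE="hardened pax_kernel selinux"

# Point 2 of the mail: no USE-conditional dependency on a kernel flavour.
# The kernel is chosen by emerging hardened-sources, not by a flag.
# (For comparison, virtual/linux-sources would drop
#   hardened? ( =sys-kernel/hardened-sources-2.6* )
# and depend on =sys-kernel/hardened-sources-2.6* unconditionally.)
RDEPEND="selinux? ( sec-policy/selinux-base-policy )"
DEPEND="${RDEPEND}"

src_configure() {
	# Point 1: "hardened" describes the toolchain only. It adapts the build
	# to a hardened gcc (SSP/PIE/FORTIFY) and says nothing about the kernel.
	econf $(use_enable hardened pie)   # placeholder switch of this package
}

src_install() {
	default
	# Point 3: a JIT-style binary that needs an RWX mapping would be killed
	# by a PaX kernel unless marked. The marking is keyed on pax_kernel, never
	# on "hardened", because a hardened toolchain does not imply a PaX kernel.
	if use pax_kernel; then
		pax-mark m "${ED}"/usr/bin/foo
	fi
}
```

A user with a hardened toolchain but a vanilla kernel builds with USE="hardened -pax_kernel" and gets no marking; a user running hardened-sources with PaX on a non-hardened toolchain sets USE="-hardened pax_kernel" and gets the marking without any toolchain-specific build changes. Both combinations were ambiguous under the single "hardened" flag.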