On Sun, Jul 1, 2012 at 11:04 PM, Anthony G. Basile <[email protected]> wrote:
> 1. Gone are Gentoo's predefined HARDENED_SERVER, HARDENED_DESKTOP and
> HARDENED_VIRTUALIZATION. There is no need for them anymore as they are
> pretty much subsumed under the above. With some minor differences:
>
> HARDENED_SERVER => Type=Server, Priority=Security, Virt=None
> HARDENED_DESKTOP => Type=Desktop, Priority=Security, Virt=None
> HARDENED_VIRTUALIZATION => Type=Server, Priority=Security Virt=<mixed>

I played a bit with the new settings in the latest unstable hardened x86 kernel today (in an attempt to squash a NULL deref bug, will send another email about that), and the new approach seemed very confusing to me. It has many overlapping options (VMware or VirtualBox?), the ultimate effect of which is not clear (what if I want to use both VMs?). In addition, all these options only have an effect for a new kernel configuration (probably not even an oldconfig), since they only affect defaults. Afterwards, they just sit there (interfering with other settings, see below).

In the old approach, I found HARDENED_VIRTUALIZATION to be a very robust choice that actually enforced most settings that I have carefully chosen previously. In the new approach, I just switched to GRKERNSEC_CONFIG_CUSTOM after a while.

> 2. I've tried to keep the Gentoo GIDs where possible. There is one bug that
> I've noticed, which I'm passing to upstream. Toggling "Invert GID option"
> under TPE does not toggle between our trusted (GID=10) and our untrusted
> (GID=100) values. You can change them manually, but since in Gentoo we want
> to keep our GIDs in line [1], we need to change upstream's default values to
> ours.

GRKERNSEC_CONFIG_AUTO interferes with that — a trusted group is shown as "untrusted". In addition, groups for disabled settings (like GRKERNSEC_SYMLINKOWN) are also shown.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
