Tuesday, September 15, 2009

Profiles in Hardened: Migrating to the "new" hardened profile

For a while now, there have been two different sets of Hardened Gentoo profiles to pick from (not counting the SELinux ones).  For most of that time, the correct profile, managed by the hardened team, was in hardened/${ARCH}.  The release engineering team (apparently trying to organize their profiles better) created a hardened/linux/${ARCH} tree (including options like 2008.0, minimal, etc.).  Unfortunately, this new profile was never maintained and quickly became outdated, with the hardened project pointing people back at their "real" profile.

At some indeterminate time not too long ago, the hardened team took over maintenance of the new profile, and some users are receiving notification to update their obsolete profile to the new one.  So, let's update my Hardened AMD64 laptop and see what happens.


Switching Profiles

Initially, my laptop was set up using the old hardened amd64 multilib profile:

    Current make.profile symlink:
      hardened/amd64/multilib

I switched to the new profile, under the hardened/linux tree:

    platypus ~ # eselect profile set 20
    platypus ~ # eselect profile show
    Current make.profile symlink:
      hardened/linux/amd64/10.0

And ran:

    platypus ~ # emerge --newuse --verbose --deep --ask @world

I got a ton of hits -- 111 reinstalls and 20 new installs -- but the actual changes in my profile were really quite minor.

Multilib

The most obvious change here is that multilib is now the default state for a hardened profile. If you want a non-multilib amd64 system, you need to pick the no-multilib profile explicitly. This matches the non-hardened setup for the 10.0 profile, but is a change from the old hardened profile that had a separate multilib option.

Masked Packages

Just to get my complaining out of the way early: there's been no change in the set of masked packages between the two profile trees.  Put another way, to get the latest working copies of hardened gcc, glibc, and portage, you still need to manually unmask them.  This makes me sad, especially the comment in the hardened/linux/package.mask file:

    # No hardened >=sys-devel/gcc-4.4 available.
    >=sys-devel/gcc-4.4

which is clearly contradicted by the fact that I've been using hardened gcc 4.4 for months.  But that's a rant for another day.

USE Flag Changes

As you probably expect, most of the changes in the profile are in the default USE flags.  One in particular causes a ton of reinstalls: the 'nls' USE flag is gone.  I can't see any particular reason why nls would be removed from the new hardened profile, when it's present in both the non-hardened and old hardened ones.  Since I don't really need nls, I'll just leave it out.

Besides removing nls from the default set, a number of flags were added, some of which seem a bit strange.  +iconv, +gpm, +gdbm, +pcre, and +ncurses seem like unusual choices to add to the default USE flag set, especially given how few packages use them.  I already had +python and +perl in my global USE flags, and +pcre in a few package.use entries, so I got to remove those.  Finally, I can see a decent argument why +acl should be present on a hardened system; but I don't build ACL support into my kernel, so this one's getting turned back off.
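Since a profile switch like this one turns into a large rebuild mostly through changes in the default USE set, it is worth diffing the two profiles' defaults before running emerge. The script below is an added example, not part of the original post and not a Gentoo tool: it reads the USE line from one make.defaults file per profile directory and reports flags that were dropped or added. It assumes a single-line USE="..." assignment; real profiles also inherit through parent files and may spread USE over several make.defaults, which this simplified reader does not follow. The two sample profiles it builds are constructed to mirror the flag changes described above and are not copies of the real Gentoo profile files.

```shell
#!/bin/sh
# Added example (not from the original post, not a Gentoo/Portage tool):
# compare default USE flags between two profile directories so the effect of
# "emerge --newuse" after a profile switch can be predicted.
# Assumption: each profile has a single-line USE="..." in make.defaults;
# profile inheritance via "parent" files is not followed here.

# Print the USE flags of one profile directory, one per line, sorted.
profile_use() {
    sed -n 's/^USE="\(.*\)"$/\1/p' "$1/make.defaults" \
        | tr -s ' ' '\n' | grep -v '^$' | sort -u
}

# Print "-flag" for flags only in the old profile and "+flag" for flags
# only in the new one (comm needs sorted input; profile_use sorts).
use_diff() {
    old_tmp=$(mktemp); new_tmp=$(mktemp)
    profile_use "$1" > "$old_tmp"
    profile_use "$2" > "$new_tmp"
    comm -23 "$old_tmp" "$new_tmp" | sed 's/^/-/'
    comm -13 "$old_tmp" "$new_tmp" | sed 's/^/+/'
    rm -f "$old_tmp" "$new_tmp"
}

# Exit 0 if the switch would drop the given flag, so a pre-switch check
# can warn about e.g. nls disappearing from the defaults.
flag_removed() {
    use_diff "$1" "$2" | grep -qx -- "-$3"
}

# Build two constructed sample profiles (illustrative flag lists only,
# not the real hardened/amd64 or hardened/linux/amd64/10.0 files).
make_sample_profiles() {
    sample=$(mktemp -d)
    mkdir -p "$sample/old" "$sample/new"
    printf 'USE="nls multilib pam ssl"\n' > "$sample/old/make.defaults"
    printf 'USE="acl gdbm gpm iconv multilib ncurses pam pcre perl python ssl"\n' \
        > "$sample/new/make.defaults"
    echo "$sample"
}

# Demo: show what changes between the constructed old and new profiles.
demo=$(make_sample_profiles)
echo "USE flag changes from old to new profile:"
use_diff "$demo/old" "$demo/new"
rm -rf "$demo"
```

On a real system the same functions can be pointed at the profile directories under /usr/portage/profiles, but since inheritance is not followed, treat the result as a first approximation and let emerge --pretend --newuse @world have the final word.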

Conclusion

Overall the switch was pretty painless.  Had I been in a hurry, adding +nls to my global USE flags would have cut down the package reinstalls to less than 20.  I'd like to see more progress toward getting hardened gcc/glibc up to date, but otherwise, thumbs up to the new official hardened profile.
