Peter Humphrey <pe...@prh.myzen.co.uk> wrote:
> On Friday 07 Jul 2017 07:53:01 Martin Vaeth wrote:
>
>> ... my original text was arguing against the claim that the primary
>> purpose of hardened kernels was to protect against untrusted users
>> sitting in front of the keyboard.
>
> It wasn't a claim, just an impression

Sorry that my formulation was unfortunate.
My intention had been to explain why that impression is wrong IMHO.

Anyway, this discussion is meanwhile almost pointless since
hardened-sources are practically no longer available for "normal"
users, and so also the hardened profile has become almost pointless.

As a small substitute, I would recommend following the recommendations
of the Kernel Self Protection Project and using the

default/linux/amd64/17.0/desktop

profile or - if you are limited to x86 - to combine

default/linux/x86
releases/17.0
targets/desktop

which enables the current compilers with some default-enabled
security-relevant CFLAGS.
In addition you can also add -fstack-check=specific
to CFLAGS and -Wl,-z,now -Wl,-z,relro to LDFLAGS.

All this is not a complete substitute for TPE and friends but
better than nothing.
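An added example, not code from Martin's mail or from Gentoo: after rebuilding with -Wl,-z,relro -Wl,-z,now in LDFLAGS, the one thing worth checking is whether the linker flags actually reached the binaries. The POSIX sh script below classifies a binary's RELRO state (full, partial, none) and its GNU_STACK flags from readelf output; the readelf snippets embedded in it are constructed samples, and check_binary assumes readelf from binutils is installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from Gentoo: classify a
# binary's RELRO hardening and stack flags from "readelf" output, so you can
# verify that -Wl,-z,relro -Wl,-z,now took effect after rebuilding with the
# new LDFLAGS. The readelf snippets below are constructed samples.

# Constructed "readelf -lW" program headers: one with a GNU_RELRO segment
# and a non-executable stack, one without GNU_RELRO and with an RWE stack.
PHDRS_WITH_RELRO='  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000628 0x000628 R   0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002dd0 0x0000000000003dd0 0x0000000000003dd0 0x000230 0x000230 R   0x1'
PHDRS_NO_RELRO='  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000628 0x000628 R   0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'

# Constructed "readelf -dW" dynamic sections: linked with -z now, and lazily bound.
DYN_BIND_NOW=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
DYN_LAZY=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000006ffffffb (FLAGS_1)            Flags: PIE'

# relro_level PHDRS DYN
# Prints "full"    (GNU_RELRO segment + immediate binding: -z relro -z now),
#        "partial" (GNU_RELRO segment but lazy binding, so the GOT stays writable),
#        "none"    (no GNU_RELRO segment at all).
relro_level() {
    if ! printf '%s\n' "$1" | grep -q 'GNU_RELRO'; then
        echo none
        return 0
    fi
    # Immediate binding shows up as a DT_BIND_NOW tag, as DT_FLAGS BIND_NOW,
    # or as DT_FLAGS_1 NOW, depending on the linker.
    if printf '%s\n' "$2" | grep -Eq '\(BIND_NOW\)|\(FLAGS(_1)?\).*NOW'; then
        echo full
    else
        echo partial
    fi
}

# stack_executable PHDRS
# Prints "yes" if the GNU_STACK header asks for an executable stack (flags
# contain E), "no" if it is RW, and "missing" if there is no GNU_STACK header
# at all (worth a look too, since the kernel then falls back to a default).
stack_executable() {
    line=$(printf '%s\n' "$1" | grep 'GNU_STACK' || true)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -Eq 'RW?E'; then
        echo yes
    else
        echo no
    fi
}

# check_binary PATH
# Runs both classifiers on a real file, using readelf from binutils
# (assumed to be installed). Returns 1 if readelf cannot read the file.
check_binary() {
    phdrs=$(readelf -lW "$1" 2>/dev/null) || return 1
    dyn=$(readelf -dW "$1" 2>/dev/null)
    printf '%s: relro=%s exec-stack=%s\n' "$1" \
        "$(relro_level "$phdrs" "$dyn")" "$(stack_executable "$phdrs")"
}

# Demonstration on the constructed samples:
printf 'sample A: relro=%s exec-stack=%s\n' \
    "$(relro_level "$PHDRS_WITH_RELRO" "$DYN_BIND_NOW")" \
    "$(stack_executable "$PHDRS_WITH_RELRO")"
printf 'sample B: relro=%s exec-stack=%s\n' \
    "$(relro_level "$PHDRS_NO_RELRO" "$DYN_LAZY")" \
    "$(stack_executable "$PHDRS_NO_RELRO")"
```

On a real system, `check_binary /usr/bin/some-program` after `emerge` with the new LDFLAGS should report `relro=full exec-stack=no`; `partial` means -z relro reached the link but -z now did not, which is the more common mistake, since many build systems drop LDFLAGS they do not recognize.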

