On 12/23/2017 10:20 PM, Adam Carter wrote:
>
> So I'm wondering how much difference there is between hardened and
> non-hardened profiles these days.
>
The hardened profiles ensure that PaX works by setting PAX_MARKINGS="XT"
and by making sure that you don't disable xattr support in, say,
coreutils. They also let you build gcc/glibc with USE=hardened, although
what that actually does these days I'm not sure. Aside from that, the
hardened profiles have less stuff enabled by default. The "desktop"
portion is the worst offender there...

  $ cat profiles/targets/desktop/make.defaults
  # Copyright 1999-2017 Gentoo Foundation
  # Distributed under the terms of the GNU General Public License v2

  USE="a52 aac acpi alsa bluetooth branding cairo cdda cdr consolekit cups
  dbus dri dts dvd dvdr emboss encode exif fam firefox flac gif glamor gpm
  gtk jpeg lcms ldap libnotify mad mng mp3 mp4 mpeg ogg opengl pango pdf
  png policykit ppds qt3support qt5 sdl spell startup-notification svg
  tiff truetype vorbis udev udisks unicode upower usb wxwidgets X xcb x264
  xml xv xvid"

That's as opposed to,

  $ cat profiles/features/hardened/make.defaults
  ...
  USE="${USE} -berkdb -gdbm -tcpd"
  USE="${USE} -fortran"
  USE="${USE} -cli -session"
  USE="${USE} -dri"
  USE="${USE} -modules"
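The comparison the reply makes by eye, as an added example that is not part of the original mail or of the Gentoo profile tree: a small POSIX sh script that reads make.defaults-style files, follows the incremental USE="${USE} ..." form the hardened profile uses, and reports which flags the desktop target turns on that the hardened feature profile explicitly turns off, plus whether PAX_MARKINGS is set. The two files are constructed stand-ins built from the lines quoted above (the PAX_MARKINGS="XT" line is placed in the hardened stand-in because the reply states the hardened profiles set it; its exact position in the real file is an assumption). Point the functions at the real files under /var/db/repos/gentoo/profiles (or your tree's path) to run the same check on a live system.

```shell
#!/bin/sh
# Added example (not from the mail or from Gentoo). Compares USE flags
# between a "desktop" target and the "hardened" feature profile.

# Constructed stand-in for profiles/targets/desktop/make.defaults,
# containing the lines quoted in the mail.
DESKTOP=$(mktemp)
cat > "$DESKTOP" <<'EOF'
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

USE="a52 aac acpi alsa bluetooth branding cairo cdda cdr consolekit cups dbus dri dts dvd dvdr emboss encode exif fam firefox flac gif glamor gpm gtk jpeg lcms ldap libnotify mad mng mp3 mp4 mpeg ogg opengl pango pdf png policykit ppds qt3support qt5 sdl spell startup-notification svg tiff truetype vorbis udev udisks unicode upower usb wxwidgets X xcb x264 xml xv xvid"
EOF

# Constructed stand-in for profiles/features/hardened/make.defaults.
# The PAX_MARKINGS line is assumed here because the mail says the
# hardened profiles set it; the USE lines are the ones quoted.
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
PAX_MARKINGS="XT"
USE="${USE} -berkdb -gdbm -tcpd"
USE="${USE} -fortran"
USE="${USE} -cli -session"
USE="${USE} -dri"
USE="${USE} -modules"
EOF

# Print every flag named in USE="..." lines of $1, one per line, in file
# order. The ${USE} reference used by incremental assignments is dropped.
use_flags() {
    sed -n 's/^USE="\(.*\)"$/\1/p' "$1" \
      | sed 's/\${USE}//g' \
      | tr ' ' '\n' \
      | sed '/^$/d'
}

# Print the flags that $1 enables (no leading '-') and that $2 disables
# (leading '-'), sorted, one per line. Empty output means no conflict.
conflicting_flags() {
    en=$(mktemp); dis=$(mktemp)
    use_flags "$1" | grep -v '^-' | sort -u > "$en"
    use_flags "$2" | grep '^-' | sed 's/^-//' | sort -u > "$dis"
    comm -12 "$en" "$dis"
    rm -f "$en" "$dis"
}

# Print the value of PAX_MARKINGS in $1, or nothing if the file does not
# set it (the desktop target does not; the hardened profile does).
pax_markings() {
    sed -n 's/^PAX_MARKINGS="\(.*\)"$/\1/p' "$1"
}

# Stand-alone run: show the conflicts and the PaX marking setting.
echo "desktop flags that hardened disables:"
conflicting_flags "$DESKTOP" "$HARDENED"
echo "hardened PAX_MARKINGS: $(pax_markings "$HARDENED")"
echo "desktop PAX_MARKINGS: '$(pax_markings "$DESKTOP")'"
```

On the quoted lines the only direct conflict is dri: everything else the hardened profile negates (berkdb, gdbm, tcpd, fortran, cli, session, modules) is not in the desktop USE set at all, so those negations only matter against flags enabled elsewhere in the profile stack or in make.conf. Stacking order still decides the result on a real system; this script only compares two files, it does not reproduce Portage's full profile resolution (use `emerge --info` or `portageq envvar USE` for the effective value).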