On 13/11/23 14:22, Peter Böhm wrote:
On Monday, 13 November 2023, 11:19:26 CET, ralfconn wrote:
Hello,

I've been running the desktop profile for years. Now I'm thinking of
switching to hardened. Since there is no 'hardened desktop' profile,
the hint I found online is to note the current desktop USEs, switch to
hardened and add the USEs not found there, but I wonder if it is really
the best option. Comparing the two profiles, hardened seems a sub-set of
desktop with the addition of:

cet
hardened
pie
ssp
xtpax

It seems to me easier to add these to the desktop rather than the other way
round. Any gotchas I am missing?

Yes, you are missing that the best solution is: Make a new profile which
contains both profiles. See more here:

https://forums.gentoo.org/viewtopic-p-8694188.html#8694188

(And you have to start with a hardened stage3)

Looks like a good alternative, thanks. Following the post I created the local profile 'hardened-desktop' and confirmed the USEs are the combination of the two profiles. I suppose the added benefit of this new profile is that it will inherit the changes eventually done to the parent profiles by the Gentoo developers, correct?

P.S.: Maybe read also the first note from this article:

https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP

Thanks, this requires a bit more study on my side which I'll certainly do as a second step. BTW, hardened-sources is no longer available so KSPP might be the only option.

raffaele


