View previous topic :: View next topic |
Author |
Message |
whiteman808 n00b
Joined: 07 Jul 2024 Posts: 7
|
Posted: Thu Oct 17, 2024 1:07 pm Post subject: Gentoo hardened stage3 on desktop? |
|
|
I had installed gentoo and using desktop profile now. I tried different distros like Debian, Slackware, Arch, and finally, end distrohopping on Gentoo. I love Gentoo for great flexibility it offers, portability, and well-written documentation. USE flags are nice feature.
On the virtual machines gentoo hardened works fine.
I want to know your experiences with using Gentoo hardened profiles on the desktop daily-driver. I want to try use hardened stage3 on ThinkPad X220 because Gentoo hardened profile's default USE flag set is more minimal than default desktop's, so I have less stuff to globally disable and I can enable support for stuff I'm sure I'll need it. Another nice features are hardened toolchain and hardened USE flag.
I'm just curious if there are any issues with hardened profiles on desktop. I'm going to run some window manager + emacs + nyxt on desktop. Does minimalistic desktop configuration like mine vs full-blown GNOME/KDE + Firefox + Thunderbird make difference when I use stage3 hardened?
Please share your experience with using hardened stage3 as daily-driver on desktop computer. |
|
Back to top |
|
|
toralf Developer
Joined: 01 Feb 2004 Posts: 3940 Location: Hamburg
|
|
Back to top |
|
|
NeglectedRudderPug n00b
Joined: 04 Oct 2023 Posts: 34
|
Posted: Sat Oct 19, 2024 3:02 pm Post subject: |
|
|
Much like above, I also run a hardened KDE desktop. In my case it's a custom profile with a mix of:
Quote: |
gentoo:default/linux/amd64/23.0/hardened
gentoo:targets/desktop/plasma
gentoo:targets/systemd
|
I've not experienced any issues. Though, I should note that my original install was not hardened and was profile version 17. I moved over to a hardened profile shortly after installing, which went smoothly and I've also since upgraded the profile to 23 without issues. The only area I did have issues with was SELinux, though I since switched to apparmor with custom profiles instead.
In any case, a full desktop versus a minimal install (hopefully) shouldn't cause issues. But it is worth remembering you can switch profiles even after installing, so if you do get issues you can move back to a different profile (carefully). |
|
Back to top |
|
|
whiteman808 n00b
Joined: 07 Jul 2024 Posts: 7
|
Posted: Sun Oct 20, 2024 3:44 pm Post subject: |
|
|
NeglectedRudderPug wrote: | it is worth remembering you can switch profiles even after installing, so if you do get issues you can move back to a different profile (carefully). |
Can I even switch from nomultilib profile to its multilib version or from non-hardened to hardened profile and vice-versa? What about switching from multilib system to nomultilib? Can I switch easily between regular systemd profile and llvm? How easy is in general switching between different profiles, and what are the limits of eselect profile set x && rebuild world using emerge? |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22867
|
Posted: Sun Oct 20, 2024 3:53 pm Post subject: |
|
|
Moving from multilib to no-multilib is possible. Moving back is more difficult, since you need multilib in order to build multilib. Generally, it's easy to tell Portage to switch profiles. Whether you can readily build anything in your new profile depends on the capabilities of the profile you are leaving. |
|
Back to top |
|
|
toralf Developer
Joined: 01 Feb 2004 Posts: 3940 Location: Hamburg
|
Posted: Sun Oct 20, 2024 5:11 pm Post subject: |
|
|
whiteman808 wrote: |
Can I even switch from nomultilib profile to its multilib version or from non-hardened to hardened profile and vice-versa? |
No:
Code: | # [11:06:37 pm] <@toralf> Would changing the profile and re-emerging @world with --emptytree do it?
# [11:27:13 pm] <@dilfridge> switching from/to hardened, and switching from multilib to non-multilib, yes
# [11:27:31 pm] <@dilfridge> switching from non-multilib to multilib, NO
|
|
|
Back to top |
|
|
whiteman808 n00b
Joined: 07 Jul 2024 Posts: 7
|
Posted: Mon Oct 21, 2024 3:25 pm Post subject: |
|
|
toralf wrote: | https://wiki.gentoo.org/wiki/Hardened_Desktop_Profiles#hardened-desktop
I do run hardened Desktop (KDE) since 10 yrs at Lenove ThinkPads without any bigger problems. |
NeglectedRudderPug wrote: | Much like above, I also run a hardened KDE desktop |
Just curious, why do you run gentoo hardened profile instead of regular desktop kde? Does your threat model require that or other reasons? |
|
Back to top |
|
|
NeglectedRudderPug n00b
Joined: 04 Oct 2023 Posts: 34
|
Posted: Mon Oct 21, 2024 10:45 pm Post subject: |
|
|
whiteman808 wrote: | toralf wrote: | https://wiki.gentoo.org/wiki/Hardened_Desktop_Profiles#hardened-desktop
I do run hardened Desktop (KDE) since 10 yrs at Lenove ThinkPads without any bigger problems. |
NeglectedRudderPug wrote: | Much like above, I also run a hardened KDE desktop |
Just curious, why do you run gentoo hardened profile instead of regular desktop kde? Does your threat model require that or other reasons? |
In my case there's a few reasons:
- I'm a bit paranoid
- My computer often holds sensitive customer data, and in some instances backups of systems that also hold it - I must keep it safe.
- My computer holds SSH keys that can access many, many, many servers. It's best I don't lose them.
But, it works well enough. |
|
Back to top |
|
|
|