# Hardened ready for Desktop/Laptop use?

## Master One

Was reading about the hardened projects the last few days, and it seems indeed pretty interesting. As I could see on various forum posts, people are already using hardened systems on their desktops, but I also found some problem reports due to software not playing nice with added security rules.

I'd like to try a new desktop/laptop installation with hardened-sources, hardened toolchain, PaX/Grsecurity, making full use of PIE/SSP, inspired by Jaded stage3 hardened Guide With Grsecurity & PaX ver2.0.

Are there any programs (for example multimedia, like audio/video players, codecs, ...) which cannot be made to run with such a hardened system at all? As seen, some programs surely will not work without tweaking the security rules, but isn't chpax fit for solving all those problems (as it does with Xorg and JAVA, for example)?

My major concern is latest Xorg with ATI binary drivers. In the Gentoo hardened docs it is mentioned that NVIDIA/ATI proprietary binary drivers will not work with dlloader, but someone mentioned that at least the latest NVIDIA drivers should work now. Any hint about the latest ATI binary drivers & dlloader? Are there any other drivers affected on a hardened system?

If hardened is ready for desktop, shouldn't it become the default way of installing Gentoo? I mean, hardened-sources + hardened toolchain + PaX + PIE/SSP is to be considered of use for any installation, and it should indeed go in the direction of more security for the general public.

----------

## Xaid

I've been using a Hardened system on my desktop for the last year or so with little problems.

The comment about Xorg and dlloader is old, I believe; I'm on an nvidia card (FX5200) and I have no problems playing any games or using applications that require 3D acceleration.

I'm not using Grsecurity though, only PaX (with PIE/SSP of course), and the issues are usually easy to fix (disable MPROTECT on applications that will use libraries that weren't compiled with PIC).

For example, if an application will use the proprietary Nvidia drivers, then I disable MPROTECT on that binary and it's all good to go.

Same goes for Java (disable MPROTECT on firefox-bin and that should take care of it).

Wine works fine as well, but you'll have to disable all PaX permissions for wine-preloader I believe.

Some of the information there might be incorrect, and if that's the case then I'm sure someone will correct me.

----------

## Master One

Thanks for the feedback, Xaid, seems to be like I expected. It shouldn't be too hard to set the PaX flags on individual programs causing trouble, should it? I mean, is it only about executable binaries, or libraries as well? I couldn't take a closer look, but I assume chpax already comes with a config for some usual troublemakers.

I'd still like to get some feedback on whether the latest ATI binary drivers will run on a hardened system or not. PaX should not be the problem here, but probably dlloader (I am not quite sure if I should go for Xorg 6.9 or 7.0 for my new installation).

----------

## PaveQ

At least Sun JDK is working on my server (all hardened enabled) without configuration/hassle. Maybe it's just good luck?   :Laughing: 

----------

## Master One

*PaveQ wrote:*

> At least Sun JDK is working on my server (all hardened enabled) without configuration/hassle. Maybe it's just good luck?

So you have PaX in use, but didn't need to tweak the flags for JAVA using chpax as mentioned in the Hardened FAQ? If that's true, I'd say the FAQ needs some updating (although it was last modified just 2 days ago).

----------

## Xaid

Hi Master One,

I think the preferred way is to disable the PaX permissions on the binaries and not the libraries, but I've seen a few people changing the permissions on the libraries so that they don't have to disable them on the individual binaries.

There shouldn't be any problems in doing that (changing the PaX permissions on the binaries), as far as I know.

You need to disable the PaX permissions on firefox-bin for example, if you want to use the Java plugin in firefox, same goes if you want to use the flash plugin.

PaveQ, if you are running a server then I'm assuming you don't have X installed (so no mozilla/firefox) and that's why you didn't have to change anything to get Java running  :Smile: 

So you don't have to change anything for any of the proprietary libraries (or ones which were built without PIC), but you need to disable some permissions on the binaries that use those libraries (I would first try to disable MPROTECT, and if that still doesn't make it work then start disabling the permissions one by one and see which one does the trick).

One more note, if you are doing this on a Pentium 4, then it's a good idea not to enable PAGEEXEC when configuring the kernel since (someone correct me if I'm wrong here) Pentium 4s don't have native hardware support for PAGEEXEC, so it'll have to be emulated, and that will incur a big performance hit.

Edit: I'm not sure if you have to change any permissions on java/javac but the last time I installed blackdown-jdk, I don't think I had to change any permissions on them.

----------

## PaveQ

*Master One wrote:*

> *PaveQ wrote:*
> > At least Sun JDK is working on my server (all hardened enabled) without configuration/hassle. Maybe it's just good luck?
>
> So you have PaX in use, but didn't need to tweak the flags for JAVA using chpax as mentioned in the Hardened FAQ? If that's true, I'd say the FAQ needs some updating (although it was last modified just 2 days ago).

Yep, I didn't change anything, although I have chpax emerged.

*Xaid wrote:*

> PaveQ, if you are running a server then I'm assuming you don't have X installed (so no mozilla/firefox) and that's why you didn't have to change anything to get Java running
>
> So you don't have to change anything for any of the proprietary libraries (or ones which were built without PIC), but you need to disable some permissions on the binaries that use those libraries (I would first try to disable MPROTECT, and if that still doesn't make it work then start disabling the permissions one by one and see which one does the trick).
> ...
 

Hmm, ok. There's no X installed. Actually my server is a PIII. It's not a good idea to use PAGEEXEC on any processor that doesn't have the NX bit (or whatever it's called). Although memory will be limited to 1.5 GB per process.

----------

## Master One

Any new opinions on that subject?

I was away for a while, distro-hopping led me from Kubuntu via Arch Linux to Foresight Linux (which has a very interesting software management concept), but that idea of giving Hardened-Gentoo a try on my ThinkPad never left my mind.

----------

## basement

I don't see why not. I've been using hardened only on my desktop + laptop gentoo installations for a while now (I believe I messaged you last year).

The few issues that have come up have been easily solved by using these forums and the log files (pax.log and grsec.log in /var/log). And the solution has usually been either to recompile a few packages without SSP+PIE (like media libs) or to change PaX permissions (e.g. for java and wine). I also had to disable the "Enforce Non-Executable Kernel Pages" option in the kernel, because it screwed up the mouse pointer in X.
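Added example, not code from any poster in this thread: a small POSIX shell helper that reads PaX kill lines of the kind basement mentions in /var/log/pax.log and prints, for review, the chpax commands Xaid's approach implies (set flags on the binary rather than the library, and try MPROTECT alone first). The log lines are constructed samples; the paths, PIDs and addresses in them are made up.

```shell
#!/bin/sh
# Constructed sample of PaX kill messages as they appear in /var/log/pax.log
# (the "PAX: terminating task:" line is the real format; paths, PIDs and
# addresses here are made up for illustration).
SAMPLE_LOG='Jan  1 12:00:00 host kernel: PAX: terminating task: /usr/bin/firefox-bin(firefox-bin):2345, uid/euid: 1000/1000, PC: 0xb7f00000, SP: 0xbfff0000
Jan  1 12:00:00 host kernel: PAX: bytes at PC: 55 89 e5 83 ec 08 e8 00 00 00 00
Jan  1 12:01:00 host kernel: PAX: terminating task: /usr/bin/wine-preloader(wine-preloader):2400, uid/euid: 1000/1000, PC: 0x7bf00000, SP: 0x7ffffff0
Jan  1 12:02:00 host kernel: PAX: terminating task: /usr/bin/firefox-bin(firefox-bin):2500, uid/euid: 1000/1000, PC: 0xb7f00100, SP: 0xbfff0000'

# List each distinct binary PaX killed, most frequent first, as "path count".
# Only "terminating task" lines carry the path; the "bytes at PC" lines
# that follow them are skipped.
killed_binaries() {
    printf '%s\n' "$1" \
      | sed -n 's/.*PAX: terminating task: \([^(]*\)(.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $2 " " $1}'
}

# Print (never run) the flag changes to review, one binary at a time, in
# the order Xaid suggests: look at the current flags, then relax MPROTECT
# alone and retest before touching any other flag.  Flags go on the
# binary, not on the non-PIC library it loads.  chpax letters: lowercase
# disables, uppercase enables (paxctl uses the same letters).
suggest_flags() {
    killed_binaries "$1" | while read -r path count; do
        printf 'chpax -v %s   # killed %s time(s): show current flags\n' "$path" "$count"
        printf 'chpax -m %s   # disable MPROTECT only, then retest\n' "$path"
    done
}

suggest_flags "$SAMPLE_LOG"
```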

----------

## kernelOfTruth

*dig dig dig*   :Wink: 

Xaid, could you please lend me a helping hand in getting 3D to work with pax?

https://forums.gentoo.org/viewtopic-t-669428-start-0-postdays-0-postorder-asc-highlight-.html

I've already got mono/tomboy and some other tiny apps to run but wasn't successful with nvidia-drivers, e.g. which folder exactly I need to dive into, etc.

my goal is a running 3D-desktop with compiz-fusion & avant-window-navigator so that I can also use this on my laptop (security & functionality FTW   :Cool:   )

many thanks in advance

Your answers & help are highly appreciated   :Smile: 

----------

## mmoufid

As of yet, mplayer fails to build for me with a hardened toolchain.

----------

## kernelOfTruth

*mmoufid wrote:*

> As of yet, mplayer fails to build for me with a hardened toolchain.

Switch temporarily to the hardenednopiessp specs:

e.g.

*Quote:*

> [7] x86_64-pc-linux-gnu-4.2.3 *
> [8] x86_64-pc-linux-gnu-4.2.3-hardenednopiessp
> ...

to

*Quote:*

> [7] x86_64-pc-linux-gnu-4.2.3
> [8] x86_64-pc-linux-gnu-4.2.3-hardenednopiessp *
> [9] x86_64-pc-linux-gnu-4.2.3-hardenednossp
> ...

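Added example, not from anyone in the thread: a POSIX shell helper that automates kernelOfTruth's temporary switch, picking the `hardenednopiessp` profile out of a `gcc-config -l` listing, building one package with it, and switching back afterwards even when the build fails. The listing is a constructed sample in the shape quoted above; `build_without_piessp` is a hypothetical name and assumes gcc-config and emerge are present on the box.

```shell
#!/bin/sh
# Constructed `gcc-config -l` listing in the shape quoted above (a real
# listing will differ); the trailing "*" marks the active profile.
LISTING=' [7] x86_64-pc-linux-gnu-4.2.3 *
 [8] x86_64-pc-linux-gnu-4.2.3-hardenednopiessp
 [9] x86_64-pc-linux-gnu-4.2.3-hardenednossp'

# Name of the currently active profile (the line whose last field is "*").
active_profile() {
    printf '%s\n' "$1" | awk '$NF == "*" {print $2}'
}

# Name of the profile whose name ends in "-<suffix>", e.g. hardenednopiessp.
# Prints nothing when no such profile exists.
profile_by_suffix() {
    printf '%s\n' "$1" | awk -v sfx="$2" '$2 ~ ("-" sfx "$") {print $2}'
}

# Hypothetical helper (not from the thread): build one package with the
# no-PIE/no-SSP specs, then always restore the profile that was active
# before, whether or not the build succeeded.  The rest of the system keeps
# being built with the full hardened specs.
build_without_piessp() {
    pkg=$1
    listing=$(gcc-config -l)
    orig=$(active_profile "$listing")
    tmp=$(profile_by_suffix "$listing" hardenednopiessp)
    if [ -z "$orig" ] || [ -z "$tmp" ]; then
        echo "could not find the active or the hardenednopiessp profile" >&2
        return 1
    fi
    gcc-config "$tmp" && . /etc/profile && emerge -1 "$pkg"
    rc=$?
    gcc-config "$orig" && . /etc/profile   # switch back even if emerge failed
    return $rc
}
```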
----------

