2022-06-10 08:00:03 +02:00
|
|
|
[20220610] Introduce Trusted Path Execution (TPE)
|
|
|
|
|
|
|
|
TPE limits the scope of what files can be executed. By default, TPE is
|
|
|
|
left disabled, but can be enabled via the `hardening.pax.tpe.status`
|
|
|
|
sysctl tunable.
|
|
|
|
|
|
|
|
When enabled, TPE will check the to-be-executed file's parent directory
|
|
|
|
to determine whether the directory is owned by the caller and is
|
|
|
|
writable to users/groups other than the owner.
|
|
|
|
|
|
|
|
The above logic is only run when:
|
|
|
|
|
|
|
|
1. The hardening.pax.tpe.all sysctl tunable is non-zero;
|
|
|
|
2. The user's primary group is the group specified in the
|
|
|
|
hardening.pax.tpe.gid group;
|
|
|
|
3. When the hardening.pax.tpe.negate sysctl tunable is non-zero, the
|
|
|
|
user's primary group is *NOT* the group specified in the
|
|
|
|
hardening.pax.tpe.gid group.
|
|
|
|
|
2022-04-06 19:07:11 +02:00
|
|
|
[20220406] Introduce insecure kernel module hardening
|
|
|
|
__HardenedBSD_version = 1400002
|
|
|
|
|
|
|
|
Provide support for marking certain kernel modules with a
|
|
|
|
notion of insecure or untrustworthy. Introduce a new hardening
|
|
|
|
sysctl tunable: hardening.insecure_kmod (default to 0, meaning
|
|
|
|
loading insecure kernel modules is prohibited by default.)
|
|
|
|
|
2021-05-28 15:39:28 +02:00
|
|
|
[20210528] Introduce LTO libs on amd64
|
|
|
|
__HardenedBSD_version = 1400001
|
|
|
|
|
|
|
|
As an initial first step towards supporting Cross-DSO CFI,
|
|
|
|
build both static and shared libraries with LTO.
|
|
|
|
|
2020-02-22 10:00:20 +01:00
|
|
|
[20200221] Removal of LibreSSL and OpenNTPD
|
|
|
|
__HardenedBSD_version = 1300061
|
|
|
|
|
|
|
|
LibreSSL and OpenNTPD were removed from the HardenedBSD base
|
|
|
|
system. Users who set WITH_LIBRESSL or WITH_OPENNTPD will need
|
|
|
|
to rebuild ports.
|
|
|
|
|
2019-12-14 12:36:55 +01:00
|
|
|
[20191214] Jail parameter: {no}allow.extattr
|
2019-12-14 12:53:20 +01:00
|
|
|
__HardenedBSD_version = 1300060
|
2019-12-14 12:36:55 +01:00
|
|
|
|
|
|
|
Provide a new jail configuration parameter: allow.extattr (and
|
|
|
|
noallow.extattr). Default: allow.
|
|
|
|
Allow setting system-level filesystem extended attributes by
|
|
|
|
default in a jailed environment.
|
|
|
|
|
|
|
|
Change the default system behavior to be more relaxed. Prior
|
|
|
|
to this change, privileged accounts in a jail could not set
|
|
|
|
system-level filesystem extended attributes. This change now
|
|
|
|
enables that ability by default.
|
|
|
|
|
2021-05-23 10:36:22 +02:00
|
|
|
This is in preparation for hbsdcontrol integration with
|
2019-12-14 12:36:55 +01:00
|
|
|
ports/packages.
|
|
|
|
|
|
|
|
[20191019] FreeBSD ASR with HardenedBSD ASLR
|
2019-04-22 01:51:46 +02:00
|
|
|
__HardenedBSD_version = 1300059
|
|
|
|
|
|
|
|
FreeBSD merged in their incomplete Address Space Randomization
|
|
|
|
(ASR) patch. Undo the reversion of the ASR patch and rely on
|
|
|
|
HardenedBSD's PaX ASLR implementation for the stack and shared
|
|
|
|
page when FreeBSD's ASR is enabled.
|
|
|
|
|
|
|
|
FreeBSD's ASR is disabled by default, but can be enabled at
|
|
|
|
runtime by setting the `kern.elf64.aslr.pie_enable` and
|
|
|
|
`kern.elf64.aslr.enable` sysctl nodes to 1. If HardenedBSD's
|
|
|
|
`hardening.pax.aslr.status' sysctl node is greater than or
|
|
|
|
equal to 2, the PaX ASLR implementation will only be in effect
|
|
|
|
for the stack and the shared page.
|
|
|
|
|
|
|
|
|
2018-10-28 03:08:44 +01:00
|
|
|
[20181019] shift to FreeBSD 13-CURRENT
|
2018-10-28 03:28:07 +01:00
|
|
|
__HardenedBSD_version = 1300058
|
2018-10-28 03:08:44 +01:00
|
|
|
|
|
|
|
FreeBSD started 13-CURRENT, do the same here.
|
|
|
|
|
|
|
|
|
2018-07-01 13:54:10 +02:00
|
|
|
[20180701] OpenSSL
|
2018-07-01 13:36:13 +02:00
|
|
|
__HardenedBSD_version = 1200058
|
|
|
|
|
|
|
|
Switch back to OpenSSL as the default crypto library in base.
|
|
|
|
|
|
|
|
|
2018-01-23 07:44:08 +01:00
|
|
|
[20180123] retpoline
|
2018-01-14 00:46:33 +01:00
|
|
|
__HardenedBSD_version = 1200057
|
|
|
|
|
2018-01-23 07:44:08 +01:00
|
|
|
Integrated the retpoline patch from llvm. The object
|
|
|
|
tree should be removed fully prior to rebuilding
|
|
|
|
world/kernel.
|
2018-01-14 00:46:33 +01:00
|
|
|
|
2018-01-03 00:09:36 +01:00
|
|
|
[20180103] PAX_JAIL_SUPPORT
|
|
|
|
__HardenedBSD_version = 1200056
|
|
|
|
|
|
|
|
Added infrastructure to change hardening settings at
|
|
|
|
jail creating time. You can use the same "mibs" as
|
|
|
|
jail params, which exists under the hardening sysctl
|
|
|
|
leaf. See the example jail.conf sniplet:
|
|
|
|
|
|
|
|
exec.start = "/bin/sh /etc/rc";
|
|
|
|
exec.stop = "/bin/sh /etc/rc.shutdown";
|
|
|
|
exec.clean;
|
|
|
|
mount.devfs;
|
|
|
|
|
|
|
|
path = "/usr/jails/$name";
|
|
|
|
host.hostname = "$name";
|
|
|
|
|
|
|
|
hbsdnx {
|
|
|
|
hardening.pax.segvguard.status = 3;
|
|
|
|
hardening.pax.mprotect.status = 3;
|
|
|
|
hardening.pax.pageexec.status = 3;
|
|
|
|
hardening.pax.aslr.status = 3;
|
|
|
|
persist;
|
|
|
|
}
|
|
|
|
|
|
|
|
In the current implementation the settings are still
|
|
|
|
modifiable via sysctls inside from the jail, but this
|
|
|
|
will change in the future. The same is true for the
|
|
|
|
nested jails.
|
|
|
|
|
|
|
|
|
2017-09-14 20:29:00 +02:00
|
|
|
[20170914] TOCTOU fix, PAX_CONTROL_{ACL,EXTATTR}
|
|
|
|
__HardenedBSD_version = 1200055
|
|
|
|
|
2017-09-14 20:39:51 +02:00
|
|
|
hbsdcontrol
|
|
|
|
-----------------------------------------------------------------------
|
2017-09-14 20:29:00 +02:00
|
|
|
The hbsdcontrol subsystem is an extattr(9) based control pane for
|
|
|
|
HardenedBSD's security settings.
|
|
|
|
|
|
|
|
Currently only the system namespace supported. (The FreeBSD's extattr
|
|
|
|
subsystem has two namespace: system and user. The system namespace is
|
|
|
|
writeable only from non-jail root user, the user namespace is writeable
|
|
|
|
from all users.)
|
|
|
|
This means only the root can assign rules to specific file. The other
|
|
|
|
restriction is similar, only from the host is allowed to set rules to
|
|
|
|
specific file, and prohibited a such operation from jails, for jail's
|
|
|
|
root user too prohibited.
|
|
|
|
|
|
|
|
To enable the hbsdcontrol subsystem, you should add the
|
|
|
|
|
|
|
|
options PAX_CONTROL_EXTATTR
|
|
|
|
|
|
|
|
kernel knob to your kernel config.
|
|
|
|
|
|
|
|
The hbsdcontrol subsystem use the following extended attributes:
|
|
|
|
|
|
|
|
hbsd.pax.aslr
|
|
|
|
hbsd.pax.noaslr
|
|
|
|
hbsd.pax.segvguard
|
|
|
|
hbsd.pax.nosegvguard
|
|
|
|
hbsd.pax.pageexec
|
|
|
|
hbsd.pax.nopageexec
|
|
|
|
hbsd.pax.mprotect
|
|
|
|
hbsd.pax.nomprotect
|
|
|
|
hbsd.pax.shlibrandom
|
|
|
|
hbsd.pax.noshlibrandom
|
|
|
|
hbsd.pax.disallow_map32bit
|
|
|
|
hbsd.pax.nodisallow_map32bit
|
|
|
|
|
|
|
|
Valid values are only the 0 (= disabled) and 1 (= enabled).
|
|
|
|
Valid settings are the following in system FS-EA namespace (with the ASLR
|
|
|
|
example, the same is true for the other settings):
|
|
|
|
|
|
|
|
* no hbsd.pax.aslr, nor hbsd.pax.noaslr assigned to the file -> system default
|
|
|
|
* hbsd.pax.aslr = 1 and hbsd.pax.noaslr = 0 -> enabled ASLR
|
|
|
|
* hbsd.pax.aslr = 0 and hbsd.pax.noaslr = 1 -> disabled ASLR
|
|
|
|
* hbsd.pax.aslr = 0 and hbsd.pax.noaslr = 0 -> invalid, warning message + execution error
|
|
|
|
* hbsd.pax.aslr = 1 and hbsd.pax.noaslr = 1 -> invalid, warning message + execution error
|
|
|
|
|
|
|
|
Attributes in user namespace are ignored.
|
|
|
|
|
2017-09-14 20:39:51 +02:00
|
|
|
TOCTOU fix, PAX_ACL
|
|
|
|
-----------------------------------------------------------------------
|
|
|
|
As preparation to hbsdcontrol, and to clean up the whole control logic
|
|
|
|
there is some new kernel knob:
|
|
|
|
|
|
|
|
* PAX_CONTROL_ACL
|
|
|
|
* PAX_CONTROL_ACL_OVERRIDE_SUPPORT
|
|
|
|
* PAX_CONTROL_EXTATTR
|
|
|
|
|
|
|
|
If you want to use the external secadm utility to manage hardenedbsd's
|
|
|
|
security features, then you should add
|
|
|
|
|
|
|
|
options PAX_CONTROL_ACL
|
|
|
|
|
|
|
|
to your kernel config.
|
|
|
|
|
|
|
|
If you want to use the extattr(9) based hbsdcontrol, you should add
|
|
|
|
the
|
|
|
|
|
|
|
|
options PAX_CONTROL_EXTATTR
|
|
|
|
|
|
|
|
kernel knob.
|
|
|
|
|
|
|
|
If you want to use both hbsdcontrol and secadm, and it's nice to add
|
|
|
|
|
|
|
|
option PAX_CONTROL_ACL_OVERRIDE_SUPPORT
|
|
|
|
|
|
|
|
too. This is nice in very special case, when you set rules both
|
|
|
|
from hbsdcontrol and from secadm on the _same_ file. By default
|
|
|
|
always the hbsdcontrol wins this situation, and what was set up
|
|
|
|
by hbsdcontrol gets applied as policy. To override this behavior
|
|
|
|
you can add a special flag in you secadm conf to override this
|
|
|
|
behavior. For more details consult with secadm's source code /
|
|
|
|
readme / man page.
|
|
|
|
|
2017-09-14 20:29:00 +02:00
|
|
|
|
2017-09-14 20:16:34 +02:00
|
|
|
[20170914] Changed auxvector after e5ea82a50dd64a3e47767b132a16281242ff396d
|
|
|
|
__HardenedBSD_version = 1200054
|
|
|
|
|
|
|
|
After the following commit:
|
|
|
|
|
|
|
|
> commit e5ea82a50dd64a3e47767b132a16281242ff396d
|
|
|
|
> Author: jhb <jhb@FreeBSD.org>
|
|
|
|
> Date: Thu Sep 14 14:26:55 2017 +0000
|
|
|
|
|
|
|
|
> Add AT_HWCAP and AT_EHDRFLAGS on all platforms.
|
|
|
|
>
|
|
|
|
> A new 'u_long *sv_hwcap' field is added to 'struct sysentvec'. A
|
|
|
|
> process ABI can set this field to point to a value holding a mask of
|
|
|
|
> architecture-specific CPU feature flags. If an ABI does not wish to
|
|
|
|
> supply AT_HWCAP to processes the field can be left as NULL.
|
|
|
|
>
|
|
|
|
> The support code for AT_EHDRFLAGS was already present on all systems,
|
|
|
|
> just the #define was not present. This is a step towards unifying the
|
|
|
|
> AT_* constants across platforms.
|
|
|
|
>
|
|
|
|
> Reviewed by: kib
|
|
|
|
> MFC after: 1 month
|
|
|
|
> Differential Revision: https://reviews.freebsd.org/D12290
|
|
|
|
|
|
|
|
> Notes:
|
|
|
|
> svn path=/head/; revision=323579
|
|
|
|
|
|
|
|
the AT_PAXFLAGS has been changed from 24 to 26 position in
|
|
|
|
elf auxvector. This may break some functionality, especially
|
|
|
|
the SHLIBRAND feature, when you running on a newer kernel
|
|
|
|
with an older user-space.
|
|
|
|
|
|
|
|
|
2017-08-31 00:25:36 +02:00
|
|
|
[20170831] Changed pax_elf API
|
|
|
|
__HardenedBSD_version = 1200053
|
|
|
|
|
|
|
|
As preparation to hardenedBSD rationalize
|
|
|
|
the pax_elf(...) functions signature, to
|
|
|
|
follow the codes in kern_exec's style.
|
|
|
|
For the details, see the code.
|
|
|
|
|
|
|
|
|
2017-07-09 23:05:29 +02:00
|
|
|
[20170709] Enforced KPI
|
|
|
|
__HardenedBSD_version = 1200052
|
|
|
|
|
|
|
|
Enfore the KPI version at compile time. This
|
|
|
|
will implicate the recompilation of external
|
|
|
|
modules even once __HardenedBSD_version or
|
|
|
|
__FreeBSD_version gets bumped.
|
|
|
|
|
|
|
|
|
2017-06-24 17:25:03 +02:00
|
|
|
[20170624] Enable OpenNTPd by default
|
|
|
|
__HardenedBSD_version = 1200051
|
|
|
|
|
|
|
|
Enable WITH_OPENNTPD by default on HardenedBSD.
|
|
|
|
After this point we deliver OpenNTPd as base
|
|
|
|
ntp provider for HardenedBSD. ISC ntpd is still
|
|
|
|
available, and accessible with WITHOUT_OPENNTPD=
|
|
|
|
knob in src.conf(5).
|
|
|
|
|
2017-06-16 01:14:22 +02:00
|
|
|
[20170616] Changed __HardenedBSD_version scheme
|
|
|
|
__HardenedBSD_version = 1200050
|
|
|
|
|
|
|
|
The version numbers may differ in different branches (10-STABLE,
|
|
|
|
11-STABLE, 12-CURRENT) and to keep the version number in pair
|
|
|
|
with the features state, there is a need to allow to bump they
|
|
|
|
differently.
|
|
|
|
|
|
|
|
|
2017-06-16 01:13:11 +02:00
|
|
|
[20170616] Changed default protection settings for text section
|
|
|
|
__HardenedBSD_version = 50
|
|
|
|
|
|
|
|
Fixes the (theoretically) last outstanding memory
|
|
|
|
protection related weakness in HBSD's user-space detectable
|
|
|
|
with paxtest.
|
|
|
|
|
|
|
|
|
2017-03-02 23:03:52 +01:00
|
|
|
[20170302] Enable CFI by default for amd64
|
|
|
|
__HardenedBSD_version = 49
|
|
|
|
|
|
|
|
Enable WITH_CFI by default on HardenedBSD/amd64.
|
|
|
|
Control-Flow Integrity (CFI) is an exploit mitigation
|
|
|
|
technique developed in the clang/llvm project. Now that
|
|
|
|
base has clang 4.0.0, which brings a linker that supports
|
|
|
|
Link-Time Optimization (LTO), lld, we can now make use of
|
|
|
|
CFI, which requires LTO.
|
|
|
|
|
|
|
|
This also enables lld by default for amd64 and arm64. Disable
|
|
|
|
CFI by setting WITHOUT_CFI in src.conf(5).
|
|
|
|
|
2017-01-12 17:43:57 +01:00
|
|
|
[20170112] Enable SafeStack by default for amd64
|
|
|
|
__HardenedBSD_version = 48
|
|
|
|
|
|
|
|
Enable WITH_SAFESTACK by default on HardenedBSD/amd64.
|
|
|
|
SafeStack is an exploit mitigation technique developed in the
|
|
|
|
clang/llvm project, born in the Code-Pointer Integrity
|
|
|
|
(CPI) project. Now that base has clang 3.9.1, which contains
|
|
|
|
a more mature CFI/CPI implementation, SafeStack can be enabled
|
|
|
|
by default for amd64.
|
|
|
|
|
|
|
|
Disable SafeStack for base by setting WITHOUT_SAFESTACK in
|
|
|
|
src.conf(5).
|
|
|
|
|
2016-08-28 17:30:17 +02:00
|
|
|
[20160820] Enable LibreSSL by default
|
|
|
|
__HardenedBSD_version = 47
|
|
|
|
|
|
|
|
Enable WITH_LIBRESSL by default on HardenedBSD.
|
|
|
|
After this we point we deliver LibreSSL as base
|
|
|
|
SSL engine for HardenedBSD. The OpenSSL is still
|
2021-04-11 17:48:55 +02:00
|
|
|
available, and accessible with WITHOUT_LIBRESSL=
|
2016-08-28 17:30:17 +02:00
|
|
|
knob in src.conf.
|
|
|
|
|
|
|
|
|
2016-04-23 20:24:52 +02:00
|
|
|
[20160423] RELRO + BIND_NOW
|
|
|
|
__HardenedBSD_version = 46
|
|
|
|
|
|
|
|
Enable RELRO + BIND_NOW for base.
|
|
|
|
Introduce WITHOUT_RELRO and WITHOUT_BIND_NOW.
|
|
|
|
Setting WITHOUT_RELRO also sets WITHOUT_BIND_NOW.
|
|
|
|
|
|
|
|
|
HBSD: Introduce PIEified base.
Base is now able to compile as Position-Independent Executables (PIEs)
for amd64 and i386. Only a few applications are left as non-PIE. Some
applications, like /sbin/init, cannot be compiled as PIEs as they are
statically compiled.
This work has been tested on numerous machines, both on bare metal and
virtualized. Multiple package builds have run successfully.
PIEified base can be disabled for amd64 and i386 by setting
WITHOUT_PIE in src.conf(5) or enabled for other architectures by
setting WITH_PIE in src.conf(5). Since this is controlled by
src.conf(5), PIEified base does not affect out-of-tree builds of 3rd
party applications, like those found in the Ports tree.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
Hat-tip-to: Bryan Drewery <bdrewery@freebsd.org>
MFC-to: 10-STABLE
Squashed commit of the following:
commit 4a3e0fdbe8662aa1473bd323a2297e4573c13217
Merge: bea0b2c 83368e9
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Tue Apr 12 21:06:13 2016 -0400
Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/pie
commit bea0b2cfaf875cdf76bf32b1ff46ecccceb17517
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Tue Apr 12 21:01:11 2016 -0400
HBSD: Tidy up base PIEification.
Switch the PIE knob from make.conf(5) to src.conf(5). Add a
conditional surrounding the PIE logic to prevent Ports failures, since
Ports shares the host build framework (bsd.*.mk and friends). Document
why the extra conditional is needed.
PIEification is still opt-in per architecture, with support only for
amd64 and i386 at the moment. I'm hoping ARM and ARM64 support will
come at BSDCan.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit 1d066c70e146d77f2181549e6cf4751c0fe40da9
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Tue Apr 12 20:58:17 2016 -0400
HBSD: Optionally include src.opts.mk.
By using .sinclude, the build framework will utilize src.opts.mk for
base, but not for ports, since src.*.mk does not get installed into
/usr/share/mk. This is needed to change the PIE knob from make.conf(5)
to src.conf(5).
Obtained-from: @bdrewery <bdrewery@freebsd.org>
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit 5878050ccd01f7e105822997ad7c3c93a505a376
Merge: dad709a 2e9b0ff
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Mon Apr 11 11:47:40 2016 -0400
Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/pie
commit dad709ae80a8e29d1fb98d34514bc75e02483145
Merge: 0c3ce796 f2ee05d
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Sat Apr 9 12:40:01 2016 -0400
Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/pie
commit 0c3ce7963507a18ffd455f66023f97bdee52893f
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Sat Apr 9 09:59:51 2016 -0400
HBSD: Key off -static being in LDFLAGS.
Reported-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit 4846e3fe562bd531dc61e1ddc637f06e589ecd52
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Fri Apr 8 15:00:29 2016 -0400
HBSD: Also key off NOPIE when adding the PIC flag for libraries.
Some ports fail to link due to the aggressive PIEification of base.
Adding support for NOPIE in bsd.lib.mk will allow workarounds to be
placed in each port.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit d70919d3507757d215bd36b37d4ab04ecc96d0ab
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Fri Apr 8 11:08:32 2016 -0400
HBSD: Bump __HardenedBSD_version to 45.
For the PIEified base work.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit 84d8e20ebcd3c1bbd10c10b05a32f466da2154f8
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Fri Apr 8 10:59:29 2016 -0400
HBSD: Only enable PIEified base for amd64 and i386.
Compiling (nearly) all of base causes issues with booting arm64 (and
likely arm, but I haven't verified that, yet). As I learn the arm64
architecture, and as I learn its boot process and what code is
involved with that, PIEified base will make its debut on arm64. I'm
hoping to complete that during BSDCan.
With this commit, PIEified base can be considered complete on amd64
and i386.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit b2207b5036b7a1c3c626d6af6dd5d4825c760cee
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Thu Apr 7 09:33:27 2016 -0400
HBSD: Build shared toolchain by default.
Building a shared toolchain allows the toolchain to compile as PIEs.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit 4e7d3943adbeb45ee941a257c6d3a8dae1e309b9
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Wed Apr 6 22:39:17 2016 -0400
HBSD: Only force -fPIC for libs if MK_PIE is active.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit 1778a96ac539184dc4f45a9415c74ae07d35419f
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Wed Apr 6 22:36:06 2016 -0400
HBSD: Remove WANTS_PIE.
Now that all of base can be compiled as a PIE, do not use WANTS_PIE
for the select few applications that had it. Users can still disable
PIE support by setting WITHOUT_PIE in src.conf(5).
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit 573124785e4eb1f0dceb34000ec2acb2698fc390
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Wed Apr 6 21:30:46 2016 -0400
HBSD: Compile base as Position-Independent Executables (PIEs)
Enable compiling nearly all of base as PIEs. Only 24 applications
(listed below) do not get compiled as PIEs. This has been tested with
a default make.conf(5) and src.conf(5) on amd64. More testing is
needed, especially with custom make.conf(5) and src.conf(5) flags.
Applications that aren't compiled as PIEs:
/sbin/init.bak
/sbin/init
/sbin/devd
/usr/sbin/nologin
/usr/bin/gprof
/usr/bin/ar
/usr/bin/ld.bfd
/usr/bin/clang++
/usr/bin/lldb
/usr/bin/cc
/usr/bin/clang
/usr/bin/mkulzma
/usr/bin/ld
/usr/bin/c++
/usr/bin/clang-tblgen
/usr/bin/clang-cpp
/usr/bin/cpp
/usr/bin/as
/usr/bin/llvm-tblgen
/usr/bin/elfcopy
/usr/bin/tblgen
/usr/bin/ranlib
/usr/bin/ldd32
/usr/bin/make
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
2016-04-16 00:07:19 +02:00
|
|
|
[20160408] PIEified base for amd64 and i386
|
|
|
|
__HardenedBSD_version = 45
|
|
|
|
|
|
|
|
Remove WANTS_PIE.
|
|
|
|
Default PIE for base for amd64 and i386 only.
|
|
|
|
When PIE is enabled, compile non-static libraries with -fPIC.
|
|
|
|
Default WITH_SHARED_TOOLCHAIN to enabled by default.
|
|
|
|
|
2016-05-16 17:39:59 +02:00
|
|
|
If you encounter build problems during make buildworld,
|
|
|
|
try to clean the object files directory, which is typically
|
|
|
|
/usr/obj:
|
|
|
|
|
|
|
|
cd /usr/obj; rm -rf *
|
|
|
|
|
|
|
|
And retry to build the world. This will require due to not
|
|
|
|
proper cleaning mechanizm of FreeBSD's build framework.
|
|
|
|
|
HBSD: Introduce PIEified base.
Base is now able to compile as Position-Independent Executables (PIEs)
for amd64 and i386. Only a few applications are left as non-PIE. Some
applications, like /sbin/init, cannot be compiled as PIEs as they are
statically compiled.
This work has been tested on numerous machines, both on bare metal and
virtualized. Multiple package builds have run successfully.
PIEified base can be disabled for amd64 and i386 by setting
WITHOUT_PIE in src.conf(5) or enabled for other architectures by
setting WITH_PIE in src.conf(5). Since this is controlled by
src.conf(5), PIEified base does not affect out-of-tree builds of 3rd
party applications, like those found in the Ports tree.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
Hat-tip-to: Bryan Drewery <bdrewery@freebsd.org>
MFC-to: 10-STABLE
Squashed commit of the following:
commit 4a3e0fdbe8662aa1473bd323a2297e4573c13217
Merge: bea0b2c 83368e9
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Tue Apr 12 21:06:13 2016 -0400
Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/pie
commit bea0b2cfaf875cdf76bf32b1ff46ecccceb17517
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Tue Apr 12 21:01:11 2016 -0400
HBSD: Tidy up base PIEification.
Switch the PIE knob from make.conf(5) to src.conf(5). Add a
conditional surrounding the PIE logic to prevent Ports failures, since
Ports shares the host build framework (bsd.*.mk and friends). Document
why the extra conditional is needed.
PIEification is still opt-in per architecture, with support only for
amd64 and i386 at the moment. I'm hoping ARM and ARM64 support will
come at BSDCan.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit 1d066c70e146d77f2181549e6cf4751c0fe40da9
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Tue Apr 12 20:58:17 2016 -0400
HBSD: Optionally include src.opts.mk.
By using .sinclude, the build framework will utilize src.opts.mk for
base, but not for ports, since src.*.mk does not get installed into
/usr/share/mk. This is needed to change the PIE knob from make.conf(5)
to src.conf(5).
Obtained-from: @bdrewery <bdrewery@freebsd.org>
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit 5878050ccd01f7e105822997ad7c3c93a505a376
Merge: dad709a 2e9b0ff
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Mon Apr 11 11:47:40 2016 -0400
Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/pie
commit dad709ae80a8e29d1fb98d34514bc75e02483145
Merge: 0c3ce796 f2ee05d
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Sat Apr 9 12:40:01 2016 -0400
Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/pie
commit 0c3ce7963507a18ffd455f66023f97bdee52893f
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Sat Apr 9 09:59:51 2016 -0400
HBSD: Key off -static being in LDFLAGS.
Reported-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit 4846e3fe562bd531dc61e1ddc637f06e589ecd52
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Fri Apr 8 15:00:29 2016 -0400
HBSD: Also key off NOPIE when adding the PIC flag for libraries.
Some ports fail to link due to the aggressive PIEification of base.
Adding support for NOPIE in bsd.lib.mk will allow workarounds to be
placed in each port.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit d70919d3507757d215bd36b37d4ab04ecc96d0ab
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Fri Apr 8 11:08:32 2016 -0400
HBSD: Bump __HardenedBSD_version to 45.
For the PIEified base work.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit 84d8e20ebcd3c1bbd10c10b05a32f466da2154f8
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Fri Apr 8 10:59:29 2016 -0400
HBSD: Only enable PIEified base for amd64 and i386.
Compiling (nearly) all of base causes issues with booting arm64 (and
likely arm, but I haven't verified that, yet). As I learn the arm64
architecture, and as I learn its boot process and what code is
involved with that, PIEified base will make its debut on arm64. I'm
hoping to complete that during BSDCan.
With this commit, PIEified base can be considered complete on amd64
and i386.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit b2207b5036b7a1c3c626d6af6dd5d4825c760cee
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Thu Apr 7 09:33:27 2016 -0400
HBSD: Build shared toolchain by default.
Building a shared toolchain allows the toolchain to compile as PIEs.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit 4e7d3943adbeb45ee941a257c6d3a8dae1e309b9
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Wed Apr 6 22:39:17 2016 -0400
HBSD: Only force -fPIC for libs if MK_PIE is active.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit 1778a96ac539184dc4f45a9415c74ae07d35419f
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Wed Apr 6 22:36:06 2016 -0400
HBSD: Remove WANTS_PIE.
Now that all of base can be compiled as a PIE, do not use WANTS_PIE
for the select few applications that had it. Users can still disable
PIE support by setting WITHOUT_PIE in src.conf(5).
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
commit 573124785e4eb1f0dceb34000ec2acb2698fc390
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
Date: Wed Apr 6 21:30:46 2016 -0400
HBSD: Compile base as Position-Independent Executables (PIEs)
Enable compiling nearly all of base as PIEs. Only 24 applications
(listed below) do not get compiled as PIEs. This has been tested with
a default make.conf(5) and src.conf(5) on amd64. More testing is
needed, especially with custom make.conf(5) and src.conf(5) flags.
Applications that aren't compiled as PIEs:
/sbin/init.bak
/sbin/init
/sbin/devd
/usr/sbin/nologin
/usr/bin/gprof
/usr/bin/ar
/usr/bin/ld.bfd
/usr/bin/clang++
/usr/bin/lldb
/usr/bin/cc
/usr/bin/clang
/usr/bin/mkulzma
/usr/bin/ld
/usr/bin/c++
/usr/bin/clang-tblgen
/usr/bin/clang-cpp
/usr/bin/cpp
/usr/bin/as
/usr/bin/llvm-tblgen
/usr/bin/elfcopy
/usr/bin/tblgen
/usr/bin/ranlib
/usr/bin/ldd32
/usr/bin/make
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
2016-04-16 00:07:19 +02:00
|
|
|
|
2016-03-26 16:30:52 +01:00
|
|
|
[201603XX] noexec and ASLR changes
|
|
|
|
__HardenedBSD_version = 44
|
|
|
|
|
|
|
|
Fixed noexec's paxflags parser to get usable system on
|
|
|
|
bronen setups too.
|
|
|
|
Changed ASLR stack randomization settings on 32 machines.
|
|
|
|
|
2016-03-16 16:32:27 +01:00
|
|
|
[20160316] ASLR cleanup
|
|
|
|
__HardenedBSD_version = 43
|
|
|
|
|
|
|
|
Since the hardening.pax.aslr.*_len variables are no longer
|
|
|
|
available outside of loader.conf(5), remove them from
|
|
|
|
struct hbsd_features, which gets embedded in struct
|
|
|
|
prison. This change makes the hardening.pax.aslr.*_len
|
|
|
|
variables a global setting, rather than a per-jail setting.
|
|
|
|
|
|
|
|
|
2016-02-25 15:28:27 +01:00
|
|
|
[20160225] RTLD noexec
|
|
|
|
__HardenedBSD_version = 42
|
|
|
|
|
|
|
|
Enforce nonexec thread stacks, driven by the RTLD.
|
|
|
|
|
|
|
|
|
2016-02-25 15:31:06 +01:00
|
|
|
[20160213] rewritten internals
|
2016-02-13 18:58:50 +01:00
|
|
|
__HardenedBSD_version = 41
|
|
|
|
|
|
|
|
Changed hardenedBSD core structures.
|
|
|
|
Dropped ptrace_hardening.
|
|
|
|
Dropped ASLR bit settings.
|
|
|
|
Fixed hbsd_update_build bug.
|
|
|
|
Added skeleton file.
|
|
|
|
Changed feature strings.
|
|
|
|
Changed noexec implicit rules.
|
|
|
|
|
|
|
|
|
2016-02-25 15:31:06 +01:00
|
|
|
[20160123] add pax_get_hardenedbsd_version API
|
2016-01-23 23:12:52 +01:00
|
|
|
__HardenedBSD_version = 40
|
|
|
|
|
|
|
|
Add pax_get_hardenedbsd_version() API to query hardening's version
|
|
|
|
from kernel codes.
|
|
|
|
|
|
|
|
Add new types, which represents the PAX_FLAGS.
|
|
|
|
|
|
|
|
|
2015-12-25 22:52:52 +01:00
|
|
|
[20151225] redo rework internal structures
|
|
|
|
__HardenedBSD_version = 39
|
|
|
|
|
|
|
|
Change pax_get_prison(...) to pax_get_prison_td(...) where possible.
|
|
|
|
Fix one segvguard related issue.
|
|
|
|
Changed pax_elf signature.
|
|
|
|
|
|
|
|
We reverted this code in version 37, because we observed weird
|
|
|
|
issue, but this issues was unrelated to the reworked internals.
|
|
|
|
The true root of the problem was a secadm bug and the issue fixed
|
|
|
|
with version 38.
|
|
|
|
|
|
|
|
|
2015-12-18 22:48:25 +01:00
|
|
|
[20151218] reworked MAP_32BIT mmap randomization
|
|
|
|
__HardenedBSD_version = 38
|
|
|
|
|
|
|
|
Previously the MAP_32BIT case mmap randomization was an ASR,
|
|
|
|
to fix this and some other issue with the MAP_32BIT related
|
|
|
|
mmap, implement a proper ASLR.
|
|
|
|
|
|
|
|
Upstream fixed stability issues with higher order PID randomization
|
|
|
|
|
|
|
|
|
2015-12-10 21:07:17 +01:00
|
|
|
[20151208] revert the reworked internal structures
|
|
|
|
__HardenedBSD_version = 37
|
|
|
|
|
|
|
|
revert: Change pax_get_prison(...) to pax_get_prison_td(...) where possible.
|
|
|
|
revert: Changed pax_elf signature.
|
|
|
|
|
|
|
|
|
2015-12-06 22:48:59 +01:00
|
|
|
[20151206] rework internal structures
|
|
|
|
__HardenedBSD_version = 36
|
|
|
|
|
|
|
|
Change pax_get_prison(...) to pax_get_prison_td(...) where possible.
|
|
|
|
Change noexec's sysctl handlers.
|
|
|
|
Fix one segvguard related issue.
|
|
|
|
Fix randompid related issue.
|
|
|
|
Changed pax_elf signature.
|
|
|
|
|
|
|
|
|
2015-11-23 20:38:28 +01:00
|
|
|
[20151123] changed proc structure : added p_timekeep_base
|
|
|
|
__HardenedBSD_version = 35
|
|
|
|
|
|
|
|
Follow the recent VDSO changes from kib@.
|
|
|
|
This required to introduce new field to struct proc.
|
|
|
|
|
|
|
|
|
2015-10-18 15:32:44 +02:00
|
|
|
[20151018] disabled lib32 build by default
|
|
|
|
__HardenedBSD_version = 34
|
|
|
|
|
|
|
|
Do not build lib32 and 32bit related stuffs on 64bit platforms
|
|
|
|
by default.
|
|
|
|
|
|
|
|
|
2015-09-24 12:27:39 +02:00
|
|
|
[20150924] changed stack-protector level
|
|
|
|
__HardenedBSD_version = 33
|
|
|
|
|
|
|
|
Bump the default build settings from the --stack-protector
|
|
|
|
to --stack-protector-strong.
|
|
|
|
|
|
|
|
|
2015-09-15 12:45:08 +02:00
|
|
|
[20150915] ASLR changes
|
|
|
|
__HardenedBSD_version = 32
|
|
|
|
|
|
|
|
Changed default VDSO randomization from 20 bits to 28 bits.
|
|
|
|
Fixed div by zero in rare cases in pax_aslr_init_vmspace.
|
|
|
|
|
|
|
|
|
2015-09-07 16:09:23 +02:00
|
|
|
[20150907] Reworked DISALLOWMAP32BIT and changes some internal functions
|
|
|
|
__HardenedBSD_version = 31
|
|
|
|
|
|
|
|
Rename and correctly paxify the DISALLOWMAP32BIT.
|
|
|
|
Changed pax flags setup.
|
|
|
|
|
|
|
|
|
|
|
|
[20150905] Added MAP32_PROTECT
|
|
|
|
__HardenedBSD_version = 30
|
|
|
|
|
|
|
|
Added per-process mode to disable MAP_32BIT mode mmap(2).
|
|
|
|
|
|
|
|
|
2015-08-23 01:20:56 +02:00
|
|
|
[20150823] Fixed pkg bootstrap
|
|
|
|
__HardenedBSD_version = 29
|
|
|
|
|
|
|
|
With FreeBSD commit 671f0b9, use of pubkey signature_type method is explicitly disallowed.
|
|
|
|
This breaks bootstrapping with pubkey signature_type.
|
|
|
|
|
|
|
|
|
2015-07-15 02:37:58 +02:00
|
|
|
[20150715] Fixed vdso randomization
|
|
|
|
__HardenedBSD_version = 28
|
|
|
|
|
|
|
|
Fixed and simplified vdso and stack mapping.
|
|
|
|
|
|
|
|
|
2015-07-06 00:14:11 +02:00
|
|
|
[20150706] Added shared-page (vdso) randomization
|
|
|
|
__HardenedBSD_version = 27
|
|
|
|
|
|
|
|
This version brings in true stack randomization.
|
|
|
|
Changed ASLR settings:
|
|
|
|
vdso random : 20 bit
|
|
|
|
|
|
|
|
|
2015-07-01 03:11:36 +02:00
|
|
|
[20150701] Rewriten stack randomization, and bumped ASLR settings
|
|
|
|
__HardenedBSD_version = 26
|
|
|
|
|
|
|
|
This version brings in true stack randomization.
|
|
|
|
Changed ASLR settings:
|
|
|
|
stack random : 26 -> 42 bit
|
|
|
|
exec random : 21 -> 30 bit
|
|
|
|
|
|
|
|
|
2015-06-05 22:35:05 +02:00
|
|
|
[20150605] ASLR "rewrite" and NOEXEC fixes after jhb's vm_mmap.c changes
|
2015-07-01 03:11:36 +02:00
|
|
|
__HardenedBSD_version = 25
|
2015-06-05 22:35:05 +02:00
|
|
|
__HardenedBSD_version = 24
|
|
|
|
|
|
|
|
Move the mmap randomization to it's own place and add more state enforcements (KASSERTs).
|
|
|
|
Added locking around pax_aslr_mmap(...).
|
|
|
|
Factore out the MAP_32BIT related code from pax_aslr_mmap(...), and move to pax_aslr_mmap_map_32bit(...)
|
|
|
|
|
|
|
|
|
2015-06-04 16:32:33 +02:00
|
|
|
[20150604] fix ASLR - randomize the rtld's shared object too
|
|
|
|
__HardenedBSD_version = 23
|
|
|
|
|
|
|
|
Randomize the rtld's address before load them in imgact_elf.c
|
|
|
|
|
|
|
|
|
2015-06-04 02:29:35 +02:00
|
|
|
[20150604] added PAX_NOTE_{,NO}SHLIBRANDOM extension
|
|
|
|
__HardenedBSD_version = 22
|
|
|
|
|
|
|
|
This feature will fix the issue mentioned on issue #137
|
|
|
|
|
|
|
|
|
|
|
|
[20150528] Changed internal structure, removed hardening.pax.segvguard.debug sysctl
|
|
|
|
__HardenedBSD_version = 21
|
|
|
|
|
|
|
|
Changed internal structure
|
|
|
|
Removed hardening.pax.segvguard.debug sysctl
|
|
|
|
|
|
|
|
|
2015-04-17 02:05:33 +02:00
|
|
|
[20150415] Bumped stack randomization
|
|
|
|
__HardenedBSD_version = 20
|
|
|
|
|
|
|
|
Increased stack randomization from 20 bit to 26 bit.
|
|
|
|
|
|
|
|
|
|
|
|
[20150415] Fixed stack randomization
|
|
|
|
__HardenedBSD_version = 19
|
|
|
|
|
|
|
|
|
2015-04-08 23:00:37 +02:00
|
|
|
[20150408] How to get HardenedBSD and HardenedBSD-ports?
|
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
Without git/svnlite:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
HardenedBSD source:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
# fetch https://github.com/HardenedBSD/hardenedBSD/archive/hardened/current/master.tar.gz -o hardenedbsd-src.tar.gz
|
|
|
|
# tar xf hardenedbsd-src.tar.gz
|
|
|
|
# mv hardenedBSD-hardened-current-master /usr/src
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
HardenedBSD ports:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
# fetch https://github.com/HardenedBSD/freebsd-ports/archive/master.tar.gz -o hardenedbsd-ports.tar.gz
|
|
|
|
# tar xf hardenedbsd-ports.tar.gz
|
|
|
|
# mv freebsd-ports-master /usr/ports
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
Secadm:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
# fetch https://github.com/HardenedBSD/secadm/archive/master.tar.gz -o secadm.tar.gz
|
|
|
|
# tar xf secadm.tar.gz
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
With git:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
HardenedBSD-source:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
# git clone https://github.com/HardenedBSD/hardenedBSD.git /usr/src
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
HardenedBSD ports:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
# git clone https://github.com/HardenedBSD/freebsd-ports.git /usr/ports
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
Secadm:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
# git clone https://github.com/HardenedBSD/secadm.git
|
|
|
|
|
|
|
|
With svnlite (much more slower than git version):
|
|
|
|
|
|
|
|
HardenedBSD-source:
|
|
|
|
|
|
|
|
# svnlite co https://github.com/HardenedBSD/hardenedBSD.git /usr/src
|
|
|
|
|
|
|
|
HardenedBSD ports:
|
|
|
|
|
|
|
|
# svnlite co https://github.com/HardenedBSD/freebsd-ports.git /usr/ports
|
|
|
|
|
|
|
|
Secadm:
|
|
|
|
|
|
|
|
# svnlite co https://github.com/HardenedBSD/secadm.git
|
2015-04-08 23:00:37 +02:00
|
|
|
|
|
|
|
|
2015-04-08 22:46:43 +02:00
|
|
|
[20150404] Added secadm hook to rtld
|
|
|
|
__HardenedBSD_version = 18
|
|
|
|
|
|
|
|
Added integriforce secadm hook to rtld to validate
|
|
|
|
shared object before loading them.
|
|
|
|
|
|
|
|
|
2015-04-08 22:42:01 +02:00
|
|
|
[20150318] Merged first part of NOEXEC project
|
2015-04-08 22:46:43 +02:00
|
|
|
__HardenedBSD_version = 17
|
2015-04-08 22:42:01 +02:00
|
|
|
|
|
|
|
This is the first part of PaX's MPROTECT restriction:
|
|
|
|
* this merge brings per process level restriction settings
|
|
|
|
* eliminated the linux's sound related mmap weakness
|
|
|
|
* improved the logging
|
|
|
|
...
|
|
|
|
|
|
|
|
If you have problem with your application, then install
|
|
|
|
secadm:
|
|
|
|
|
|
|
|
* from pkg:
|
|
|
|
|
|
|
|
pkg install secadm
|
|
|
|
|
|
|
|
* or from github:
|
|
|
|
|
|
|
|
# git clone https://github.com/hardenedbsd/secadm
|
|
|
|
# cd secadm
|
|
|
|
# make && make install
|
|
|
|
|
|
|
|
|
2015-02-12 00:57:24 +01:00
|
|
|
[201502011] Changed kernel knobs
|
|
|
|
|
|
|
|
Added ``options PAX`` to enable the HardenedBSD framework.
|
|
|
|
All other PAX_* knob depends on PAX knob.
|
|
|
|
|
|
|
|
|
|
|
|
[20150131] Upgrading from systems before "HBSD: Revert the chacha20 import in full."
|
|
|
|
|
2015-02-12 23:11:43 +01:00
|
|
|
After the "HBSD: Revert the chacha20 import in full." commit
|
|
|
|
we lost the compatibility with the previous version, this
|
|
|
|
means ABI break, and the system is unable to properly boot.
|
|
|
|
In the background is the removed VM_INHERIT_ZERO flag, which
|
|
|
|
was previously used in libc.
|
2015-02-12 00:57:24 +01:00
|
|
|
|
|
|
|
The solution is to install the new world, before you booting to the new kernel.
|
|
|
|
|
|
|
|
1. make buildworld kernel
|
|
|
|
2. IMPORTANT: install world before you reboot
|
2015-02-12 23:11:43 +01:00
|
|
|
2.1. mergemaster -p && make installworld && mergemaster
|
2015-02-12 00:57:24 +01:00
|
|
|
3. reboot
|
|
|
|
4. start in single user mode
|
|
|
|
5. cd /usr/src
|
|
|
|
6. make delete-old delete-old-libs
|
2015-02-12 23:11:43 +01:00
|
|
|
7. if you have buildworld or buildkernel error,
|
|
|
|
where the cc aborting and dumping core,
|
|
|
|
then you need to delete the content of /usr/obj directory:
|
|
|
|
7.1 cd /usr/obj
|
|
|
|
7.2 rm -rf *
|
2015-02-12 00:57:24 +01:00
|
|
|
|
|
|
|
And probably a full ports rebuild required too...
|
|
|
|
|