2015-04-17 02:05:33 +02:00
[20150415] Bumped stack randomization

__HardenedBSD_version = 20

Increased stack randomization from 20 bits to 26 bits.

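To check what a given kernel actually delivers, the following program measures the randomized stack bits empirically. It is an added example, not HardenedBSD project code; the file name stackbits and the --report flag are the example's own conventions. It re-executes itself N times, collects the address of a stack variable from each fresh process, and reports how many address bits were ever seen to differ. Only execve() gives a process a new stack base, so a plain fork() loop would report 0 bits; the count is also a lower bound, since a bit that never flipped in N samples is not counted.

```c
/*
 * Added example, not HardenedBSD project code: estimate how many bits of the
 * userland stack address are randomized on the running system.  The parent
 * re-executes itself N times; each child writes the address of a local
 * variable to a pipe, and the parent ORs the XOR of every sample against the
 * first one, so every set bit in the mask was seen to change at least once.
 * Build and run:  cc -o stackbits stackbits.c && ./stackbits 4096
 */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* OR of (sample XOR first sample): a set bit is one observed to vary. */
uintptr_t varying_mask(const uintptr_t *addrs, size_t n)
{
    uintptr_t mask = 0;
    for (size_t i = 1; i < n; i++)
        mask |= addrs[i] ^ addrs[0];
    return mask;
}

/* Number of set bits in a mask, i.e. the observed randomized-bit count. */
int popcount_bits(uintptr_t mask)
{
    int count = 0;
    for (; mask != 0; mask &= mask - 1)
        count++;
    return count;
}

/* Child mode: report the address of a stack variable on stdout. */
static int child_report(void)
{
    volatile int marker = 0;            /* lives on this process's stack */
    uintptr_t addr = (uintptr_t)&marker;
    return write(STDOUT_FILENO, &addr, sizeof addr) == (ssize_t)sizeof addr ? 0 : 1;
}

/* Run one fresh image of ourselves (fork + exec) and collect its address. */
static int sample_one(const char *self, uintptr_t *out)
{
    int fd[2], status = 0;
    if (pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fd[0]);
        if (dup2(fd[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(fd[1]);
        execlp(self, self, "--report", (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    close(fd[1]);
    ssize_t got = read(fd[0], out, sizeof *out);
    close(fd[0]);
    if (waitpid(pid, &status, 0) < 0 || got != (ssize_t)sizeof *out)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc == 2 && strcmp(argv[1], "--report") == 0)
        return child_report();

    size_t n = (argc > 1) ? (size_t)strtoul(argv[1], NULL, 10) : 2048;
    if (n < 2 || n > 1000000)
        n = 2048;
    uintptr_t *addrs = calloc(n, sizeof *addrs);
    if (addrs == NULL)
        return 1;
    for (size_t i = 0; i < n; i++) {
        if (sample_one(argv[0], &addrs[i]) != 0) {
            fprintf(stderr, "sample %zu failed\n", i);
            free(addrs);
            return 1;
        }
    }
    uintptr_t mask = varying_mask(addrs, n);
    printf("%zu samples: %d stack address bits vary (mask 0x%jx)\n",
           n, popcount_bits(mask), (uintmax_t)mask);
    free(addrs);
    return 0;
}
```

The printed mask shows which bit positions moved, so the page-offset bits and the high bits of the randomized range can be read off directly; compare the count against the 26 bits this entry announces, and against the 20 bits of a kernel from before it.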

[20150415] Fixed stack randomization

__HardenedBSD_version = 19


[20150408] How to get HardenedBSD and HardenedBSD-ports?

Without git:

HardenedBSD source:

# fetch https://github.com/HardenedBSD/hardenedBSD/archive/hardened/current/master.tar.gz -o hardenedbsd-src.tar.gz
# tar xf hardenedbsd-src.tar.gz
# mv hardenedBSD-hardened-current-master /usr/src

HardenedBSD ports:

# fetch https://github.com/HardenedBSD/freebsd-ports/archive/master.tar.gz -o hardenedbsd-ports.tar.gz
# tar xf hardenedbsd-ports.tar.gz
# mv freebsd-ports-master /usr/ports

Secadm:

# fetch https://github.com/HardenedBSD/secadm/archive/master.tar.gz -o secadm.tar.gz
# tar xf secadm.tar.gz

With git:

HardenedBSD source:

# git clone https://github.com/HardenedBSD/hardenedBSD.git /usr/src

HardenedBSD ports:

# git clone https://github.com/HardenedBSD/freebsd-ports.git /usr/ports

Secadm:

# git clone https://github.com/HardenedBSD/secadm.git

Note that git clone refuses to populate an existing, non-empty /usr/src or
/usr/ports: move the old tree aside first.


[20150404] Added secadm hook to rtld

__HardenedBSD_version = 18

Added the Integriforce secadm hook to rtld to validate
shared objects before loading them.


[20150318] Merged first part of NOEXEC project

__HardenedBSD_version = 17

This is the first part of PaX's MPROTECT restriction:

* this merge brings per-process restriction settings
* eliminated the Linux sound-related mmap weakness
* improved the logging
...

If you have problems with an application, install secadm:

* from pkg:

# pkg install secadm

* or from github:

# git clone https://github.com/hardenedbsd/secadm
# cd secadm
# make && make install

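The restriction is per process, so the useful check is to run the same binary with and without a secadm exception and see what the kernel refuses. The probe below is an added example, not HardenedBSD or secadm code; the file name wxprobe and the operation names in its output are the example's own. It attempts the three operations a W^X policy is meant to refuse (a writable-and-executable mapping, a writable page being made executable, an executable page being made writable) and returns a bitmask of the ones the kernel rejected. Which transitions a given kernel refuses depends on its exact NOEXEC policy, so the probe reports rather than assumes; on a stock FreeBSD or Linux system it returns 0.

```c
/*
 * Added example, not HardenedBSD project code: probe which W^X
 * (PaX MPROTECT / HardenedBSD NOEXEC) restrictions the kernel enforces on
 * the calling process.  Each probe attempts one operation the restriction
 * exists to refuse and records it in a bitmask if the kernel said no.
 * Build and run:  cc -o wxprobe wxprobe.c && ./wxprobe
 */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

enum {
    REFUSED_MMAP_RWX          = 1 << 0, /* mmap() with PROT_WRITE|PROT_EXEC refused */
    REFUSED_MPROTECT_RW_TO_RX = 1 << 1, /* writable page could not gain PROT_EXEC */
    REFUSED_MPROTECT_RX_TO_RW = 1 << 2, /* executable page could not gain PROT_WRITE */
};

static size_t page_size(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

/* Try each operation once and return the bitmask of refusals. */
int probe_wx_restrictions(void)
{
    int refused = 0;
    size_t ps = page_size();
    void *p;

    /* 1. Ask for memory that is writable and executable at the same time. */
    p = mmap(NULL, ps, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        refused |= REFUSED_MMAP_RWX;
    else
        munmap(p, ps);

    /* 2. Stage bytes in a writable page, then try to make it executable:
     *    the pattern JITs and shellcode loaders share.  Nothing is executed. */
    p = mmap(NULL, ps, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p != MAP_FAILED) {
        memset(p, 0xc3, 16);
        if (mprotect(p, ps, PROT_READ | PROT_EXEC) != 0)
            refused |= REFUSED_MPROTECT_RW_TO_RX;
        munmap(p, ps);
    }

    /* 3. The reverse: open an executable page up for writing. */
    p = mmap(NULL, ps, PROT_READ | PROT_EXEC, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p != MAP_FAILED) {
        if (mprotect(p, ps, PROT_READ | PROT_WRITE) != 0)
            refused |= REFUSED_MPROTECT_RX_TO_RW;
        munmap(p, ps);
    }
    return refused;
}

/* Render the bitmask as a comma-separated list, "none" when nothing was refused. */
const char *describe_refusals(int refused, char *buf, size_t len)
{
    static const struct { int bit; const char *name; } names[] = {
        { REFUSED_MMAP_RWX,          "mmap-rwx" },
        { REFUSED_MPROTECT_RW_TO_RX, "mprotect-rw-to-rx" },
        { REFUSED_MPROTECT_RX_TO_RW, "mprotect-rx-to-rw" },
    };
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(refused & names[i].bit))
            continue;
        int w = snprintf(buf + used, len - used, "%s%s", used ? "," : "", names[i].name);
        if (w < 0 || (size_t)w >= len - used)
            break;                       /* truncated: stop appending */
        used += (size_t)w;
    }
    if (used == 0)
        snprintf(buf, len, "none");
    return buf;
}

int main(void)
{
    char buf[64];
    int refused = probe_wx_restrictions();
    printf("refused operations: %s (mask 0x%x)\n",
           describe_refusals(refused, buf, sizeof buf), refused);
    return 0;
}
```

If an application that fails under the restriction is a JIT or plugin host, case 2 is normally the one it trips over; running the probe under the same secadm rule as the application confirms the exception was applied to the right binary before digging further.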

[20150211] Changed kernel knobs

Added ``options PAX`` to enable the HardenedBSD framework.
All other PAX_* knobs depend on the PAX knob.


[20150131] Upgrading from systems before "HBSD: Revert the chacha20 import in full."

After the "HBSD: Revert the chacha20 import in full." commit
we lost compatibility with the previous version: this is an
ABI break, and the system is unable to boot properly.
The cause is the removed VM_INHERIT_ZERO flag, which
was previously used by libc.

The solution is to install the new world before you boot the new kernel.

1. make buildworld kernel
2. IMPORTANT: install world before you reboot
2.1. mergemaster -p && make installworld && mergemaster
3. reboot
4. start in single user mode
5. cd /usr/src
6. make delete-old delete-old-libs
7. if buildworld or buildkernel fails with cc aborting and dumping core,
   delete the contents of the /usr/obj directory:
7.1 cd /usr/obj
7.2 rm -rf *

A full ports rebuild is probably required too.