2015-09-07 16:09:23 +02:00
|
|
|
[20150907] Reworked DISALLOWMAP32BIT and changes some internal functions
|
|
|
|
|
__HardenedBSD_version = 31
|
|
|
|
|
|
|
|
|
|
Rename and correctly paxify the DISALLOWMAP32BIT.
|
|
|
|
|
Changed pax flags setup.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[20150905] Added MAP32_PROTECT
|
|
|
|
|
__HardenedBSD_version = 30
|
|
|
|
|
|
|
|
|
|
Added per-process mode to disable MAP_32BIT mode mmap(2).
|
|
|
|
|
|
|
|
|
|
|
2015-08-23 01:20:56 +02:00
|
|
|
[20150823] Fixed pkg bootstrap
|
|
|
|
|
__HardenedBSD_version = 29
|
|
|
|
|
|
|
|
|
|
With FreeBSD commit 671f0b9, use of pubkey signature_type method is explicitly disallowed.
|
|
|
|
|
This breaks bootstrapping with pubkey signature_type.
|
|
|
|
|
|
|
|
|
|
|
2015-07-15 02:37:58 +02:00
|
|
|
[20150715] Fixed vdso randomization
|
|
|
|
|
__HardenedBSD_version = 28
|
|
|
|
|
|
|
|
|
|
Fixed and simplified vdso and stack mapping.
|
|
|
|
|
|
|
|
|
|
|
2015-07-06 00:14:11 +02:00
|
|
|
[20150706] Added shared-page (vdso) randomization
|
|
|
|
|
__HardenedBSD_version = 27
|
|
|
|
|
|
|
|
|
|
This version brings in true stack randomization.
|
|
|
|
|
Changed ASLR settings:
|
|
|
|
|
vdso random : 20 bit
|
|
|
|
|
|
|
|
|
|
|
2015-07-01 03:11:36 +02:00
|
|
|
[20150701] Rewriten stack randomization, and bumped ASLR settings
|
|
|
|
|
__HardenedBSD_version = 26
|
|
|
|
|
|
|
|
|
|
This version brings in true stack randomization.
|
|
|
|
|
Changed ASLR settings:
|
|
|
|
|
stack random : 26 -> 42 bit
|
|
|
|
|
exec random : 21 -> 30 bit
|
|
|
|
|
|
|
|
|
|
|
2015-06-05 22:35:05 +02:00
|
|
|
[20150605] ASLR "rewrite" and NOEXEC fixes after jhb's vm_mmap.c changes
|
2015-07-01 03:11:36 +02:00
|
|
|
__HardenedBSD_version = 25
|
2015-06-05 22:35:05 +02:00
|
|
|
__HardenedBSD_version = 24
|
|
|
|
|
|
|
|
|
|
Move the mmap randomization to it's own place and add more state enforcements (KASSERTs).
|
|
|
|
|
Added locking around pax_aslr_mmap(...).
|
|
|
|
|
Factore out the MAP_32BIT related code from pax_aslr_mmap(...), and move to pax_aslr_mmap_map_32bit(...)
|
|
|
|
|
|
|
|
|
|
|
2015-06-04 16:32:33 +02:00
|
|
|
[20150604] fix ASLR - randomize the rtld's shared object too
|
|
|
|
|
__HardenedBSD_version = 23
|
|
|
|
|
|
|
|
|
|
Randomize the rtld's address before load them in imgact_elf.c
|
|
|
|
|
|
|
|
|
|
|
2015-06-04 02:29:35 +02:00
|
|
|
[20150604] added PAX_NOTE_{,NO}SHLIBRANDOM extension
|
|
|
|
|
__HardenedBSD_version = 22
|
|
|
|
|
|
|
|
|
|
This feature will fix the issue mentioned on issue #137
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[20150528] Changed internal structure, removed hardening.pax.segvguard.debug sysctl
|
|
|
|
|
__HardenedBSD_version = 21
|
|
|
|
|
|
|
|
|
|
Changed internal structure
|
|
|
|
|
Removed hardening.pax.segvguard.debug sysctl
|
|
|
|
|
|
|
|
|
|
|
2015-04-17 02:05:33 +02:00
|
|
|
[20150415] Bumped stack randomization
|
|
|
|
|
__HardenedBSD_version = 20
|
|
|
|
|
|
|
|
|
|
Increased stack randomization from 20 bit to 26 bit.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[20150415] Fixed stack randomization
|
|
|
|
|
__HardenedBSD_version = 19
|
|
|
|
|
|
|
|
|
|
|
2015-04-08 23:00:37 +02:00
|
|
|
[20150408] How to get HardenedBSD and HardenedBSD-ports?
|
|
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
Without git/svnlite:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
HardenedBSD source:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
# fetch https://github.com/HardenedBSD/hardenedBSD/archive/hardened/current/master.tar.gz -o hardenedbsd-src.tar.gz
|
|
|
|
|
# tar xf hardenedbsd-src.tar.gz
|
|
|
|
|
# mv hardenedBSD-hardened-current-master /usr/src
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
HardenedBSD ports:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
# fetch https://github.com/HardenedBSD/freebsd-ports/archive/master.tar.gz -o hardenedbsd-ports.tar.gz
|
|
|
|
|
# tar xf hardenedbsd-ports.tar.gz
|
|
|
|
|
# mv freebsd-ports-master /usr/ports
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
Secadm:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
# fetch https://github.com/HardenedBSD/secadm/archive/master.tar.gz -o secadm.tar.gz
|
|
|
|
|
# tar xf secadm.tar.gz
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
With git:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
HardenedBSD-source:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
# git clone https://github.com/HardenedBSD/hardenedBSD.git /usr/src
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
HardenedBSD ports:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
# git clone https://github.com/HardenedBSD/freebsd-ports.git /usr/ports
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
Secadm:
|
2015-04-08 23:00:37 +02:00
|
|
|
|
2015-06-29 17:29:57 +02:00
|
|
|
# git clone https://github.com/HardenedBSD/secadm.git
|
|
|
|
|
|
|
|
|
|
With svnlite (much more slower than git version):
|
|
|
|
|
|
|
|
|
|
HardenedBSD-source:
|
|
|
|
|
|
|
|
|
|
# svnlite co https://github.com/HardenedBSD/hardenedBSD.git /usr/src
|
|
|
|
|
|
|
|
|
|
HardenedBSD ports:
|
|
|
|
|
|
|
|
|
|
# svnlite co https://github.com/HardenedBSD/freebsd-ports.git /usr/ports
|
|
|
|
|
|
|
|
|
|
Secadm:
|
|
|
|
|
|
|
|
|
|
# svnlite co https://github.com/HardenedBSD/secadm.git
|
2015-04-08 23:00:37 +02:00
|
|
|
|
|
|
|
|
|
2015-04-08 22:46:43 +02:00
|
|
|
[20150404] Added secadm hook to rtld
|
|
|
|
|
__HardenedBSD_version = 18
|
|
|
|
|
|
|
|
|
|
Added integriforce secadm hook to rtld to validate
|
|
|
|
|
shared object before loading them.
|
|
|
|
|
|
|
|
|
|
|
2015-04-08 22:42:01 +02:00
|
|
|
[20150318] Merged first part of NOEXEC project
|
2015-04-08 22:46:43 +02:00
|
|
|
__HardenedBSD_version = 17
|
2015-04-08 22:42:01 +02:00
|
|
|
|
|
|
|
|
This is the first part of PaX's MPROTECT restriction:
|
|
|
|
|
* this merge brings per process level restriction settings
|
|
|
|
|
* eliminated the linux's sound related mmap weakness
|
|
|
|
|
* improved the logging
|
|
|
|
|
...
|
|
|
|
|
|
|
|
|
|
If you have problem with your application, then install
|
|
|
|
|
secadm:
|
|
|
|
|
|
|
|
|
|
* from pkg:
|
|
|
|
|
|
|
|
|
|
pkg install secadm
|
|
|
|
|
|
|
|
|
|
* or from github:
|
|
|
|
|
|
|
|
|
|
# git clone https://github.com/hardenedbsd/secadm
|
|
|
|
|
# cd secadm
|
|
|
|
|
# make && make install
|
|
|
|
|
|
|
|
|
|
|
2015-02-12 00:57:24 +01:00
|
|
|
[201502011] Changed kernel knobs
|
|
|
|
|
|
|
|
|
|
Added ``options PAX`` to enable the HardenedBSD framework.
|
|
|
|
|
All other PAX_* knob depends on PAX knob.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[20150131] Upgrading from systems before "HBSD: Revert the chacha20 import in full."
|
|
|
|
|
|
2015-02-12 23:11:43 +01:00
|
|
|
After the "HBSD: Revert the chacha20 import in full." commit
|
|
|
|
|
we lost the compatibility with the previous version, this
|
|
|
|
|
means ABI break, and the system is unable to properly boot.
|
|
|
|
|
In the background is the removed VM_INHERIT_ZERO flag, which
|
|
|
|
|
was previously used in libc.
|
2015-02-12 00:57:24 +01:00
|
|
|
|
|
|
|
|
The solution is to install the new world, before you booting to the new kernel.
|
|
|
|
|
|
|
|
|
|
1. make buildworld kernel
|
|
|
|
|
2. IMPORTANT: install world before you reboot
|
2015-02-12 23:11:43 +01:00
|
|
|
2.1. mergemaster -p && make installworld && mergemaster
|
2015-02-12 00:57:24 +01:00
|
|
|
3. reboot
|
|
|
|
|
4. start in single user mode
|
|
|
|
|
5. cd /usr/src
|
|
|
|
|
6. make delete-old delete-old-libs
|
2015-02-12 23:11:43 +01:00
|
|
|
7. if you have buildworld or buildkernel error,
|
|
|
|
|
where the cc aborting and dumping core,
|
|
|
|
|
then you need to delete the content of /usr/obj directory:
|
|
|
|
|
7.1 cd /usr/obj
|
|
|
|
|
7.2 rm -rf *
|
2015-02-12 00:57:24 +01:00
|
|
|
|
|
|
|
|
And probably a full ports rebuild required too...
|
|
|
|
|
|
