mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-24 19:21:38 +01:00
9017fcbd32
Following adding support for prohibiting new USB connections. Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org> issue: #88 MFC-to: NEVER
703 lines
21 KiB
Plaintext
703 lines
21 KiB
Plaintext
[20240124] Provide mechanism to disable new USB connections
|
|
__HardenedBSD_version = 1500001
|
|
|
|
HBSD: Provide support for prohibiting new USB device connections
|
|
|
|
This commit introduces the hardening.pax.prohibit_new_usb sysctl
|
|
tunable node. This node can be set to one of three values:
|
|
|
|
0: Disabled
|
|
1: Enabled
|
|
2: Enabled without possibility to disable
|
|
|
|
When set to 2, a reboot is required to end the prohibition on new USB
|
|
connections.
|
|
|
|
This is based on a patch by Loic F <loic.f@hardenedbsd.org>.
|
|
|
|
[20230826] Catch up with FreeBSD version bump to 15
|
|
__HardenedBSD_version = 1500000
|
|
|
|
HBSD: Now that __FreeBSD_version is 1500000, let's bump up
|
|
__HardenedBSD_version to reflect major version bump to 15.
|
|
|
|
[20230621] Further restrict ptrace access to capsicumized processes
|
|
__HardenedBSD_version = 1400005
|
|
|
|
HBSD: Further restrict ptrace access targeting capsicumized processes
|
|
|
|
Prevent capsicumized processes from being ptraced. Introduce a new
|
|
4-state per-jail sysctl node, hardening.prohibit_ptrace_capsicum,
|
|
defaulted to process opt-out (2). Introduce a new hbsdcontrol knob,
|
|
prohibit_ptrace_capsicum, to toggle the feature on a per-application
|
|
basis.
|
|
|
|
The intent behind this change is to make post-exploitation tasks more
|
|
difficult. Abusing ptrace to inject code or to perform process hollowing
|
|
is commonplace.
|
|
|
|
[20230528] Introduce shared memory (SHM) hardening
|
|
__HardenedBSD_version = 1400004
|
|
|
|
SHM hardening places restrictions on what can be done with the shared
|
|
memory subsystem (see `shm_open(2)`.) This feature is launching with
|
|
one technique:
|
|
|
|
Use of `shm_open(2)/__sys_shm_open2` system calls is prohibited when:
|
|
|
|
1. The `hardening.harden_shm` sysctl tunable is enabled;
|
|
2. The process has not opted out of the feature;
|
|
3. The process has entered capability mode (aka, Capsicum mode)
|
|
|
|
[20220610] Introduce Trusted Path Execution (TPE)
|
|
__HardenedBSD_version = 1400003
|
|
|
|
TPE limits the scope of what files can be executed. By default, TPE is
|
|
left disabled, but can be enabled via the `hardening.pax.tpe.status`
|
|
sysctl tunable.
|
|
|
|
When enabled, TPE will check the to-be-executed file's parent directory
|
|
to determine whether the directory is owned by the caller and is
|
|
writable to users/groups other than the owner.
|
|
|
|
The above logic is only run when:
|
|
|
|
1. The hardening.pax.tpe.all sysctl tunable is non-zero;
|
|
2. The user's primary group is the group specified in the
|
|
hardening.pax.tpe.gid group;
|
|
3. When the hardening.pax.tpe.negate sysctl tunable is non-zero, the
|
|
user's primary group is *NOT* the group specified in the
|
|
hardening.pax.tpe.gid group.
|
|
|
|
[20220406] Introduce insecure kernel module hardening
|
|
__HardenedBSD_version = 1400002
|
|
|
|
Provide support for marking certain kernel modules with a
|
|
notion of insecure or untrustworthy. Introduce a new hardening
|
|
sysctl tunable: hardening.insecure_kmod (default to 0, meaning
|
|
loading insecure kernel modules is prohibited by default.)
|
|
|
|
[20210528] Introduce LTO libs on amd64
|
|
__HardenedBSD_version = 1400001
|
|
|
|
As an initial first step towards supporting Cross-DSO CFI,
|
|
build both static and shared libraries with LTO.
|
|
|
|
[20200221] Removal of LibreSSL and OpenNTPD
|
|
__HardenedBSD_version = 1300061
|
|
|
|
LibreSSL and OpenNTPD were removed from the HardenedBSD base
|
|
system. Users who set WITH_LIBRESSL or WITH_OPENNTPD will need
|
|
to rebuild ports.
|
|
|
|
[20191214] Jail parameter: {no}allow.extattr
|
|
__HardenedBSD_version = 1300060
|
|
|
|
Provide a new jail configuration parameter: allow.extattr (and
|
|
noallow.extattr). Default: allow.
|
|
Allow setting system-level filesystem extended attributes by
|
|
default in a jailed environment.
|
|
|
|
Change the default system behavior to be more relaxed. Prior
|
|
to this change, privileged accounts in a jail could not set
|
|
system-level filesystem extended attributes. This change now
|
|
enables that ability by default.
|
|
|
|
This is in preparation for hbsdcontrol integration with
|
|
ports/packages.
|
|
|
|
[20191019] FreeBSD ASR with HardenedBSD ASLR
|
|
__HardenedBSD_version = 1300059
|
|
|
|
FreeBSD merged in their incomplete Address Space Randomization
|
|
(ASR) patch. Undo the reversion of the ASR patch and rely on
|
|
HardenedBSD's PaX ASLR implementation for the stack and shared
|
|
page when FreeBSD's ASR is enabled.
|
|
|
|
FreeBSD's ASR is disabled by default, but can be enabled at
|
|
runtime by setting the `kern.elf64.aslr.pie_enable` and
|
|
`kern.elf64.aslr.enable` sysctl nodes to 1. If HardenedBSD's
|
|
`hardening.pax.aslr.status' sysctl node is greater than or
|
|
equal to 2, the PaX ASLR implementation will only be in effect
|
|
for the stack and the shared page.
|
|
|
|
|
|
[20181019] shift to FreeBSD 13-CURRENT
|
|
__HardenedBSD_version = 1300058
|
|
|
|
FreeBSD started 13-CURRENT, do the same here.
|
|
|
|
|
|
[20180701] OpenSSL
|
|
__HardenedBSD_version = 1200058
|
|
|
|
Switch back to OpenSSL as the default crypto library in base.
|
|
|
|
|
|
[20180123] retpoline
|
|
__HardenedBSD_version = 1200057
|
|
|
|
Integrated the retpoline patch from llvm. The object
|
|
tree should be removed fully prior to rebuilding
|
|
world/kernel.
|
|
|
|
[20180103] PAX_JAIL_SUPPORT
|
|
__HardenedBSD_version = 1200056
|
|
|
|
Added infrastructure to change hardening settings at
|
|
jail creating time. You can use the same "mibs" as
|
|
jail params, which exists under the hardening sysctl
|
|
leaf. See the example jail.conf sniplet:
|
|
|
|
exec.start = "/bin/sh /etc/rc";
|
|
exec.stop = "/bin/sh /etc/rc.shutdown";
|
|
exec.clean;
|
|
mount.devfs;
|
|
|
|
path = "/usr/jails/$name";
|
|
host.hostname = "$name";
|
|
|
|
hbsdnx {
|
|
hardening.pax.segvguard.status = 3;
|
|
hardening.pax.mprotect.status = 3;
|
|
hardening.pax.pageexec.status = 3;
|
|
hardening.pax.aslr.status = 3;
|
|
persist;
|
|
}
|
|
|
|
In the current implementation the settings are still
|
|
modifiable via sysctls inside from the jail, but this
|
|
will change in the future. The same is true for the
|
|
nested jails.
|
|
|
|
|
|
[20170914] TOCTOU fix, PAX_CONTROL_{ACL,EXTATTR}
|
|
__HardenedBSD_version = 1200055
|
|
|
|
hbsdcontrol
|
|
-----------------------------------------------------------------------
|
|
The hbsdcontrol subsystem is an extattr(9) based control pane for
|
|
HardenedBSD's security settings.
|
|
|
|
Currently only the system namespace supported. (The FreeBSD's extattr
|
|
subsystem has two namespace: system and user. The system namespace is
|
|
writeable only from non-jail root user, the user namespace is writeable
|
|
from all users.)
|
|
This means only the root can assign rules to specific file. The other
|
|
restriction is similar, only from the host is allowed to set rules to
|
|
specific file, and prohibited a such operation from jails, for jail's
|
|
root user too prohibited.
|
|
|
|
To enable the hbsdcontrol subsystem, you should add the
|
|
|
|
options PAX_CONTROL_EXTATTR
|
|
|
|
kernel knob to your kernel config.
|
|
|
|
The hbsdcontrol subsystem use the following extended attributes:
|
|
|
|
hbsd.pax.aslr
|
|
hbsd.pax.noaslr
|
|
hbsd.pax.segvguard
|
|
hbsd.pax.nosegvguard
|
|
hbsd.pax.pageexec
|
|
hbsd.pax.nopageexec
|
|
hbsd.pax.mprotect
|
|
hbsd.pax.nomprotect
|
|
hbsd.pax.shlibrandom
|
|
hbsd.pax.noshlibrandom
|
|
hbsd.pax.disallow_map32bit
|
|
hbsd.pax.nodisallow_map32bit
|
|
|
|
Valid values are only the 0 (= disabled) and 1 (= enabled).
|
|
Valid settings are the following in system FS-EA namespace (with the ASLR
|
|
example, the same is true for the other settings):
|
|
|
|
* no hbsd.pax.aslr, nor hbsd.pax.noaslr assigned to the file -> system default
|
|
* hbsd.pax.aslr = 1 and hbsd.pax.noaslr = 0 -> enabled ASLR
|
|
* hbsd.pax.aslr = 0 and hbsd.pax.noaslr = 1 -> disabled ASLR
|
|
* hbsd.pax.aslr = 0 and hbsd.pax.noaslr = 0 -> invalid, warning message + execution error
|
|
* hbsd.pax.aslr = 1 and hbsd.pax.noaslr = 1 -> invalid, warning message + execution error
|
|
|
|
Attributes in user namespace are ignored.
|
|
|
|
TOCTOU fix, PAX_ACL
|
|
-----------------------------------------------------------------------
|
|
As preparation to hbsdcontrol, and to clean up the whole control logic
|
|
there is some new kernel knob:
|
|
|
|
* PAX_CONTROL_ACL
|
|
* PAX_CONTROL_ACL_OVERRIDE_SUPPORT
|
|
* PAX_CONTROL_EXTATTR
|
|
|
|
If you want to use the external secadm utility to manage hardenedbsd's
|
|
security features, then you should add
|
|
|
|
options PAX_CONTROL_ACL
|
|
|
|
to your kernel config.
|
|
|
|
If you want to use the extattr(9) based hbsdcontrol, you should add
|
|
the
|
|
|
|
options PAX_CONTROL_EXTATTR
|
|
|
|
kernel knob.
|
|
|
|
If you want to use both hbsdcontrol and secadm, and it's nice to add
|
|
|
|
option PAX_CONTROL_ACL_OVERRIDE_SUPPORT
|
|
|
|
too. This is nice in very special case, when you set rules both
|
|
from hbsdcontrol and from secadm on the _same_ file. By default
|
|
always the hbsdcontrol wins this situation, and what was set up
|
|
by hbsdcontrol gets applied as policy. To override this behavior
|
|
you can add a special flag in you secadm conf to override this
|
|
behavior. For more details consult with secadm's source code /
|
|
readme / man page.
|
|
|
|
|
|
[20170914] Changed auxvector after e5ea82a50dd64a3e47767b132a16281242ff396d
|
|
__HardenedBSD_version = 1200054
|
|
|
|
After the following commit:
|
|
|
|
> commit e5ea82a50dd64a3e47767b132a16281242ff396d
|
|
> Author: jhb <jhb@FreeBSD.org>
|
|
> Date: Thu Sep 14 14:26:55 2017 +0000
|
|
|
|
> Add AT_HWCAP and AT_EHDRFLAGS on all platforms.
|
|
>
|
|
> A new 'u_long *sv_hwcap' field is added to 'struct sysentvec'. A
|
|
> process ABI can set this field to point to a value holding a mask of
|
|
> architecture-specific CPU feature flags. If an ABI does not wish to
|
|
> supply AT_HWCAP to processes the field can be left as NULL.
|
|
>
|
|
> The support code for AT_EHDRFLAGS was already present on all systems,
|
|
> just the #define was not present. This is a step towards unifying the
|
|
> AT_* constants across platforms.
|
|
>
|
|
> Reviewed by: kib
|
|
> MFC after: 1 month
|
|
> Differential Revision: https://reviews.freebsd.org/D12290
|
|
|
|
> Notes:
|
|
> svn path=/head/; revision=323579
|
|
|
|
the AT_PAXFLAGS has been changed from 24 to 26 position in
|
|
elf auxvector. This may break some functionality, especially
|
|
the SHLIBRAND feature, when you running on a newer kernel
|
|
with an older user-space.
|
|
|
|
|
|
[20170831] Changed pax_elf API
|
|
__HardenedBSD_version = 1200053
|
|
|
|
As preparation to hardenedBSD rationalize
|
|
the pax_elf(...) functions signature, to
|
|
follow the codes in kern_exec's style.
|
|
For the details, see the code.
|
|
|
|
|
|
[20170709] Enforced KPI
|
|
__HardenedBSD_version = 1200052
|
|
|
|
Enfore the KPI version at compile time. This
|
|
will implicate the recompilation of external
|
|
modules even once __HardenedBSD_version or
|
|
__FreeBSD_version gets bumped.
|
|
|
|
|
|
[20170624] Enable OpenNTPd by default
|
|
__HardenedBSD_version = 1200051
|
|
|
|
Enable WITH_OPENNTPD by default on HardenedBSD.
|
|
After this point we deliver OpenNTPd as base
|
|
ntp provider for HardenedBSD. ISC ntpd is still
|
|
available, and accessible with WITHOUT_OPENNTPD=
|
|
knob in src.conf(5).
|
|
|
|
[20170616] Changed __HardenedBSD_version scheme
|
|
__HardenedBSD_version = 1200050
|
|
|
|
The version numbers may differ in different branches (10-STABLE,
|
|
11-STABLE, 12-CURRENT) and to keep the version number in pair
|
|
with the features state, there is a need to allow to bump they
|
|
differently.
|
|
|
|
|
|
[20170616] Changed default protection settings for text section
|
|
__HardenedBSD_version = 50
|
|
|
|
Fixes the (theoretically) last outstanding memory
|
|
protection related weakness in HBSD's user-space detectable
|
|
with paxtest.
|
|
|
|
|
|
[20170302] Enable CFI by default for amd64
|
|
__HardenedBSD_version = 49
|
|
|
|
Enable WITH_CFI by default on HardenedBSD/amd64.
|
|
Control-Flow Integrity (CFI) is an exploit mitigation
|
|
technique developed in the clang/llvm project. Now that
|
|
base has clang 4.0.0, which brings a linker that supports
|
|
Link-Time Optimization (LTO), lld, we can now make use of
|
|
CFI, which requires LTO.
|
|
|
|
This also enables lld by default for amd64 and arm64. Disable
|
|
CFI by setting WITHOUT_CFI in src.conf(5).
|
|
|
|
[20170112] Enable SafeStack by default for amd64
|
|
__HardenedBSD_version = 48
|
|
|
|
Enable WITH_SAFESTACK by default on HardenedBSD/amd64.
|
|
SafeStack is an exploit mitigation technique developed in the
|
|
clang/llvm project, born in the Code-Pointer Integrity
|
|
(CPI) project. Now that base has clang 3.9.1, which contains
|
|
a more mature CFI/CPI implementation, SafeStack can be enabled
|
|
by default for amd64.
|
|
|
|
Disable SafeStack for base by setting WITHOUT_SAFESTACK in
|
|
src.conf(5).
|
|
|
|
[20160820] Enable LibreSSL by default
|
|
__HardenedBSD_version = 47
|
|
|
|
Enable WITH_LIBRESSL by default on HardenedBSD.
|
|
After this we point we deliver LibreSSL as base
|
|
SSL engine for HardenedBSD. The OpenSSL is still
|
|
available, and accessible with WITHOUT_LIBRESSL=
|
|
knob in src.conf.
|
|
|
|
|
|
[20160423] RELRO + BIND_NOW
|
|
__HardenedBSD_version = 46
|
|
|
|
Enable RELRO + BIND_NOW for base.
|
|
Introduce WITHOUT_RELRO and WITHOUT_BIND_NOW.
|
|
Setting WITHOUT_RELRO also sets WITHOUT_BIND_NOW.
|
|
|
|
|
|
[20160408] PIEified base for amd64 and i386
|
|
__HardenedBSD_version = 45
|
|
|
|
Remove WANTS_PIE.
|
|
Default PIE for base for amd64 and i386 only.
|
|
When PIE is enabled, compile non-static libraries with -fPIC.
|
|
Default WITH_SHARED_TOOLCHAIN to enabled by default.
|
|
|
|
If you encounter build problems during make buildworld,
|
|
try to clean the object files directory, which is typically
|
|
/usr/obj:
|
|
|
|
cd /usr/obj; rm -rf *
|
|
|
|
And retry to build the world. This will require due to not
|
|
proper cleaning mechanizm of FreeBSD's build framework.
|
|
|
|
|
|
[201603XX] noexec and ASLR changes
|
|
__HardenedBSD_version = 44
|
|
|
|
Fixed noexec's paxflags parser to get usable system on
|
|
bronen setups too.
|
|
Changed ASLR stack randomization settings on 32 machines.
|
|
|
|
[20160316] ASLR cleanup
|
|
__HardenedBSD_version = 43
|
|
|
|
Since the hardening.pax.aslr.*_len variables are no longer
|
|
available outside of loader.conf(5), remove them from
|
|
struct hbsd_features, which gets embedded in struct
|
|
prison. This change makes the hardening.pax.aslr.*_len
|
|
variables a global setting, rather than a per-jail setting.
|
|
|
|
|
|
[20160225] RTLD noexec
|
|
__HardenedBSD_version = 42
|
|
|
|
Enforce nonexec thread stacks, driven by the RTLD.
|
|
|
|
|
|
[20160213] rewritten internals
|
|
__HardenedBSD_version = 41
|
|
|
|
Changed hardenedBSD core structures.
|
|
Dropped ptrace_hardening.
|
|
Dropped ASLR bit settings.
|
|
Fixed hbsd_update_build bug.
|
|
Added skeleton file.
|
|
Changed feature strings.
|
|
Changed noexec implicit rules.
|
|
|
|
|
|
[20160123] add pax_get_hardenedbsd_version API
|
|
__HardenedBSD_version = 40
|
|
|
|
Add pax_get_hardenedbsd_version() API to query hardening's version
|
|
from kernel codes.
|
|
|
|
Add new types, which represents the PAX_FLAGS.
|
|
|
|
|
|
[20151225] redo rework internal structures
|
|
__HardenedBSD_version = 39
|
|
|
|
Change pax_get_prison(...) to pax_get_prison_td(...) where possible.
|
|
Fix one segvguard related issue.
|
|
Changed pax_elf signature.
|
|
|
|
We reverted this code in version 37, because we observed weird
|
|
issue, but this issues was unrelated to the reworked internals.
|
|
The true root of the problem was a secadm bug and the issue fixed
|
|
with version 38.
|
|
|
|
|
|
[20151218] reworked MAP_32BIT mmap randomization
|
|
__HardenedBSD_version = 38
|
|
|
|
Previously the MAP_32BIT case mmap randomization was an ASR,
|
|
to fix this and some other issue with the MAP_32BIT related
|
|
mmap, implement a proper ASLR.
|
|
|
|
Upstream fixed stability issues with higher order PID randomization
|
|
|
|
|
|
[20151208] revert the reworked internal structures
|
|
__HardenedBSD_version = 37
|
|
|
|
revert: Change pax_get_prison(...) to pax_get_prison_td(...) where possible.
|
|
revert: Changed pax_elf signature.
|
|
|
|
|
|
[20151206] rework internal structures
|
|
__HardenedBSD_version = 36
|
|
|
|
Change pax_get_prison(...) to pax_get_prison_td(...) where possible.
|
|
Change noexec's sysctl handlers.
|
|
Fix one segvguard related issue.
|
|
Fix randompid related issue.
|
|
Changed pax_elf signature.
|
|
|
|
|
|
[20151123] changed proc structure : added p_timekeep_base
|
|
__HardenedBSD_version = 35
|
|
|
|
Follow the recent VDSO changes from kib@.
|
|
This required to introduce new field to struct proc.
|
|
|
|
|
|
[20151018] disabled lib32 build by default
|
|
__HardenedBSD_version = 34
|
|
|
|
Do not build lib32 and 32bit related stuffs on 64bit platforms
|
|
by default.
|
|
|
|
|
|
[20150924] changed stack-protector level
|
|
__HardenedBSD_version = 33
|
|
|
|
Bump the default build settings from the --stack-protector
|
|
to --stack-protector-strong.
|
|
|
|
|
|
[20150915] ASLR changes
|
|
__HardenedBSD_version = 32
|
|
|
|
Changed default VDSO randomization from 20 bits to 28 bits.
|
|
Fixed div by zero in rare cases in pax_aslr_init_vmspace.
|
|
|
|
|
|
[20150907] Reworked DISALLOWMAP32BIT and changes some internal functions
|
|
__HardenedBSD_version = 31
|
|
|
|
Rename and correctly paxify the DISALLOWMAP32BIT.
|
|
Changed pax flags setup.
|
|
|
|
|
|
[20150905] Added MAP32_PROTECT
|
|
__HardenedBSD_version = 30
|
|
|
|
Added per-process mode to disable MAP_32BIT mode mmap(2).
|
|
|
|
|
|
[20150823] Fixed pkg bootstrap
|
|
__HardenedBSD_version = 29
|
|
|
|
With FreeBSD commit 671f0b9, use of pubkey signature_type method is explicitly disallowed.
|
|
This breaks bootstrapping with pubkey signature_type.
|
|
|
|
|
|
[20150715] Fixed vdso randomization
|
|
__HardenedBSD_version = 28
|
|
|
|
Fixed and simplified vdso and stack mapping.
|
|
|
|
|
|
[20150706] Added shared-page (vdso) randomization
|
|
__HardenedBSD_version = 27
|
|
|
|
This version brings in true stack randomization.
|
|
Changed ASLR settings:
|
|
vdso random : 20 bit
|
|
|
|
|
|
[20150701] Rewriten stack randomization, and bumped ASLR settings
|
|
__HardenedBSD_version = 26
|
|
|
|
This version brings in true stack randomization.
|
|
Changed ASLR settings:
|
|
stack random : 26 -> 42 bit
|
|
exec random : 21 -> 30 bit
|
|
|
|
|
|
[20150605] ASLR "rewrite" and NOEXEC fixes after jhb's vm_mmap.c changes
|
|
__HardenedBSD_version = 25
|
|
__HardenedBSD_version = 24
|
|
|
|
Move the mmap randomization to it's own place and add more state enforcements (KASSERTs).
|
|
Added locking around pax_aslr_mmap(...).
|
|
Factore out the MAP_32BIT related code from pax_aslr_mmap(...), and move to pax_aslr_mmap_map_32bit(...)
|
|
|
|
|
|
[20150604] fix ASLR - randomize the rtld's shared object too
|
|
__HardenedBSD_version = 23
|
|
|
|
Randomize the rtld's address before load them in imgact_elf.c
|
|
|
|
|
|
[20150604] added PAX_NOTE_{,NO}SHLIBRANDOM extension
|
|
__HardenedBSD_version = 22
|
|
|
|
This feature will fix the issue mentioned on issue #137
|
|
|
|
|
|
[20150528] Changed internal structure, removed hardening.pax.segvguard.debug sysctl
|
|
__HardenedBSD_version = 21
|
|
|
|
Changed internal structure
|
|
Removed hardening.pax.segvguard.debug sysctl
|
|
|
|
|
|
[20150415] Bumped stack randomization
|
|
__HardenedBSD_version = 20
|
|
|
|
Increased stack randomization from 20 bit to 26 bit.
|
|
|
|
|
|
[20150415] Fixed stack randomization
|
|
__HardenedBSD_version = 19
|
|
|
|
|
|
[20150408] How to get HardenedBSD and HardenedBSD-ports?
|
|
|
|
Without git/svnlite:
|
|
|
|
HardenedBSD source:
|
|
|
|
# fetch https://github.com/HardenedBSD/hardenedBSD/archive/hardened/current/master.tar.gz -o hardenedbsd-src.tar.gz
|
|
# tar xf hardenedbsd-src.tar.gz
|
|
# mv hardenedBSD-hardened-current-master /usr/src
|
|
|
|
HardenedBSD ports:
|
|
|
|
# fetch https://github.com/HardenedBSD/freebsd-ports/archive/master.tar.gz -o hardenedbsd-ports.tar.gz
|
|
# tar xf hardenedbsd-ports.tar.gz
|
|
# mv freebsd-ports-master /usr/ports
|
|
|
|
Secadm:
|
|
|
|
# fetch https://github.com/HardenedBSD/secadm/archive/master.tar.gz -o secadm.tar.gz
|
|
# tar xf secadm.tar.gz
|
|
|
|
With git:
|
|
|
|
HardenedBSD-source:
|
|
|
|
# git clone https://github.com/HardenedBSD/hardenedBSD.git /usr/src
|
|
|
|
HardenedBSD ports:
|
|
|
|
# git clone https://github.com/HardenedBSD/freebsd-ports.git /usr/ports
|
|
|
|
Secadm:
|
|
|
|
# git clone https://github.com/HardenedBSD/secadm.git
|
|
|
|
With svnlite (much more slower than git version):
|
|
|
|
HardenedBSD-source:
|
|
|
|
# svnlite co https://github.com/HardenedBSD/hardenedBSD.git /usr/src
|
|
|
|
HardenedBSD ports:
|
|
|
|
# svnlite co https://github.com/HardenedBSD/freebsd-ports.git /usr/ports
|
|
|
|
Secadm:
|
|
|
|
# svnlite co https://github.com/HardenedBSD/secadm.git
|
|
|
|
|
|
[20150404] Added secadm hook to rtld
|
|
__HardenedBSD_version = 18
|
|
|
|
Added integriforce secadm hook to rtld to validate
|
|
shared object before loading them.
|
|
|
|
|
|
[20150318] Merged first part of NOEXEC project
|
|
__HardenedBSD_version = 17
|
|
|
|
This is the first part of PaX's MPROTECT restriction:
|
|
* this merge brings per process level restriction settings
|
|
* eliminated the linux's sound related mmap weakness
|
|
* improved the logging
|
|
...
|
|
|
|
If you have problem with your application, then install
|
|
secadm:
|
|
|
|
* from pkg:
|
|
|
|
pkg install secadm
|
|
|
|
* or from github:
|
|
|
|
# git clone https://github.com/hardenedbsd/secadm
|
|
# cd secadm
|
|
# make && make install
|
|
|
|
|
|
[201502011] Changed kernel knobs
|
|
|
|
Added ``options PAX`` to enable the HardenedBSD framework.
|
|
All other PAX_* knob depends on PAX knob.
|
|
|
|
|
|
[20150131] Upgrading from systems before "HBSD: Revert the chacha20 import in full."
|
|
|
|
After the "HBSD: Revert the chacha20 import in full." commit
|
|
we lost the compatibility with the previous version, this
|
|
means ABI break, and the system is unable to properly boot.
|
|
In the background is the removed VM_INHERIT_ZERO flag, which
|
|
was previously used in libc.
|
|
|
|
The solution is to install the new world, before you booting to the new kernel.
|
|
|
|
1. make buildworld kernel
|
|
2. IMPORTANT: install world before you reboot
|
|
2.1. mergemaster -p && make installworld && mergemaster
|
|
3. reboot
|
|
4. start in single user mode
|
|
5. cd /usr/src
|
|
6. make delete-old delete-old-libs
|
|
7. if you have buildworld or buildkernel error,
|
|
where the cc aborting and dumping core,
|
|
then you need to delete the content of /usr/obj directory:
|
|
7.1 cd /usr/obj
|
|
7.2 rm -rf *
|
|
|
|
And probably a full ports rebuild required too...
|
|
|