On Mar 31, 2014 02:07 AM +0200, Oliver Pinter wrote: > On 3/22/14, Shawn Webb <latt...@gmail.com> wrote: > > Hey All, > > > > First off, I hope that even as a non-committer, it's okay that I post > > a call for testing. If not, please excuse my newbishness in this > > process. This is my first time submitting a major patch upstream to > > FreeBSD. > > > > Over the past few months, I've had the opportunity and pleasure to > > enhance existing patches to FreeBSD that implement a common exploit > > mitigation technology called Address Space Layout Randomization (ASLR) > > along with support for Position Independent Executables (PIE). > > ASLR+PIE has been a long-requested feature by many people I've met on > > IRC. > > > > I've submitted my patch to PR kernel/181497. I'm currently in the > > process of adding PIE support to certain high-visibility applications > > in base (mainly network daemons). I've added a make.conf knob that's > > default to enabled (WITH_PIE=1). An application has to also explicitly > > support PIE as well by defining CAN_PIE in the Makefile prior to > > including bsd.prog.mk. After I get a decent amount of applications > > enabled with PIE support, I'll submit one last patch. > > > > The following sysctl's can be set with a kernel compiled with the > > PAX_ASLR option: > > > > security.pax.aslr.status: 1 > > security.pax.aslr.debug: 0 > > security.pax.aslr.mmap_len: 16 > > security.pax.aslr.stack_len: 12 > > security.pax.aslr.exec_len: 12 > > > > The security.pax.aslr.status sysctl enables and disables the ASLR > > system as a whole. The debug sysctl gives debugging output. The > > mmap_len sysctl tells the ASLR system how many bits to randomize with > > mmap() is called. The stack_len sysctl tells the ASLR system how many > > bits to randomize in the stack. The exec_len sysctl tells the ASLR > > system how many bits to randomize the execbase (this controls PIE). > > These sysctls can be set as a per-jail basis. If you have an > > application which doesn't support ASLR, yet you want ASLR enabled for > > everything else, you can simply place that misbehaving application in > > a jail with only that jail's ASLR settings turned off. > > > > Please let me know how your testing goes. I'm giving a presentation at > > BSDCan regarding this. > > > > If you want to keep tabs on my bleeding-edge development process, > > please follow my progress on GitHub: > > https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr). > > > > Thank you very much, > > Hi! > > Please apply this patch. This fixed an issue with tunables.
Patch merged successfully into my GitHub repo. Fixed with commit d2c0813. I'll include it in my next patch submission upstream when I submit my PIE work. Thanks!
Description: PGP signature