On May 23, 2014 07:44 PM -0500, Pedro Giffuni wrote: > (Dropped the cross-posting, which *is* frowned upon) > > While I do very much appreciate this work being done, and I agree we should > have it in the tree, I would really prefer it opt-in rather opt-out, at least > initially. > > I know this may very well be the subject of a bikeshed of historical > proportions but: > > 1) Understand this may break some applications (?).
Yup. This is why we provide both ugidfw support for dynamic rulesets and per-jail settings. We'll soon be adding FS extended attributes as well. > > 2) It is yet undetermined what the performance effect will be. Very early on, Oliver ran unixbench against the ASLR implementation. There was some anomalous behaviors. Our implementation has drastically changed since then and we ought to run unixbench again against the current implementation. I've got a lot going on right now, but when things settle down, I'll run unixbench under these conditions: 1) Vanilla FreeBSD 11-CURRENT with WITNESS and other debugging features turned off. 2) FreeBSD 11-CURRENT with ASLR patches applied, but with ASLR turned off, and with WITNESS and other debugging features turned off. 3) FreeBSD 11-CURRENT with ASLR patches applied, but with ASLR turned on, and with WITNESS and other debugging features turned off. I hope to have the tests done within the next two weeks. > > I find it very neat that it can be enabled for jails though. That's my second favorite feature of our implementation, the first being ugidfw integration. I'm glad to see you like the jails integration. Thanks, Shawn
Description: PGP signature