On May 23, 2014 07:44 PM -0500, Pedro Giffuni wrote:
> (Dropped the cross-posting, which *is* frowned upon)
> 
> While I do very much appreciate this work being done, and I agree we should 
> have it in the tree, I would really prefer it opt-in rather opt-out, at least 
> initially.
> 
> I know this may very well be the subject of a bikeshed of historical 
> proportions but:
> 
> 1) Understand this may break some applications (?).

Yup. This is why we provide both ugidfw support for dynamic rulesets and
per-jail settings. We'll soon be adding FS extended attributes as well.

> 
> 2) It is yet undetermined what the performance effect will be.

Very early on, Oliver ran unixbench against the ASLR implementation.
There was some anomalous behaviors. Our implementation has drastically
changed since then and we ought to run unixbench again against the
current implementation. I've got a lot going on right now, but when
things settle down, I'll run unixbench under these conditions:

1) Vanilla FreeBSD 11-CURRENT with WITNESS and other debugging features
turned off.
2) FreeBSD 11-CURRENT with ASLR patches applied, but with ASLR turned
off, and with WITNESS and other debugging features turned off.
3) FreeBSD 11-CURRENT with ASLR patches applied, but with ASLR turned
on, and with WITNESS and other debugging features turned off.

I hope to have the tests done within the next two weeks.

> 
> I find it very neat that it can be enabled for jails though.

That's my second favorite feature of our implementation, the first being
ugidfw integration. I'm glad to see you like the jails integration.

Thanks,

Shawn

Attachment: pgpt0Dx797gBg.pgp
Description: PGP signature

Reply via email to