On Wed, Jun 21, 2017 at 01:13:31PM -0600, Theo de Raadt wrote: | Future work should be to see if we can build a fresh kernel at | install/upgrade time, for that "every computer is unique" feel.
How about we move the rc bits out from rc and into a small script that we call from rc. Now we can also easily call it from the install and/or upgrade script with something like /mnt/usr/sbin/chroot /mnt /usr/local/libexec/reorder_kernel and have a new kernel always. Not sure if that's feasible in this case, but it looks doable. Here's the diff that moves the rc bits into a separate script. Not included are the bits for the install script. Index: etc/rc =================================================================== RCS file: /cvs/src/etc/rc,v retrieving revision 1.504 diff -u -p -u -r1.504 rc --- etc/rc 22 Jun 2017 16:03:36 -0000 1.504 +++ etc/rc 23 Jun 2017 07:58:50 -0000 @@ -219,38 +219,6 @@ reorder_libs() { fi } -# Re-link the kernel, placing the objects in a random order. -# Replace current with relinked kernel and inform root about it. -reorder_kernel() { - ( - set -e - _compile_dir=/usr/share/compile - _kernel=$(sysctl -n kern.osversion) - _kernel=${_kernel%#*} - _kernel_dir=$_compile_dir/$_kernel - _sha256=/var/db/kernel.SHA256 - - if [[ -f /usr/share/compile.tgz ]]; then - rm -rf $_compile_dir - mkdir -m 700 -p $_compile_dir - tar -C $_compile_dir -xzf /usr/share/compile.tgz $_kernel - rm -f /usr/share/compile.tgz - fi - - sha256 -q -C $_sha256 /bsd - - cd $_kernel_dir - make newbsd >$_kernel_dir/log 2>&1 - make newinstall >>$_kernel_dir/log 2>&1 - (umask 077 && sha256 -h $_sha256 /bsd) - - (echo "Kernel has been relinked and is active on next reboot\n"; \ - cat $_sha256; echo "\nRelink log:\n"; cat $_kernel_dir/log ) | - mail -Es "$(hostname) Kernel relink info" root >/dev/null - - ) >/dev/null 2>&1 & -} - # Run rc.* script and email output to root. # Usage: run_upgrade_script firsttime|sysmerge run_upgrade_script() { 
@@ -619,7 +587,9 @@ echo -n 'starting local daemons:' start_daemon apmd sensorsd hotplugd watchdogd cron wsmoused xenodm echo '.' -reorder_kernel +# Re-link the kernel, placing the objects in a random order. +# Replace current with relinked kernel and inform root about it. +/usr/libexec/reorder_kernel date exit 0 Index: libexec/Makefile =================================================================== RCS file: /cvs/src/libexec/Makefile,v retrieving revision 1.65 diff -u -p -u -r1.65 Makefile --- libexec/Makefile 26 Nov 2015 19:13:14 -0000 1.65 +++ libexec/Makefile 23 Jun 2017 07:32:35 -0000 @@ -6,7 +6,7 @@ SUBDIR= comsat fingerd ftpd getty ld.so lockspool login_chpass \ login_lchpass login_passwd login_radius login_reject \ login_skey login_token login_yubikey mail.local \ - rpc.rquotad rpc.rstatd rpc.rusersd rpc.rwalld \ + reorder_kernel rpc.rquotad rpc.rstatd rpc.rusersd rpc.rwalld \ security spamd spamd-setup spamlogd talkd tradcpp .include <bsd.subdir.mk> Index: libexec/reorder_kernel/Makefile =================================================================== RCS file: libexec/reorder_kernel/Makefile diff -N libexec/reorder_kernel/Makefile --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ libexec/reorder_kernel/Makefile 23 Jun 2017 07:56:12 -0000 @@ -0,0 +1,11 @@ +# $Id$ + +MAN= reorder_kernel.8 + +SCRIPT= reorder_kernel.sh + +realinstall: + ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m ${BINMODE} \ + ${.CURDIR}/${SCRIPT} ${DESTDIR}${BINDIR}/reorder-kernel + +.include <bsd.prog.mk> Index: libexec/reorder_kernel/reorder_kernel.8 =================================================================== RCS file: libexec/reorder_kernel/reorder_kernel.8 diff -N libexec/reorder_kernel/reorder_kernel.8 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ libexec/reorder_kernel/reorder_kernel.8 23 Jun 2017 07:56:34 -0000 
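Review bot: The new call `/usr/libexec/reorder_kernel` at the end of etc/rc runs in the foreground. The removed function closed its subshell with `) >/dev/null 2>&1 &`, whereas the new reorder_kernel.sh closes it with `) > /dev/null 2>&1` and this call site adds no `&`. As posted, `date` and `exit 0` wait for `make newbsd` and `make newinstall`, so the end of rc is held up by the relink on every boot. Backgrounding it here with `/usr/libexec/reorder_kernel &` keeps the old boot behaviour and leaves the script synchronous for the install/upgrade caller described in the message. The comment moved above the call could then say `# Runs in the background; root is mailed when the relink finishes.`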
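Review bot: The `realinstall` target in libexec/reorder_kernel/Makefile installs the script as `${DESTDIR}${BINDIR}/reorder-kernel` (hyphen), but etc/rc in this same diff runs `/usr/libexec/reorder_kernel` (underscore). The manual page and the directory name also use the underscore. With the names as posted, rc would presumably report the script as not found at each boot and the kernel would never be relinked, which quietly loses the per-boot randomization. The destination should be `${DESTDIR}${BINDIR}/reorder_kernel`. This Makefile does not set BINDIR itself, so it is worth confirming that the inherited value resolves to /usr/libexec and not the /usr/local/libexec path used in the message's chroot example.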
@@ -0,0 +1,13 @@ +.Dd $Mdocdate$ +.Dt REORDER_KERNEL 8 +.Os +.Sh NAME +.Nm reorder_kernel +.Nd build a new /bsd with randomly ordered objects +.Sh SYNOPSIS +.Nm reorder_kernel +.Oc +.Sh DESCRIPTION +.Nm +will take the kernel object files from /usr/share/compile/ and build a +new randomly ordered /bsd out of them. Index: libexec/reorder_kernel/reorder_kernel.sh =================================================================== RCS file: libexec/reorder_kernel/reorder_kernel.sh diff -N libexec/reorder_kernel/reorder_kernel.sh --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ libexec/reorder_kernel/reorder_kernel.sh 23 Jun 2017 07:53:36 -0000 @@ -0,0 +1,34 @@ +#!/bin/sh - +# $Id$ + +# standard license here; attribution to rpe@? + +# Re-link the kernel, placing the objects in a random order. +# Replace current with relinked kernel and inform root about it. +( + set -e + _compile_dir=/usr/share/compile + _kernel=$(sysctl -n kern.osversion) + _kernel=${_kernel%#*} + _kernel_dir=$_compile_dir/$_kernel + _sha256=/var/db/kernel.SHA256 + + if [[ -f /usr/share/compile.tgz ]]; then + rm -rf $_compile_dir + mkdir -m 700 -p $_compile_dir + tar -C $_compile_dir -xzf /usr/share/compile.tgz $_kernel + rm -f /usr/share/compile.tgz + fi + + sha256 -q -C $_sha256 /bsd + + cd $_kernel_dir + make newbsd >$_kernel_dir/log 2>&1 + make newinstall >>$_kernel_dir/log 2>&1 + (umask 077 && sha256 -h $_sha256 /bsd) + + (echo "Kernel has been relinked and is active on next reboot\n"; \ + cat $_sha256; echo "\nRelink log:\n"; cat $_kernel_dir/log ) | + mail -Es "$(hostname) Kernel relink info" root >/dev/null + +) > /dev/null 2>&1 -- >++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+ +++++++++++>-]<.>++[<------------>-]<+.--------------.[-] http://www.weirdnet.nl/
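Review bot: Every failure in reorder_kernel.sh is silent, because the whole body runs under `set -e` inside a subshell redirected to /dev/null. When `sha256 -q -C $_sha256 /bsd` finds that /bsd no longer matches /var/db/kernel.SHA256, the script stops and root is never mailed; a failed `make newbsd` is hidden the same way. A mismatch means the installed kernel is not the one the last relink recorded, which an administrator would want to hear about. Consider mailing root on that path, for example `sha256 -q -C $_sha256 /bsd || { echo "/bsd does not match $_sha256; kernel not relinked" | mail -s "$(hostname) Kernel relink skipped" root; exit 1; }`. Separately, `sysctl -n kern.osversion` names the running kernel, so under the installer's chroot it would presumably name the install kernel rather than the one under /mnt, and that caller likely needs to pass the kernel name in.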