From: Oliver Pinter
To: Dag-Erling Smørgrav
Date: Sun, 25 May 2014 19:42:16 +0200
Subject: Re: [CFT] ASLR, PIE, and segvguard on 11-current and 10-stable
In-Reply-To: <86a9a56ac6.fsf@nine.des.no>
References: <20140514135852.GC3063@pwnie.vrt.sourcefire.com> <86a9a56ac6.fsf@nine.des.no>
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org, freebsd-stable@freebsd.org, dim@freebsd.org, Shawn Webb

On 5/25/14, Dag-Erling Smørgrav wrote:
> Oliver Pinter writes:
>> PAX LOG: implement new logging subsystem
>> PAX LOG: fix pax_ulog_segvguard
>> PAX LOG: added sysctl's and tunables
>> PAX ASLR: use PAX LOG
>> PAX LOG: fix pax_ulog_##name()
>> PAX LOG: fix prison init
>> PAX LOG: fixed log and ulog sysctl
>
> What exactly is the purpose of PAX LOG? Have you considered using
> ktrace instead?

pax_log will in future be a generic pax-related logging framework,
with ratelimiting and other features. It will log user, IP, binary
name, path, checksum, and others.

>
>> PAX: blacklist clang and related binaries from PIE support
>
> Why? Performance, or do they actually break?

No. If you defined WITH_CLANG_EXTRAS= in src.conf, they broke the build.
(added dim@ to CC)

--- usr.bin.all__D ---
/usr/obj/usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang/bugpoint/../../../lib/clang/libllvmirreader/libllvmirreader.a: could not read symbols: Bad value
c++: error: linker command failed with exit code 1 (use -v to see invocation)
*** [bugpoint] Error code 1
bmake[5]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang/bugpoint
1 error
bmake[5]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang/bugpoint
*** [all_subdir_bugpoint] Error code 2
bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang
--- usr.sbin.all__D ---
A failure has been detected in another branch of the parallel make
bmake[5]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin/acpi/iasl
*** [all] Error code 2
bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin/acpi
1 error
bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin/acpi
*** [all_subdir_acpi] Error code 2
bmake[3]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin
1 error
bmake[3]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin
*** [usr.sbin.all__D] Error code 2
bmake[2]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git
--- usr.bin.all__D ---
--- all_subdir_tblgen ---
A failure has been detected in another branch of the parallel make
bmake[5]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang/tblgen
*** [all_subdir_tblgen] Error code 2
bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang
2 errors
bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang
*** [all_subdir_clang] Error code 2
bmake[3]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin

>
>> PAX ASLR: Blacklist the applications that don't support being built
>> as a position-independent executable
>
> "don't support" as in you have tested them and confirmed that they break
> in some way?
> Could you post your test methodology so people can
> replicate the failures and look into fixing them?
>
>> PAX ASLR: Use a full kernel config for LATT-ASLR
>
> What is the difference between LATT-ASLR and OP-ASLR, and why not just
> "include GENERIC"? You know about "nooptions", right?

In the upstreamed patch these kernel configs will be removed. These are
Shawn's and my kernel configs.

>
>> Revert "PAX: blacklist clang and related binaries from PIE support"
>> Revert "Revert "PAX: blacklist clang and related binaries from PIE
>> support""
>
> Hmm...

See above.

>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
>