Date: Thu, 18 Nov 2021 10:19:52 -0500 From: Ed Maste <emaste@freebsd.org> To: Kubilay Kocak <koobs@freebsd.org> Cc: Marcin Wojtas <mw@freebsd.org>, src-committers <src-committers@freebsd.org>, "<dev-commits-src-all@freebsd.org>" <dev-commits-src-all@freebsd.org>, dev-commits-src-main@freebsd.org Subject: Re: git: b014e0f15bc7 - main - Enable ASLR by default for 64-bit executables Message-ID: <CAPyFy2D_4E0T=VWZHHw1J=2U1CYJULipqOOzT%2BugE1LgDcBnNQ@mail.gmail.com> In-Reply-To: <e07dce67-5aaa-a9ea-bfa4-941c01cdead8@FreeBSD.org> References: <202111162226.1AGMQg00099240@gitrepo.freebsd.org> <e07dce67-5aaa-a9ea-bfa4-941c01cdead8@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 16 Nov 2021 at 18:42, Kubilay Kocak <koobs@freebsd.org> wrote: > > The current description seems ambiguous with respect to the added > comment. If the sysctl (=1) applies ASLR "only" for PIE binaries, where > the =0 (sysctl disabled) case applies it unconditionally, a better > description might be: > > "Enable address map randomization only for PIE binaries" The "only" is in a confusing spot there. For ET_EXEC ELF objects (traditional binaries) randomization is controlled by aslr_enable. For ET_DYN ELF objects (PIE binaries) randomization is controlled by pie_aslr_enable. > Might aslr_enabled_pie_only also be a better OID name? Perhaps not worth > the churn, but long term it would be great if OID names reflected what > they are/do, rather than what they're not/don't do. That's true, and I think aslr_enable_pie may be a better name. I don't see how "they're not/don't do" applies here though. > > +static int __elfN(aslr_honor_sbrk) = 0; > > SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, honor_sbrk, CTLFLAG_RW, > > &__elfN(aslr_honor_sbrk), 0, > > __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": assume sbrk is used"); > > > > Can we add (DEPRECATED) to the control description, and/or otherwise > mark the control as deprecated if the sysctl framework supports an > attribute marking them as such? The sbrk system call is deprecated, not the sysctl node.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPyFy2D_4E0T=VWZHHw1J=2U1CYJULipqOOzT%2BugE1LgDcBnNQ>