From: Jeremie Le Hen
To: Oliver Pinter
Cc: Kostik Belousov, Garrett Cooper, current@freebsd.org, Arnaud Lacombe
Date: Tue, 15 Nov 2011 17:57:56 +0100
Subject: Re: [RFC] Enable nxstack by default

Hi,

On Wed, Oct 19, 2011 at 12:37:44AM +0200, Oliver Pinter wrote:
> Some PaX features [0] have been implemented in NetBSD
> (ASLR, W^X (~nxstack), mprotect restriction, veriexec, mmap randomization [2], ...).
>
> [0] http://pax.grsecurity.net/docs/index.html
> [1] http://www.netbsd.org/~elad/recent/man/security.8.html
> [2] http://people.freebsd.org/~ssouhlal/testing/stackgap-20050527.diff

Suleiman actually wrote two patches, one randomizing the stack (the one you
pointed out) and another one randomizing non-fixed mmap(2) calls:

http://people.freebsd.org/~ssouhlal/testing/mmap_random-20050528.diff

FYI, they do not apply cleanly on recent source trees (the patches were made
in 2005), but they can be applied with little fiddling. I'm running multiple
8.x production machines with them without any problem.

I've always wanted them to be committed as opt-in knobs, but I can't remember
why they weren't at the time.

Cheers,
-- 
Jeremie Le Hen

Men are born free and equal. Later on, they're on their own.
                                                  Jean Yanne