Date:      Tue, 5 May 2020 19:59:19 -0400
From:      Ed Maste <emaste@freebsd.org>
To:        Dewayne Geraghty <dewayne@heuristicsystems.com.au>
Cc:        Brooks Davis <brooks@freebsd.org>, freebsd-security@freebsd.org, Marcin Wojtas <mw@semihalf.com>, Rafal Jaworowski <raj@semihalf.com>
Subject:   Re: ASLR/PIE status in FreeBSD HEAD
Message-ID:  <CAPyFy2AeRB4Hj2%2Bmp5A4h1-pMz9aeF%2BwNqEPqS610E3dzzPhqQ@mail.gmail.com>
In-Reply-To: <9ad00dc0-b9d5-525a-9d5d-b65dac60f0d4@heuristicsystems.com.au>
References:  <CAPv3WKfYyVnfNDTPOEN6TF_GjJr=ThdNeB1yMtTEoQoxEdHMDg@mail.gmail.com> <CAPyFy2Cis6mKP%2BtRqEG8CwODgLXVBpQsxQ4FJX6wrpiPODr=Bg@mail.gmail.com> <CAPv3WKdQrS4oAcUcNn_mQOUJCmKm88LWhv62yf5B0BkmnyGpaA@mail.gmail.com> <20200423153835.GF42225@spindle.one-eyed-alien.net> <CAPyFy2DGh8sa=VYuHF8aC2NU5LkpMLsBv1kQ-zkEbPyz_z9JzA@mail.gmail.com> <9ad00dc0-b9d5-525a-9d5d-b65dac60f0d4@heuristicsystems.com.au>

On Mon, 4 May 2020 at 19:39, Dewayne Geraghty
<dewayne@heuristicsystems.com.au> wrote:
>
> It would be palatable to have a "secure.mk" under /usr/ports/Mk/Uses
> that enables pie, relro, now, noexecstack and elfctl features.  Then
> port users can enable/disable their (elfctl) default features as they wish.

The general intent for elfctl isn't to have a lot of knobs to worry
about, either user- or developer-facing, and they'll generally be
opt-outs. Ports with known incompatibilities will be tagged at build
time (regardless of whether mitigations are enabled), and mitigations
should be able to be turned on system-wide.

We should be able to address non-executable stack in a similar way -
virtually all ports should have a RW GNU_STACK segment indicating that
the stack is not executable, so a ports build stage could check for
that and produce an error if not, with some sort of override for any
exceptional cases.

We definitely want some global infrastructure for pie, relro, and bind_now.
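One way to implement the GNU_STACK check described above, as an added example that is not FreeBSD's or the ports tree's own code: a small ELF program-header parser that reports whether a PT_GNU_STACK segment is present and whether it carries PF_X. The ELF images it inspects here are constructed inline (a header plus one program header, no real code) so the example runs offline.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack permission hint
PF_X, PF_W, PF_R = 1, 2, 4  # segment permission flag bits

def gnu_stack_flags(elf):
    """Return p_flags of the PT_GNU_STACK header, or None if the binary has none.
    Handles ELF32/ELF64 in either byte order; raises ValueError on non-ELF input."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                       # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"        # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        if p_type != PT_GNU_STACK:
            continue
        # p_flags follows p_type in Elf64_Phdr but sits at offset 24 in Elf32_Phdr
        (p_flags,) = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        return p_flags
    return None

def check_noexec_stack(elf):
    """Build-stage style check: (ok, reason). Fails when the hint is missing or RWE."""
    flags = gnu_stack_flags(elf)
    if flags is None:
        return False, "no PT_GNU_STACK segment; loader may fall back to an executable stack"
    if flags & PF_X:
        return False, "PT_GNU_STACK is RWE: executable stack requested"
    return True, "PT_GNU_STACK is RW: non-executable stack"

def build_sample_elf64(stack_flags, p_type=PT_GNU_STACK):
    """Constructed minimal little-endian ELF64 (ET_DYN, x86-64) with one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", p_type, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr

if __name__ == "__main__":
    for img in (build_sample_elf64(PF_R | PF_W), build_sample_elf64(PF_R | PF_W | PF_X)):
        print(check_noexec_stack(img))
```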
