Date: Mon, 11 Jan 2021 21:57:30 -0500
From: Ed Maste <emaste@freebsd.org>
To: John Baldwin <jhb@freebsd.org>
Cc: Konstantin Belousov <kib@freebsd.org>, src-committers <src-committers@freebsd.org>, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 2e1c94aa1fd5 - main - Implement enforcing write XOR execute mapping policy.
Message-ID: <CAPyFy2AvwfUvOEbopejjSLaCYw=H1CHUyFSRR6wq5w_EzxgekA@mail.gmail.com>
In-Reply-To: <8f0f88f5-2a4b-a11d-7b9c-892443184b15@FreeBSD.org>
References: <202101112322.10BNMFFE035513@gitrepo.freebsd.org> <8f0f88f5-2a4b-a11d-7b9c-892443184b15@FreeBSD.org>
On Mon, 11 Jan 2021 at 19:34, John Baldwin <jhb@freebsd.org> wrote:
>
> To be clear though, this doesn't set the default to enforcing W^X, it just
> adds a knob that can be set to enforce that on most binaries. My guess is
> that the plan is to get some testing/exposure of this on head (e.g. doing
> an exp-run with this set would probably be a good test?) and then flip the
> default to enable this restriction in the future?

Yes, an exp-run would be useful, although I don't think it will find too much unless we execute regression tests on the built ports. We can ask folks to turn it on and report problems; note that any ELF binary requesting an executable stack will (appear to) abort at startup, and will have to be fixed to request a non-executable stack. Other than that I have seen no fallout after enabling this on my laptop.

To enable it, set the two sysctls:

kern.elf32.allow_wx=0
kern.elf64.allow_wx=0
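The message says that, once allow_wx is set to 0, any ELF binary requesting an executable stack will abort at startup. The request lives in the binary's PT_GNU_STACK program header: PF_X set in p_flags means "executable stack". As an added example (not code from this thread, and not part of FreeBSD), the Python script below reads the program headers of ELF32 and ELF64 files, the two classes the kern.elf32 and kern.elf64 sysctls govern, and reports which binaries would be affected, so an administrator can find them before flipping the knob rather than after. Constructed sample ELF headers are embedded so the script runs offline; on a real system pass binary paths on the command line. The message does not say how the kernel treats a binary with no PT_GNU_STACK header at all, so that case is reported on its own rather than given a verdict.

```python
"""Report whether ELF binaries request an executable stack via PT_GNU_STACK.
Added example for the allow_wx discussion; not FreeBSD code."""
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK program header, or None if absent.

    Handles little- and big-endian ELF32 and ELF64. Malformed input raises
    ValueError instead of producing a guess.
    """
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}.get(ei_data)
    if end is None:
        raise ValueError("unknown EI_DATA %r" % ei_data)
    if ei_class == 2:                       # ELF64 header layout
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt, min_size, flags_idx = end + "IIQQQQQQ", 56, 1
    elif ei_class == 1:                     # ELF32 header layout
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt, min_size, flags_idx = end + "IIIIIIII", 32, 6
    else:
        raise ValueError("unknown EI_CLASS %r" % ei_class)
    if e_phentsize < min_size:
        raise ValueError("e_phentsize too small for this ELF class")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + min_size > len(data):
            raise ValueError("program header %d lies outside the file" % i)
        ph = struct.unpack_from(phdr_fmt, data, off)
        if ph[0] == PT_GNU_STACK:
            return ph[flags_idx]
    return None


def stack_verdict(data: bytes) -> str:
    """'exec-stack' binaries are the ones the message says will abort."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "no-gnu-stack"                # kernel default applies; not covered by the message
    return "exec-stack" if flags & PF_X else "nx-stack"


def make_elf(elf_class: int, stack_flags) -> bytes:
    """Constructed sample: a minimal ELF image holding one PT_LOAD entry and,
    unless stack_flags is None, a PT_GNU_STACK entry with the given p_flags.
    It is header material only, not a runnable program."""
    phdrs = [(PT_LOAD, PF_R | PF_X)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    if elf_class == 2:
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                                   64, 56, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10)
                        for t, f in phdrs)
    else:
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0,
                                   52, 32, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0x10)
                        for t, f in phdrs)
    return ehdr + body


def scan_paths(paths):
    """Map each path to its verdict (or the error text for unreadable files)."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                results[path] = stack_verdict(fh.read())
        except (OSError, ValueError) as exc:
            results[path] = "error: %s" % exc
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, verdict in scan_paths(sys.argv[1:]).items():
            print("%-12s %s" % (verdict, path))
    else:                                   # offline demo on constructed samples
        samples = {
            "elf64 RW stack":  make_elf(2, PF_R | PF_W),
            "elf64 RWX stack": make_elf(2, PF_R | PF_W | PF_X),
            "elf32 RWX stack": make_elf(1, PF_R | PF_W | PF_X),
            "elf32 no header": make_elf(1, None),
        }
        for name, data in samples.items():
            print("%-12s %s" % (stack_verdict(data), name))
```

Binaries reported as exec-stack are the ones to fix (or to take up with the port or toolchain that produced them) before setting allow_wx=0; a readelf -l listing of the same file shows the GNU_STACK line with the same RWE flags, which is a quick cross-check when the script is in doubt.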