Date: Wed, 22 Apr 2020 16:08:29 +1000
From: Dewayne Geraghty <dewayne@heuristicsystems.com.au>
To: Ed Maste <emaste@freebsd.org>
Cc: freebsd-security@freebsd.org
Subject: Re: ASLR/PIE status in FreeBSD HEAD
Message-ID: <d63d9bd6-ff27-4bff-71ae-36e0894fae04@heuristicsystems.com.au>
In-Reply-To: <CAPyFy2DErURgvKASUk_wghdPD=KA2KqT5Osczf7ZO4NFobFnsQ@mail.gmail.com>
References: <CAPv3WKfYyVnfNDTPOEN6TF_GjJr=ThdNeB1yMtTEoQoxEdHMDg@mail.gmail.com> <b57fd929-9776-5ff8-f7f6-91a1c8089da3@heuristicsystems.com.au> <CAPyFy2DErURgvKASUk_wghdPD=KA2KqT5Osczf7ZO4NFobFnsQ@mail.gmail.com>

Thank-you for the pointer to elfctl. Unfortunately it looks like I need
to create the section in the image file, due to my:
(for example)
# elfctl -l /usr/bin/ztest
Known features are:
aslr            Disable ASLR
protmax         Disable implicit PROT_MAX
stackgap        Disable stack gap
elfctl: NT_FREEBSD_FEATURE_CTL note not found

on FreeBSD 12.1-STABLE #0 r359973M: Thu Apr 16 amd64 1201513 1201513

I had a look inside
# readelf -SW /usr/bin/ztest

I also looked inside /usr/share/mk/bsd.prog.mk (because it has elf
hardening knobs) but no clues. Perhaps if you could provide a pointer?

(Though I wonder how the new section will be inserted into some of the
ports that require gcc? An adventure awaits...)

Kind regards, Dewayne.
PS Yes Konstantin had previously provided substantial assistance to
resolve the ntpd issue.

On 21/04/2020 12:00 am, Ed Maste wrote:
> On Sat, 18 Apr 2020 at 04:19, Dewayne Geraghty
> <dewayne@heuristicsystems.com.au> wrote:
>>
>> I'm on a similar ride. We run applications in both i386 and amd64 jails
>> with FreeBSD's ASLR enabled (sendmail, squid, apache, ...) and all good.
>
> Great!
>
>> On the build server, the i386 jail with aslr enabled wasn't able to
>> build gcc9; so this was disabled kern.elf32.*.
>
> i386 has little spare address space and compiling applications as PIE
> has a significant performance impact there, so enabling it only on
> 64-bit seems quite reasonable.
>
>> ntp was the only real application that didn't play nicely with aslr.
>> Fortunately, this was very helpful:
>>
>> /usr/bin/proccontrol -m aslr -s disable /usr/local/sbin/ntpd...
>
> Yes, and you can now (if using stable/12 or -CURRENT) use elfctl to
> tag the binary with a note to request randomization be disabled for
> the process, although we really should address the underlying issue.
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
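
Added example, not part of the message above and not elfctl's own code: a stand-alone check for the NT_FREEBSD_FEATURE_CTL note that the elfctl output in the message reports as missing, useful for auditing which binaries carry the note and which hardening features it disables. It assumes a little-endian ELF64 image (amd64); the helper names and the sample images are constructed for illustration, while the note type and flag values follow FreeBSD's sys/elf_common.h.

```python
import struct

NT_FREEBSD_FEATURE_CTL = 4   # note type, name "FreeBSD" (sys/elf_common.h)
PT_NOTE = 4
FCTL_BITS = {0x1: "aslr", 0x2: "protmax", 0x4: "stackgap"}  # set bit = disabled

def walk_notes(blob):
    """Yield (name, type, desc) for each note in a PT_NOTE segment."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name = blob[off:off + namesz].rstrip(b"\0")
        off += (namesz + 3) & ~3          # name and desc are padded to 4 bytes
        desc = blob[off:off + descsz]
        off += (descsz + 3) & ~3
        yield name, ntype, desc

def feature_ctl(elf):
    """Return the list of disabled features, or None when the note is absent."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expects a little-endian ELF64 image")
    phoff, = struct.unpack_from("<Q", elf, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from("<I", elf, base)
        p_offset, = struct.unpack_from("<Q", elf, base + 8)
        p_filesz, = struct.unpack_from("<Q", elf, base + 32)
        if p_type != PT_NOTE:
            continue
        for name, ntype, desc in walk_notes(elf[p_offset:p_offset + p_filesz]):
            if name == b"FreeBSD" and ntype == NT_FREEBSD_FEATURE_CTL and len(desc) >= 4:
                flags, = struct.unpack_from("<I", desc)
                return [n for bit, n in FCTL_BITS.items() if flags & bit]
    return None   # the case elfctl reports as "note not found"

def note(ntype, desc):
    """Constructed sample: one FreeBSD-vendor note with the given type."""
    return struct.pack("<III", 8, len(desc), ntype) + b"FreeBSD\0" + desc

def make_elf(notes):
    """Constructed sample: ELF64 header, one PT_NOTE phdr, then the notes."""
    ehdr = struct.pack("<4sBB10xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 2, 62, 1,
                       0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, 120, 0, 0, len(notes), len(notes), 4)
    return ehdr + phdr + notes
```

To check a real binary, pass its contents, for example `feature_ctl(open("/usr/bin/ztest", "rb").read())`; a result of `None` corresponds to the "note not found" case and an empty list means the note is present with nothing disabled.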