From: Dag-Erling Smørgrav
To: Oliver Pinter
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org, "Wojciech A. Koszek", freebsd-stable@freebsd.org, Shawn Webb
Subject: Re: [CFT] ASLR, PIE, and segvguard on 11-current and 10-stable
Date: Sun, 25 May 2014 18:33:00 +0200
In-Reply-To: (Oliver Pinter's message of "Sat, 24 May 2014 22:50:49 +0200")

Oliver Pinter writes:
> Two ideas here:
> a) create a tunable security.pax.expert_mode, and create sysctls at
> boot time depending on expert mode
> b) just add CTLFLAG_SKIP and hide the sysctl from normal users

The cost of an unused sysctl is about a hundred bytes of kernel memory.
What is the cost of the code required to turn it on and off, keeping in
mind that most of the contents of the struct sysctl_oid must be present
anyway so you can fill in the malloc()ed node?

DES
-- 
Dag-Erling Smørgrav - des@des.no