Re: git: b014e0f15bc7 - main - Enable ASLR by default for 64-bit executables
- In reply to: Kubilay Kocak : "Re: git: b014e0f15bc7 - main - Enable ASLR by default for 64-bit executables"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 18 Nov 2021 15:19:52 UTC
On Tue, 16 Nov 2021 at 18:42, Kubilay Kocak <koobs@freebsd.org> wrote: > > The current description seems ambiguous with respect to the added > comment. If the sysctl (=1) applies ASLR "only" for PIE binaries, where > the =0 (sysctl disabled) case applies it unconditionally, a better > description might be: > > "Enable address map randomization only for PIE binaries" The "only" is in a confusing spot there. For ET_EXEC ELF objects (traditional binaries) randomization is controlled by aslr_enable. For ET_DYN ELF objects (PIE binaries) randomization is controlled by pie_aslr_enable. > Might aslr_enabled_pie_only also be a better OID name? Perhaps not worth > the churn, but long term it would be great if OID names reflected what > they are/do, rather than what they're not/don't do. That's true, and I think aslr_enable_pie may be a better name. I don't see how "they're not/don't do" applies here though. > > +static int __elfN(aslr_honor_sbrk) = 0; > > SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, honor_sbrk, CTLFLAG_RW, > > &__elfN(aslr_honor_sbrk), 0, > > __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": assume sbrk is used"); > > > > Can we add (DEPRECATED) to the control description, and/or otherwise > mark the control as deprecated if the sysctl framework supports an > attribute marking them as such? The sbrk system call is deprecated, not the sysctl node.