[CFT] ASLR, PIE, and segvguard on 11-current and 10-stable

Oliver Pinter oliver.pntr at gmail.com
Sun May 25 17:42:18 UTC 2014 

On 5/25/14, Dag-Erling Smørgrav <des at des.no> wrote:
> Oliver Pinter <oliver.pntr at gmail.com> writes:
>>       PAX LOG: implement new logging subsystem
>>       PAX LOG: fix pax_ulog_segvguard
>>       PAX LOG: added sysctl's and tunables
>>       PAX ASLR: use PAX LOG
>>       PAX LOG: fix pax_ulog_##name()
>>       PAX LOG: fix prison init
>>       PAX LOG: fixed log and ulog sysctl
>
> What exactly is the purpose of PAX LOG?  Have you considered using
> ktrace instead?

pax_log will be in future a generic pax related logging framework,
with ratelimiting and other features.
It will log user, IP, binary name, path, checksum, and others.

>
>>       PAX: blacklist clang and related binaries from PIE support
>
> Why?  Performance, or do they actually break?

No. If you definded WITH_CLANG_EXTRAS= in src.conf, the breaked the build.
(added dim@ to CC)

--- usr.bin.all__D ---
/usr/obj/usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang/bugpoint/../../../lib/clang/libllvmirreader/libllvmirreader.a:
could not read symbols: Bad value
c++: error: linker command failed with exit code 1 (use -v to see invocation)
*** [bugpoint] Error code 1

bmake[5]: stopped in
/usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang/bugpoint
1 error

bmake[5]: stopped in
/usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang/bugpoint
*** [all_subdir_bugpoint] Error code 2

bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang
--- usr.sbin.all__D ---
A failure has been detected in another branch of the parallel make

bmake[5]: stopped in
/usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin/acpi/iasl
*** [all] Error code 2

bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin/acpi
1 error

bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin/acpi
*** [all_subdir_acpi] Error code 2

bmake[3]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin
1 error

bmake[3]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin
*** [usr.sbin.all__D] Error code 2

bmake[2]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git
--- usr.bin.all__D ---
--- all_subdir_tblgen ---
A failure has been detected in another branch of the parallel make

bmake[5]: stopped in
/usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang/tblgen
*** [all_subdir_tblgen] Error code 2

bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang
2 errors

bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang
*** [all_subdir_clang] Error code 2

bmake[3]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin

>
>>       PAX ASLR: Blacklist the applications that don't support being built
>> as a position-independent executable
>
> "don't support" as in you have tested them and confirmed that they break
> in some way?  Could you post your test methodology so people can
> replicate the failures and look into fixing them?
>
>>       PAX ASLR: Use a full kernel config for LATT-ASLR
>
> What is the difference between LATT-ASLR and OP-ASLR, and why not just
> "include GENERIC"?  You know about "nooptions", right?

In upstreamed patch will be removed this kernel configs. These are
Shawn's and my kernel config.

>
>>       Revert "PAX: blacklist clang and related binaries from PIE support"
>>       Revert "Revert "PAX: blacklist clang and related binaries from PIE
>> support""
>
> Hmm...

See above.

>
> DES
> --
> Dag-Erling Smørgrav - des at des.no
>

More information about the freebsd-stable mailing list