From 391aafd7abc06a8ec1c83cdbff07c13fb27e7560 Mon Sep 17 00:00:00 2001 From: Bartek Rutkowski Date: Fri, 21 Jul 2017 08:50:22 +0000 Subject: [PATCH] Remove stack guard option from hardening menu. Since kib's change the stack guard is now ON by default, this option in hardening menu of bsdinstall is no longer needed. Submitted by: Bartlomiej Rutkowski Reviewed by: bapt Approved by: bapt MFC after: 1 day Sponsored by: Pixeware LTD Differential Revision: https://reviews.freebsd.org/D11686
---
 usr.sbin/bsdinstall/scripts/hardening | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/usr.sbin/bsdinstall/scripts/hardening b/usr.sbin/bsdinstall/scripts/hardening
index 471108013d2..1ea312db7ef 100755
--- a/usr.sbin/bsdinstall/scripts/hardening
+++ b/usr.sbin/bsdinstall/scripts/hardening
@@ -42,11 +42,10 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
 "3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
 "4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
 "5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
- "6 stack_guard" "Set stack guard buffer size to 2MB" ${stack_guard:-off} \
- "7 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
- "8 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
- "9 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
- "10 secure_console" "Enable console password prompt" ${secure_console:-off} \
+ "6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
+ "7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
+ "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
+ "9 secure_console" "Enable console password prompt" ${secure_console:-off} \
 2>&1 1>&3 )
 exec 3>&-
 
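Review bot: Nothing left in the script records that the stack guard size is now whatever the kernel default is, while the entry removed from this checklist asked for a specific 2MB guard (`security.bsd.stack_guard_page=512`, dropped in the second hunk). "ON by default" in the commit message does not say the default is that large, so if it is smaller, systems installed with this menu get a narrower guard than before without any hint. I would add a comment ahead of the checklist such as `# stack guard is on by default; set security.bsd.stack_guard_page in sysctl.conf for a larger guard`. The `FEATURES=$( dialog` command starts above this hunk, so the comment has to go before it rather than between the continuation lines.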
@@ -69,9 +68,6 @@ for feature in $FEATURES; do
 if [ "$feature" = "random_pid" ]; then
 echo kern.randompid=$(jot -r 1 9999) >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
 fi
- if [ "$feature" = "stack_guard" ]; then
- echo security.bsd.stack_guard_page=512 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
- fi
 if [ "$feature" = "clear_tmp" ]; then
 echo 'clear_tmp_enable="YES"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
 fi