From 5a1bbae356ef4f3ff88d508f4614beaa36f8c3c8 Mon Sep 17 00:00:00 2001
From: Shawn Webb
Date: Fri, 12 Jan 2018 02:31:22 -0500
Subject: [PATCH] HBSD+OPNsense: Set hardening.pax.disallow_map32bit.status=1 by default
LuaJIT creates 32-bit memory maps in a 64-bit execution environment, which is disabled by default in HardenedBSD. We never ported the MAP_32BIT disallow logic over from HardenedBSD to OPNsense prior to 18.1. The merge of HardenedBSD's ASLR implementation for 18.1 also brought in the new logic. Instead of removing disallow_map32bit, simply set it to 1 by default. This will allow those who don't use LuaJIT applications to set it to 2 in /boot/loader.conf.local. Note that this commit is specific to OPNsense. OPNsense ships without the PAX_SYSCTLS kernel option, thus it's impossible to toggle via sysctl.conf(5) and must be set via loader.conf.local.
Signed-off-by: Shawn Webb
github-issue: opnsense/plugins#466
---
 sys/hardenedbsd/hbsd_pax_aslr.c | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/sys/hardenedbsd/hbsd_pax_aslr.c b/sys/hardenedbsd/hbsd_pax_aslr.c
index 2d1a6d348c0..da7d8cdfdb2 100644
--- a/sys/hardenedbsd/hbsd_pax_aslr.c
+++ b/sys/hardenedbsd/hbsd_pax_aslr.c
@@ -200,12 +200,8 @@ static int pax_aslr_exec_len = PAX_ASLR_DELTA_EXEC_DEF_LEN;
 static int pax_aslr_vdso_len = PAX_ASLR_DELTA_VDSO_DEF_LEN;
 #ifdef MAP_32BIT
 static int pax_aslr_map32bit_len = PAX_ASLR_DELTA_MAP32BIT_DEF_LEN;
-#ifdef PAX_HARDENING
-static int pax_disallow_map32bit_status_global = PAX_FEATURE_OPTOUT;
-#else
 static int pax_disallow_map32bit_status_global = PAX_FEATURE_OPTIN;
 #endif
-#endif
 #ifdef COMPAT_FREEBSD32
 static int pax_aslr_compat_status = PAX_FEATURE_OPTOUT;
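Review bot: The surviving initializer `static int pax_disallow_map32bit_status_global = PAX_FEATURE_OPTIN;` carries no explanation, so the next merge of upstream HardenedBSD's sys/hardenedbsd/hbsd_pax_aslr.c is likely to reinstate the removed `#ifdef PAX_HARDENING` / `PAX_FEATURE_OPTOUT` branch without anyone noticing that the weaker default is intentional. Because this file is shared with upstream and the rationale lives only in the commit message, a comment above that line would make the deviation visible in the source, e.g. `/* OPNsense: opt-in (1) rather than the PAX_HARDENING opt-out default; LuaJIT needs MAP_32BIT mappings. Override via hardening.pax.disallow_map32bit.status in loader.conf.local, since PAX_SYSCTLS is not built. */`. That comment should also say that the relaxation is unconditional, so a kernel built with PAX_HARDENING now gets the opt-in default as well, which is a broader effect than the "specific to OPNsense" wording suggests. Whether the loader tunable named in the subject is actually fetched for this variable cannot be confirmed from the hunk, so a reader will have to check the tunable hook elsewhere in the file.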