opnsense-src/sys
Shawn Webb efe03b23a6 HBSD OPNsense: Separate out the ASLR code.
On OPNsense's 16.7 roadmap is HardenedBSD's ASLR code. This commit
separates out the ASLR code from the rest of our exploit mitigation
and system hardening code.

Testing and verification still need to be performed. Initial testing
(compile + boot + `procstat -v PIDofPIEapplication`) has been
performed. More thorough testing should occur.

Shared object load order randomization in the RTLD is not included in
this patch. That will be discussed with the fine folks at OPNsense at
a later time.

On i386, the stack isn't randomized enough to provide enough space for
the VDSO to be randomized. Bump the stack randomization up to 14 for
32bit systems and lower the VDSO randomization to 8. This provides
enough of a difference between the two to allow for both stack and
VDSO randomization.

Note that ASLR on 32bit systems is still rather weak. Not much entropy
can be introduced into the stack and VDSO. Brute forcing the stack and
VDSO is well within the realm of possibility. Users are strongly
advised to migrate to 64bit systems.

Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>
2016-06-08 17:20:42 +02:00
amd64 HBSD OPNsense: Separate out the ASLR code. 2016-06-08 17:20:42 +02:00
arm HBSD OPNsense: Separate out the ASLR code. 2016-06-08 17:20:42 +02:00
boot boot: improve branding by adding a shiny logo and version info 2016-05-25 22:22:12 +02:00
bsm src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
cam src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
cddl Fix multiple OpenSSL vulnerabilities. [SA-16:17] 2016-05-21 08:31:20 +02:00
compat HBSD OPNsense: Separate out the ASLR code. 2016-06-08 17:20:42 +02:00
conf HBSD OPNsense: Separate out the ASLR code. 2016-06-08 17:20:42 +02:00
contrib src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
crypto src: clean-cut move to 10.2-RELEASE 2015-08-14 14:15:00 +02:00
ddb HBSD OPNsense: Separate out the ASLR code. 2016-06-08 17:20:42 +02:00
dev amdtemp: adds APU2 support 2016-05-21 08:48:36 +02:00
fs tmpfs: allow recurse as that does happen when using unionfs 2016-05-21 08:37:13 +02:00
gdb src: initial commit based on FreeBSD-10.0 2014-11-09 09:30:14 +01:00
geom src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
gnu src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
hardenedbsd HBSD OPNsense: Separate out the ASLR code. 2016-06-08 17:20:42 +02:00
i386 HBSD OPNsense: Separate out the ASLR code. 2016-06-08 17:20:42 +02:00
ia64 src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
isa src: initial commit based on FreeBSD-10.0 2014-11-09 09:30:14 +01:00
kern HBSD OPNsense: Separate out the ASLR code. 2016-06-08 17:20:42 +02:00
kgssapi src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
libkern src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
mips HBSD OPNsense: Separate out the ASLR code. 2016-06-08 17:20:42 +02:00
modules ipfw: apply dummynet aqm patch 0.2.1 2016-05-21 08:59:08 +02:00
net Revert "tools: apply pf_match.diff" 2016-05-30 15:17:00 +02:00
net80211 src: clean-cut move to 10.2-RELEASE 2015-08-14 14:15:00 +02:00
netatalk *: upgrade to 10.1 as a bulk commit 2015-02-10 19:21:02 +01:00
netgraph netgraph: mpd transition patches 2016-05-21 08:52:49 +02:00
netinet ipfw: apply dummynet aqm patch 0.2.1 2016-05-21 08:59:08 +02:00
netinet6 src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
netipsec src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
netipx src: clean-cut move to 10.2-RELEASE 2015-08-14 14:15:00 +02:00
netnatm src: initial commit based on FreeBSD-10.0 2014-11-09 09:30:14 +01:00
netpfil Revert "tools: apply pf_match.diff" 2016-05-30 15:17:00 +02:00
netsmb src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
nfs src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
nfsclient src: clean-cut move to 10.2-RELEASE 2015-08-14 14:15:00 +02:00
nfsserver src: clean-cut move to 10.2-RELEASE 2015-08-14 14:15:00 +02:00
nlm *: upgrade to 10.1 as a bulk commit 2015-02-10 19:21:02 +01:00
ofed src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
opencrypto *: upgrade to 10.1 as a bulk commit 2015-02-10 19:21:02 +01:00
pc98 src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
pci src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
powerpc HBSD OPNsense: Separate out the ASLR code. 2016-06-08 17:20:42 +02:00
rpc src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
security src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
sparc64 HBSD OPNsense: Separate out the ASLR code. 2016-06-08 17:20:42 +02:00
sys HBSD OPNsense: Separate out the ASLR code. 2016-06-08 17:20:42 +02:00
teken src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
tools src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
ufs src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
vm HBSD OPNsense: Separate out the ASLR code. 2016-06-08 17:20:42 +02:00
x86 Fix multiple OpenSSL vulnerabilities. [SA-16:17] 2016-05-21 08:31:20 +02:00
xdr src: initial commit based on FreeBSD-10.0 2014-11-09 09:30:14 +01:00
xen src: clean-cut move to release/10.3.0 2016-05-21 08:25:57 +02:00
Makefile src: initial commit based on FreeBSD-10.0 2014-11-09 09:30:14 +01:00