Skip to content
Permalink
Browse files
HBSD: Bump __HardenedBSD_version due to FreeBSD ASR
FreeBSD's ASR implementation is now optionally available to HardenedBSD
users. As such, bump __HardenedBSD_version due to subtle changes in how
ASLR/ASR interact.

Note that allocation clustering is disabled by default, causing large
memory fragmentation with FreeBSD's ASR implementation (no additional
memory fragmentation with HardenedBSD's PaX ASLR). Enabling clustering
negatively impacts both ASR and ASLR implementations.

Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>
  • Loading branch information
lattera committed Apr 21, 2019
1 parent 9a12f3f commit 553b58b88ecd166c040c87d22ca1554361b0fad2
Showing with 17 additions and 1 deletion.
  1. +16 −0 UPDATING-HardenedBSD
  2. +1 −1 sys/sys/pax.h
@@ -1,3 +1,19 @@
[20181019] FreeBSD ASR with HardenedBSD ASLR
__HardenedBSD_version = 1300059

FreeBSD merged in their incomplete Address Space Randomization
(ASR) patch. Undo the reversion of the ASR patch and rely on
HardenedBSD's PaX ASLR implementation for the stack and shared
page when FreeBSD's ASR is enabled.

FreeBSD's ASR is disabled by default, but can be enabled at
runtime by setting the `kern.elf64.aslr.pie_enable` and
`kern.elf64.aslr.enable` sysctl nodes to 1. If HardenedBSD's
`hardening.pax.aslr.status' sysctl node is greater than or
equal to 2, the PaX ASLR implementation will only be in effect
for the stack and the shared page.


[20181019] shift to FreeBSD 13-CURRENT
__HardenedBSD_version = 1300058

@@ -32,7 +32,7 @@
#ifndef _SYS_PAX_H
#define _SYS_PAX_H

#define __HardenedBSD_version 1300058UL
#define __HardenedBSD_version 1300059UL

#if defined(_KERNEL) || defined(_WANT_PRISON)
typedef uint32_t pax_state_t;

0 comments on commit 553b58b

Please sign in to comment.