Make the ASLR sysctl's configurable on a per-jail basis.

This will allow users to enable support for legacy applications that
don't support ASLR well while still having ASLR for the whole system.

sys/kern/kern_exec.c

@@ -1062,13 +1062,20 @@ exec_new_vmspace(imgp, sv)
 	}
 
 #ifdef PAX_ASLR
+    if (pax_aslr_debug >= 2)
+        uprintf("[PaX ASLR] sv_minuser = 0x%016lx\n", sv_minuser);
+
 	pax_aslr_init(curthread, imgp);
 #endif /* PAX_ASLR */
 
 	/* Map a shared page */
 	obj = sv->sv_shared_page_obj;
 	if (obj != NULL) {
 		vm_object_reference(obj);
+#ifdef PAX_ASLR
+        if (pax_aslr_debug >= 2)
+            uprintf("[PaX ASLR] sv_shared_page_base = 0x%016lx\n", sv->sv_shared_page_base);
+#endif
 		error = vm_map_fixed(map, obj, 0,
 		    sv->sv_shared_page_base, sv->sv_shared_page_len,
 		    VM_PROT_READ | VM_PROT_EXECUTE,

sys/kern/kern_jail.c

@@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$");
 #include "opt_ddb.h"
 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_pax.h"
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -60,6 +61,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/syscallsubr.h>
 #include <sys/sysctl.h>
 #include <sys/vnode.h>
+#include <sys/pax.h>
 
 #include <net/if.h>
 #include <net/if_var.h>
@@ -114,6 +116,20 @@ struct prison prison0 = {
 	.pr_flags	= PR_HOST|_PR_IP_SADDRSEL,
 #endif
 	.pr_allow	= PR_ALLOW_ALL,
+#ifdef PAX_ASLR
+    .pr_pax_set = 0,
+    .pr_pax_aslr_status = 0,
+    .pr_pax_aslr_debug = 0,
+    .pr_pax_aslr_mmap_len = PAX_ASLR_DELTA_MMAP_MIN_LEN,
+    .pr_pax_aslr_stack_len = PAX_ASLR_DELTA_STACK_MIN_LEN,
+    .pr_pax_aslr_exec_len = PAX_ASLR_DELTA_EXEC_MIN_LEN,
+#ifdef COMPAT_FREEBSD32
+    .pr_pax_aslr_compat_status = 0,
+    .pr_pax_aslr_compat_mmap_len = PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN,
+    .pr_pax_aslr_compat_stack_len = PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN,
+    .pr_pax_aslr_compat_exec_len = PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN,
+#endif /* COMPAT_FREEBSD32 */
+#endif /* PAX_ASLR */
 };
 MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF);