HBSD: cleanups, smaller reverts and review

* Remove default HT disable hardening for now
* Remove default tempaddr IPv6 for now
* Whitespace changes vs. FreeBSD

etc/motd

@@ -14,5 +14,4 @@ HardenedBSD ?.?.?  (UNKNOWN)
 +------------------------------------------------------------------------------+
 |     keyword: sysctl, secadm, git, github.com/hardenedbsd hardenedbsd.org     |
 +------------------------------------------------------------------------------+
-                Edit /etc/motd to change this login announcement.               
-
+                Edit /etc/motd to change this login announcement.

etc/pkg/FreeBSD.conf

@@ -12,5 +12,5 @@ FreeBSD: {
   mirror_type: "srv",
   signature_type: "fingerprints",
   fingerprints: "/usr/share/keys/pkg",
-  enabled: no
+  enabled: yes
 }

etc/pkg/HardenedBSD.conf

@@ -12,5 +12,5 @@ HardenedBSD: {
   mirror_type: "srv",
   signature_type: "fingerprints",
   fingerprints: "/usr/share/keys/pkg",
-  enabled: yes
+  enabled: no
 }

secure/usr.bin/ssh/Makefile

@@ -35,7 +35,6 @@ LIBADD+=	crypto
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
 .endif
 
-
 .include <bsd.prog.mk>
 
 .PATH:	${SSHDIR}

secure/usr.sbin/sshd/Makefile

@@ -64,7 +64,6 @@ LIBADD+=	crypto
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
 .endif
 
-
 .include <bsd.prog.mk>
 
 .PATH:	${SSHDIR}

share/man/man5/src.conf.5

@@ -769,7 +769,7 @@ and related utilities.
 .It Va WITHOUT_HBSD_UPDATE
 .\" $HardenedBSD$
 Set to not build
-.Xr hbsd-update 8 
+.Xr hbsd-update 8
 and
 .Xr hbsd-update-build 8 .
 .It Va WITH_HESIOD
@@ -939,7 +939,7 @@ When set, it enforces these options:
 .Va WITHOUT_LIBTHR
 .El
 .It Va WITH_LIBRESSL
-Set to build LibreSSL as libcrypto/libssl provider as replacement of the OpenSSL equivalents. 
+Set to build LibreSSL as libcrypto/libssl provider as replacement of the OpenSSL equivalents.
 .It Va WITH_LIBSOFT
 On armv6 only, set to enable soft float ABI compatibility libraries.
 This option is for transitioning to the new hard float ABI.

share/mk/bsd.opts.mk

@@ -76,6 +76,7 @@ __DEFAULT_DEPENDENT_OPTIONS = \
     STAGING_MAN/STAGING \
     STAGING_PROG/STAGING \
 
+
 .include <bsd.mkopt.mk>
 
 #

share/mk/src.opts.mk

@@ -305,7 +305,6 @@ BROKEN_OPTIONS+=LOADER_UBOOT
 # profiling won't work on MIPS64 because there is only assembly for o32
 BROKEN_OPTIONS+=PROFILE
 .endif
-
 .if ${__T} == "aarch64" || ${__T} == "amd64" || ${__T} == "i386" || \
     ${__T} == "powerpc64" || ${__T} == "sparc64"
 __DEFAULT_YES_OPTIONS+=CXGBETOOL

sys/amd64/amd64/gdb_machdep.c

@@ -138,4 +138,3 @@ gdb_end_write(void *arg)
 
 	load_cr0((u_long)arg);
 }
-

sys/arm64/include/elf.h

@@ -90,7 +90,6 @@ __ElfType(Auxinfo);
 #define	AT_PAGESIZESLEN	21	/* Number of pagesizes. */
 #define	AT_TIMEKEEP	22	/* Pointer to timehands. */
 #define	AT_STACKPROT	23	/* Initial stack protection. */
-
 #define	AT_EHDRFLAGS	24	/* e_flags field from elf hdr */
 #define	AT_HWCAP	25	/* CPU feature flags. */
 #define	AT_HWCAP2	26	/* CPU feature flags 2. */

sys/dev/random/fortuna.c

@@ -88,7 +88,7 @@ __FBSDID("$FreeBSD$");
  * and too small may compromise initial security but get faster reseeds.
  */
 #define	RANDOM_FORTUNA_MINPOOLSIZE 16
-#define	RANDOM_FORTUNA_MAXPOOLSIZE INT_MAX 
+#define	RANDOM_FORTUNA_MAXPOOLSIZE INT_MAX
 CTASSERT(RANDOM_FORTUNA_MINPOOLSIZE <= RANDOM_FORTUNA_DEFPOOLSIZE);
 CTASSERT(RANDOM_FORTUNA_DEFPOOLSIZE <= RANDOM_FORTUNA_MAXPOOLSIZE);
 

sys/kern/kern_shutdown.c

@@ -763,9 +763,11 @@ vpanic(const char *fmt, va_list ap)
 #ifdef SMP
 	printf("cpuid = %d\n", PCPU_GET(cpuid));
 #endif
+
 #ifdef PAX
 	pax_print_hbsd_context();
 #endif
+
 #ifdef KDB
 	if (newpanic && trace_on_panic)
 		kdb_backtrace();

sys/kern/sys_process.c

@@ -33,7 +33,6 @@
 __FBSDID("$FreeBSD$");
 
 #include "opt_compat.h"
-#include "opt_pax.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -46,7 +45,6 @@ __FBSDID("$FreeBSD$");
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/vnode.h>
-#include <sys/pax.h>
 #include <sys/ptrace.h>
 #include <sys/rwlock.h>
 #include <sys/sx.h>

sys/mips/include/elf.h

@@ -144,7 +144,6 @@ __ElfType(Auxinfo);
 #define	AT_PAGESIZESLEN	21	/* Number of pagesizes. */
 #define	AT_TIMEKEEP	22	/* Pointer to timehands. */
 #define	AT_STACKPROT	23	/* Initial stack protection. */
-
 #define	AT_EHDRFLAGS	24	/* e_flags field from elf hdr */
 #define	AT_HWCAP	25	/* CPU feature flags. */
 #define	AT_HWCAP2	26	/* CPU feature flags 2. */

sys/netinet/ip_input.c

@@ -35,7 +35,6 @@ __FBSDID("$FreeBSD$");
 #include "opt_bootp.h"
 #include "opt_ipstealth.h"
 #include "opt_ipsec.h"
-#include "opt_pax.h"
 #include "opt_route.h"
 #include "opt_rss.h"
 
@@ -127,12 +126,7 @@ SYSCTL_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_VNET | CTLFLAG_R
  * to the loopback interface instead of the interface where the
  * packets for those addresses are received.
  */
-#ifdef PAX_HARDENING
-static VNET_DEFINE(int, ip_checkinterface) = 1;
-#else
 static VNET_DEFINE(int, ip_checkinterface);
-#endif
-
 #define	V_ip_checkinterface	VNET(ip_checkinterface)
 SYSCTL_INT(_net_inet_ip, OID_AUTO, check_interface, CTLFLAG_VNET | CTLFLAG_RW,
     &VNET_NAME(ip_checkinterface), 0,

sys/netinet6/in6_proto.c

@@ -69,7 +69,6 @@ __FBSDID("$FreeBSD$");
 #include "opt_ipstealth.h"
 #include "opt_sctp.h"
 #include "opt_mpath.h"
-#include "opt_pax.h"
 #include "opt_route.h"
 
 #include <sys/param.h>
@@ -375,12 +374,8 @@ VNET_DOMAIN_SET(inet6);
 #endif /* !IPV6FORWARDING */
 
 #ifndef	IPV6_SENDREDIRECTS
-#ifdef PAX_HARDENING
-#define	IPV6_SENDREDIRECTS	0
-#else
 #define	IPV6_SENDREDIRECTS	1
 #endif
-#endif
 
 VNET_DEFINE(int, ip6_forwarding) = IPV6FORWARDING;	/* act as router? */
 VNET_DEFINE(int, ip6_sendredirects) = IPV6_SENDREDIRECTS;
@@ -397,13 +392,8 @@ VNET_DEFINE(int, ip6_hdrnestlimit) = 15;/* How many header options will we
 					 * process? */
 VNET_DEFINE(int, ip6_dad_count) = 1;	/* DupAddrDetectionTransmits */
 VNET_DEFINE(int, ip6_auto_flowlabel) = 1;
-#ifdef PAX_HARDENING
-VNET_DEFINE(int, ip6_use_deprecated) = 0;/* allow deprecated addr
-					 * (RFC2462 5.5.4) */
-#else
 VNET_DEFINE(int, ip6_use_deprecated) = 1;/* allow deprecated addr
 					 * (RFC2462 5.5.4) */
-#endif
 VNET_DEFINE(int, ip6_rr_prune) = 5;	/* router renumbering prefix
 					 * walk list every 5 sec. */
 VNET_DEFINE(int, ip6_mcast_pmtu) = 0;	/* enable pMTU discovery for multicast? */
@@ -426,11 +416,7 @@ VNET_DEFINE(int, pmtu_expire) = 60*10;
 VNET_DEFINE(int, pmtu_probe) = 60*2;
 
 /* ICMPV6 parameters */
-#ifdef PAX_HARDENING
-VNET_DEFINE(int, icmp6_rediraccept) = 0;/* accept and process redirects */
-#else
 VNET_DEFINE(int, icmp6_rediraccept) = 1;/* accept and process redirects */
-#endif
 VNET_DEFINE(int, icmp6_redirtimeout) = 10 * 60;	/* 10 minutes */
 VNET_DEFINE(int, icmp6errppslim) = 100;		/* 100pps */
 /* control how to respond to NI queries */

sys/netinet6/in6_src.c

@@ -66,7 +66,6 @@ __FBSDID("$FreeBSD$");
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_mpath.h"
-#include "opt_pax.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -129,11 +128,7 @@ static struct sx addrsel_sxlock;
 static VNET_DEFINE(struct in6_addrpolicy, defaultaddrpolicy);
 #define	V_defaultaddrpolicy		VNET(defaultaddrpolicy)
 
-#ifdef PAX_HARDENING
-VNET_DEFINE(int, ip6_prefer_tempaddr) = 1;
-#else
 VNET_DEFINE(int, ip6_prefer_tempaddr) = 0;
-#endif
 
 static int selectroute(struct sockaddr_in6 *, struct ip6_pktopts *,
 	struct ip6_moptions *, struct route_in6 *, struct ifnet **,

sys/netinet6/nd6_rtr.c

@@ -34,7 +34,6 @@ __FBSDID("$FreeBSD$");
 
 #include "opt_inet.h"
 #include "opt_inet6.h"
-#include "opt_pax.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -97,11 +96,7 @@ static VNET_DEFINE(struct ifnet *, nd6_defifp);
 VNET_DEFINE(int, nd6_defifindex);
 #define	V_nd6_defifp			VNET(nd6_defifp)
 
-#ifdef PAX_HARDENING
-VNET_DEFINE(int, ip6_use_tempaddr) = 1;
-#else
 VNET_DEFINE(int, ip6_use_tempaddr) = 0;
-#endif
 
 VNET_DEFINE(int, ip6_desync_factor);
 VNET_DEFINE(u_int32_t, ip6_temp_preferred_lifetime) = DEF_TEMP_PREFERRED_LIFETIME;

sys/powerpc/include/elf.h

@@ -107,7 +107,6 @@ __ElfType(Auxinfo);
 #define	AT_PAGESIZESLEN	19	/* Number of pagesizes. */
 #define	AT_STACKPROT	21	/* Initial stack protection. */
 #define	AT_TIMEKEEP	22	/* Pointer to timehands. */
-
 #define	AT_EHDRFLAGS	24	/* e_flags field from elf hdr */
 #define	AT_HWCAP	25	/* CPU feature flags. */
 #define	AT_HWCAP2	26	/* CPU feature flags 2. */

sys/riscv/include/elf.h

@@ -90,7 +90,6 @@ __ElfType(Auxinfo);
 #define	AT_PAGESIZESLEN	21	/* Number of pagesizes. */
 #define	AT_TIMEKEEP	22	/* Pointer to timehands. */
 #define	AT_STACKPROT	23	/* Initial stack protection. */
-
 #define	AT_EHDRFLAGS	24	/* e_flags field from elf hdr */
 #define	AT_HWCAP	25	/* CPU feature flags. */
 #define	AT_HWCAP2	26	/* CPU feature flags 2. */

sys/x86/include/elf.h

@@ -100,7 +100,6 @@ __ElfType(Auxinfo);
 #define	AT_PAGESIZESLEN	21	/* Number of pagesizes. */
 #define	AT_TIMEKEEP	22	/* Pointer to timehands. */
 #define	AT_STACKPROT	23	/* Initial stack protection. */
-
 #define	AT_EHDRFLAGS	24	/* e_flags field from elf hdr */
 #define	AT_HWCAP	25	/* CPU feature flags. */
 #define	AT_HWCAP2	26	/* CPU feature flags 2. */
@@ -189,7 +188,6 @@ __ElfType(Auxinfo);
 #define	AT_PAGESIZESLEN	21	/* Number of pagesizes. */
 #define	AT_TIMEKEEP	22	/* Pointer to timehands. */
 #define	AT_STACKPROT	23	/* Initial stack protection. */
-
 #define	AT_EHDRFLAGS	24	/* e_flags field from elf hdr */
 #define	AT_HWCAP	25	/* CPU feature flags. */
 #define	AT_HWCAP2	26	/* CPU feature flags 2. */

sys/x86/x86/mp_x86.c

@@ -33,7 +33,6 @@ __FBSDID("$FreeBSD$");
 #include "opt_cpu.h"
 #include "opt_isa.h"
 #include "opt_kstack_pages.h"
-#include "opt_pax.h"
 #include "opt_pmap.h"
 #include "opt_sched.h"
 #include "opt_smp.h"
@@ -138,11 +137,7 @@ volatile u_int cpu_ipi_pending[MAXCPU];
 static void	release_aps(void *dummy);
 static void	cpustop_handler_post(u_int cpu);
 
-#ifdef PAX_HARDENING
-static int	hyperthreading_allowed;
-#else
 static int	hyperthreading_allowed = 1;
-#endif
 SYSCTL_INT(_machdep, OID_AUTO, hyperthreading_allowed, CTLFLAG_RDTUN,
 	&hyperthreading_allowed, 0, "Use Intel HTT logical CPUs");
 

tests/sys/kern/kern_copyin.c

@@ -66,7 +66,7 @@ ATF_TC_BODY(kern_copyin, tc)
 	/*
 	 * On HardenedBSD, the last page not always mapped in contrast
 	 * to FreeBSD, where the last page always mapped as shared page.
-	 * 
+	 *
 	 * To fix this test, which expects the existence of the last page
 	 * just map them in at the test start, and unmap them at the end.
 	 */

tools/build/options/WITHOUT_HBSD_UPDATE

@@ -1,5 +1,5 @@
-.\" $HardenedBSD$
+.\" $FreeBSD$
 Set to not build
-.Xr hbsd-update 8 
+.Xr hbsd-update 8
 and
 .Xr hbsd-update-build 8 .

tools/build/options/WITHOUT_LIBRESSL

@@ -1,2 +1,2 @@
-.\" $FreeBSD: $
-Set to build OpenSSL as libcrypto/libssl provider as replacement of the LibreSSL equivalents. 
+.\" $FreeBSD$
+Set to build OpenSSL as libcrypto/libssl provider as replacement of the LibreSSL equivalents.

tools/build/options/WITHOUT_PIE

@@ -1 +1,2 @@
+.\" $FreeBSD$
 Disable building of Position-Independent Executables (PIEs).

tools/build/options/WITH_LIBRESSL

@@ -1,2 +1,2 @@
-.\" $FreeBSD: $
-Set to build LibreSSL as libcrypto/libssl provider as replacement of the OpenSSL equivalents. 
+.\" $FreeBSD$
+Set to build LibreSSL as libcrypto/libssl provider as replacement of the OpenSSL equivalents.

tools/build/options/WITH_SAFESTACK

@@ -1 +1,2 @@
+.\" $FreeBSD$
 Set to compile with SafeStack.

tools/build/options/WITH_SHLIBRANDOM

@@ -1 +1,2 @@
+.\" $FreeBSD$
 Enable randomizing the load order of shared objects.

usr.sbin/ctld/Makefile

@@ -17,7 +17,6 @@ MAN=		ctld.8 ctl.conf.5
 
 LIBADD=		bsdxml l md sbuf util ucl m
 
-
 YFLAGS+=	-v
 CLEANFILES=	y.tab.c y.tab.h y.output
 

usr.sbin/inetd/Makefile

@@ -29,5 +29,4 @@ CFLAGS+= -DIPSEC
 LIBADD+=	ipsec
 .endif
 
-
 .include <bsd.prog.mk>

usr.sbin/iscsid/Makefile

@@ -11,7 +11,6 @@ MAN=		iscsid.8
 
 LIBADD=		md util
 
-
 WARNS=		6
 
 .include <bsd.prog.mk>

usr.sbin/ppp/auth.c

@@ -129,7 +129,7 @@ auth_CheckPasswd(const char *name, const char *data, const char *key)
     struct passwd *pw;
     int result = 0;
     char *cryptpw;
-    
+
     pw = getpwnam(name);
 
     if (pw) {

usr.sbin/rtsold/Makefile

@@ -21,5 +21,4 @@ SRCS=	rtsold.c rtsol.c if.c probe.c dump.c rtsock.c
 
 WARNS?=	3
 
-
 .include <bsd.prog.mk>

usr.sbin/tcpdump/tcpdump/Makefile

@@ -198,7 +198,6 @@ CFLAGS+= -I${DESTDIR}/usr/include/openssl
 CFLAGS+= -DHAVE_LIBCRYPTO -DHAVE_OPENSSL_EVP_H
 .endif
 
-
 .if ${MK_PF} != "no"
 SRCS+=	print-pflog.c \
 	print-pfsync.c