Introduce HardenedBSD's SEGVGUARD. · opnsense/src@132c917

Commit

Introduce HardenedBSD's SEGVGUARD.

Browse files

lattera authored and fichtner committed Nov 9, 2016

1 parent f30e2d8 commit 132c917

sys/conf/NOTES

-Original file line number
+Diff line change
@@ Expand Up / @@ -3061,6 +3061,7 @@ options GZIO @@
     # PAX and HardenedBSD related knobs
     options		PAX		# Enable the PAX framework
     options		PAX_ASLR	# Address Space Layout Randomization
+    options		PAX_SEGVGUARD	# ASLR bruteforce protection
     options		HBSD_DEBUG
     # BHND(4) drivers
@@ Expand Down @@

sys/conf/files

-Original file line number
+Diff line change
@@ Expand Up / @@ -3218,9 +3218,10 @@ fs/ext2fs/ext2_subr.c optional ext2fs @@
     fs/ext2fs/ext2_vfsops.c		optional ext2fs
     fs/ext2fs/ext2_vnops.c		optional ext2fs
     #
-    hardenedbsd/hbsd_pax_common.c	optional pax
-    hardenedbsd/hbsd_pax_log.c	optional pax
-    hardenedbsd/hbsd_pax_aslr.c	optional pax
+    hardenedbsd/hbsd_pax_common.c		optional pax
+    hardenedbsd/hbsd_pax_log.c		optional pax
+    hardenedbsd/hbsd_pax_aslr.c		optional pax pax_aslr
+    hardenedbsd/hbsd_pax_segvguard.c	optional pax pax_segvguard
     #
     isa/isa_if.m			standard
     isa/isa_common.c		optional isa
@@ Expand Down @@

sys/conf/options

-Original file line number
+Diff line change
@@ Expand Up / @@ -968,6 +968,7 @@ RCTL opt_global.h @@
     # PaX-inspired hardening features
     PAX		opt_pax.h
     PAX_ASLR	opt_pax.h
+    PAX_SEGVGUARD	opt_pax.h
     PAX_SYSCTLS	opt_pax.h
     HBSD_DEBUG	opt_pax.h
@@ Expand Down @@

sys/hardenedbsd/hbsd_pax_common.c

-Original file line number
+Diff line change
@@ Expand Up @@
     #endif
     #endif
+    #ifdef PAX_SEGVGUARD
+    	flags |= pax_segvguard_setup_flags(imgp, td, mode);
+    #endif
     	CTR3(KTR_PAX, "%s : flags = %x mode = %x",
     	    __func__, flags, mode);
@@ Expand Down Expand Up / @@ -326,6 +330,7 @@ pax_init_prison(struct prison *pr) @@
     	    __func__, pr->pr_name);
     	pax_aslr_init_prison(pr);
+    	pax_segvguard_init_prison(pr);
     #ifdef COMPAT_FREEBSD32
     	pax_aslr_init_prison32(pr);
@@ Expand Down @@

sys/hardenedbsd/hbsd_pax_log.c

-Original file line number
+Diff line change
@@ Expand Up @@
     __HARDENING_LOG_TEMPLATE(HBSD, INTERNAL, pax, internal);
     __HARDENING_LOG_TEMPLATE(HBSD, ASLR, pax, aslr);
+    __HARDENING_LOG_TEMPLATE(HBSD, SEGVGUARD, pax, segvguard);
     void
     pax_log_internal_imgp(struct image_params *imgp, pax_log_settings_t flags, const char* fmt, ...)
@@ Expand Down @@

Please sign in to comment.