forked from freebsd/freebsd-src
-
Notifications
You must be signed in to change notification settings - Fork 42
/
UPDATING-HardenedBSD
443 lines (286 loc) · 12.2 KB
/
UPDATING-HardenedBSD
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
[20170914] Changed auxvector after e5ea82a50dd64a3e47767b132a16281242ff396d
__HardenedBSD_version = 1200054
After the following commit:
> commit e5ea82a50dd64a3e47767b132a16281242ff396d
> Author: jhb <jhb@FreeBSD.org>
> Date: Thu Sep 14 14:26:55 2017 +0000
> Add AT_HWCAP and AT_EHDRFLAGS on all platforms.
>
> A new 'u_long *sv_hwcap' field is added to 'struct sysentvec'. A
> process ABI can set this field to point to a value holding a mask of
> architecture-specific CPU feature flags. If an ABI does not wish to
> supply AT_HWCAP to processes the field can be left as NULL.
>
> The support code for AT_EHDRFLAGS was already present on all systems,
> just the #define was not present. This is a step towards unifying the
> AT_* constants across platforms.
>
> Reviewed by: kib
> MFC after: 1 month
> Differential Revision: https://reviews.freebsd.org/D12290
> Notes:
> svn path=/head/; revision=323579
the AT_PAXFLAGS has been changed from 24 to 26 position in
elf auxvector. This may break some functionality, especially
the SHLIBRAND feature, when you running on a newer kernel
with an older user-space.
[20170831] Changed pax_elf API
__HardenedBSD_version = 1200053
As preparation to hardenedBSD rationalize
the pax_elf(...) functions signature, to
follow the codes in kern_exec's style.
For the details, see the code.
[20170709] Enforced KPI
__HardenedBSD_version = 1200052
Enfore the KPI version at compile time. This
will implicate the recompilation of external
modules even once __HardenedBSD_version or
__FreeBSD_version gets bumped.
[20170624] Enable OpenNTPd by default
__HardenedBSD_version = 1200051
Enable WITH_OPENNTPD by default on HardenedBSD.
After this point we deliver OpenNTPd as base
ntp provider for HardenedBSD. ISC ntpd is still
available, and accessible with WITHOUT_OPENNTPD=
knob in src.conf(5).
[20170616] Changed __HardenedBSD_version scheme
__HardenedBSD_version = 1200050
The version numbers may differ in different branches (10-STABLE,
11-STABLE, 12-CURRENT) and to keep the version number in pair
with the features state, there is a need to allow to bump they
differently.
[20170616] Changed default protection settings for text section
__HardenedBSD_version = 50
Fixes the (theoretically) last outstanding memory
protection related weakness in HBSD's user-space detectable
with paxtest.
[20170302] Enable CFI by default for amd64
__HardenedBSD_version = 49
Enable WITH_CFI by default on HardenedBSD/amd64.
Control-Flow Integrity (CFI) is an exploit mitigation
technique developed in the clang/llvm project. Now that
base has clang 4.0.0, which brings a linker that supports
Link-Time Optimization (LTO), lld, we can now make use of
CFI, which requires LTO.
This also enables lld by default for amd64 and arm64. Disable
CFI by setting WITHOUT_CFI in src.conf(5).
[20170112] Enable SafeStack by default for amd64
__HardenedBSD_version = 48
Enable WITH_SAFESTACK by default on HardenedBSD/amd64.
SafeStack is an exploit mitigation technique developed in the
clang/llvm project, born in the Code-Pointer Integrity
(CPI) project. Now that base has clang 3.9.1, which contains
a more mature CFI/CPI implementation, SafeStack can be enabled
by default for amd64.
Disable SafeStack for base by setting WITHOUT_SAFESTACK in
src.conf(5).
[20160820] Enable LibreSSL by default
__HardenedBSD_version = 47
Enable WITH_LIBRESSL by default on HardenedBSD.
After this we point we deliver LibreSSL as base
SSL engine for HardenedBSD. The OpenSSL is still
available, and accessable with WITHOUT_LIBRESSL=
knob in src.conf.
[20160423] RELRO + BIND_NOW
__HardenedBSD_version = 46
Enable RELRO + BIND_NOW for base.
Introduce WITHOUT_RELRO and WITHOUT_BIND_NOW.
Setting WITHOUT_RELRO also sets WITHOUT_BIND_NOW.
[20160408] PIEified base for amd64 and i386
__HardenedBSD_version = 45
Remove WANTS_PIE.
Default PIE for base for amd64 and i386 only.
When PIE is enabled, compile non-static libraries with -fPIC.
Default WITH_SHARED_TOOLCHAIN to enabled by default.
If you encounter build problems during make buildworld,
try to clean the object files directory, which is typically
/usr/obj:
cd /usr/obj; rm -rf *
And retry to build the world. This will require due to not
proper cleaning mechanizm of FreeBSD's build framework.
[201603XX] noexec and ASLR changes
__HardenedBSD_version = 44
Fixed noexec's paxflags parser to get usable system on
bronen setups too.
Changed ASLR stack randomization settings on 32 machines.
[20160316] ASLR cleanup
__HardenedBSD_version = 43
Since the hardening.pax.aslr.*_len variables are no longer
available outside of loader.conf(5), remove them from
struct hbsd_features, which gets embedded in struct
prison. This change makes the hardening.pax.aslr.*_len
variables a global setting, rather than a per-jail setting.
[20160225] RTLD noexec
__HardenedBSD_version = 42
Enforce nonexec thread stacks, driven by the RTLD.
[20160213] rewritten internals
__HardenedBSD_version = 41
Changed hardenedBSD core structures.
Dropped ptrace_hardening.
Dropped ASLR bit settings.
Fixed hbsd_update_build bug.
Added skeleton file.
Changed feature strings.
Changed noexec implicit rules.
[20160123] add pax_get_hardenedbsd_version API
__HardenedBSD_version = 40
Add pax_get_hardenedbsd_version() API to query hardening's version
from kernel codes.
Add new types, which represents the PAX_FLAGS.
[20151225] redo rework internal structures
__HardenedBSD_version = 39
Change pax_get_prison(...) to pax_get_prison_td(...) where possible.
Fix one segvguard related issue.
Changed pax_elf signature.
We reverted this code in version 37, because we observed weird
issue, but this issues was unrelated to the reworked internals.
The true root of the problem was a secadm bug and the issue fixed
with version 38.
[20151218] reworked MAP_32BIT mmap randomization
__HardenedBSD_version = 38
Previously the MAP_32BIT case mmap randomization was an ASR,
to fix this and some other issue with the MAP_32BIT related
mmap, implement a proper ASLR.
Upstream fixed stability issues with higher order PID randomization
[20151208] revert the reworked internal structures
__HardenedBSD_version = 37
revert: Change pax_get_prison(...) to pax_get_prison_td(...) where possible.
revert: Changed pax_elf signature.
[20151206] rework internal structures
__HardenedBSD_version = 36
Change pax_get_prison(...) to pax_get_prison_td(...) where possible.
Change noexec's sysctl handlers.
Fix one segvguard related issue.
Fix randompid related issue.
Changed pax_elf signature.
[20151123] changed proc structure : added p_timekeep_base
__HardenedBSD_version = 35
Follow the recent VDSO changes from kib@.
This required to introduce new field to struct proc.
[20151018] disabled lib32 build by default
__HardenedBSD_version = 34
Do not build lib32 and 32bit related stuffs on 64bit platforms
by default.
[20150924] changed stack-protector level
__HardenedBSD_version = 33
Bump the default build settings from the --stack-protector
to --stack-protector-strong.
[20150915] ASLR changes
__HardenedBSD_version = 32
Changed default VDSO randomization from 20 bits to 28 bits.
Fixed div by zero in rare cases in pax_aslr_init_vmspace.
[20150907] Reworked DISALLOWMAP32BIT and changes some internal functions
__HardenedBSD_version = 31
Rename and correctly paxify the DISALLOWMAP32BIT.
Changed pax flags setup.
[20150905] Added MAP32_PROTECT
__HardenedBSD_version = 30
Added per-process mode to disable MAP_32BIT mode mmap(2).
[20150823] Fixed pkg bootstrap
__HardenedBSD_version = 29
With FreeBSD commit 671f0b9, use of pubkey signature_type method is explicitly disallowed.
This breaks bootstrapping with pubkey signature_type.
[20150715] Fixed vdso randomization
__HardenedBSD_version = 28
Fixed and simplified vdso and stack mapping.
[20150706] Added shared-page (vdso) randomization
__HardenedBSD_version = 27
This version brings in true stack randomization.
Changed ASLR settings:
vdso random : 20 bit
[20150701] Rewriten stack randomization, and bumped ASLR settings
__HardenedBSD_version = 26
This version brings in true stack randomization.
Changed ASLR settings:
stack random : 26 -> 42 bit
exec random : 21 -> 30 bit
[20150605] ASLR "rewrite" and NOEXEC fixes after jhb's vm_mmap.c changes
__HardenedBSD_version = 25
__HardenedBSD_version = 24
Move the mmap randomization to it's own place and add more state enforcements (KASSERTs).
Added locking around pax_aslr_mmap(...).
Factore out the MAP_32BIT related code from pax_aslr_mmap(...), and move to pax_aslr_mmap_map_32bit(...)
[20150604] fix ASLR - randomize the rtld's shared object too
__HardenedBSD_version = 23
Randomize the rtld's address before load them in imgact_elf.c
[20150604] added PAX_NOTE_{,NO}SHLIBRANDOM extension
__HardenedBSD_version = 22
This feature will fix the issue mentioned on issue #137
[20150528] Changed internal structure, removed hardening.pax.segvguard.debug sysctl
__HardenedBSD_version = 21
Changed internal structure
Removed hardening.pax.segvguard.debug sysctl
[20150415] Bumped stack randomization
__HardenedBSD_version = 20
Increased stack randomization from 20 bit to 26 bit.
[20150415] Fixed stack randomization
__HardenedBSD_version = 19
[20150408] How to get HardenedBSD and HardenedBSD-ports?
Without git/svnlite:
HardenedBSD source:
# fetch https://github.com/HardenedBSD/hardenedBSD/archive/hardened/current/master.tar.gz -o hardenedbsd-src.tar.gz
# tar xf hardenedbsd-src.tar.gz
# mv hardenedBSD-hardened-current-master /usr/src
HardenedBSD ports:
# fetch https://github.com/HardenedBSD/freebsd-ports/archive/master.tar.gz -o hardenedbsd-ports.tar.gz
# tar xf hardenedbsd-ports.tar.gz
# mv freebsd-ports-master /usr/ports
Secadm:
# fetch https://github.com/HardenedBSD/secadm/archive/master.tar.gz -o secadm.tar.gz
# tar xf secadm.tar.gz
With git:
HardenedBSD-source:
# git clone https://github.com/HardenedBSD/hardenedBSD.git /usr/src
HardenedBSD ports:
# git clone https://github.com/HardenedBSD/freebsd-ports.git /usr/ports
Secadm:
# git clone https://github.com/HardenedBSD/secadm.git
With svnlite (much more slower than git version):
HardenedBSD-source:
# svnlite co https://github.com/HardenedBSD/hardenedBSD.git /usr/src
HardenedBSD ports:
# svnlite co https://github.com/HardenedBSD/freebsd-ports.git /usr/ports
Secadm:
# svnlite co https://github.com/HardenedBSD/secadm.git
[20150404] Added secadm hook to rtld
__HardenedBSD_version = 18
Added integriforce secadm hook to rtld to validate
shared object before loading them.
[20150318] Merged first part of NOEXEC project
__HardenedBSD_version = 17
This is the first part of PaX's MPROTECT restriction:
* this merge brings per process level restriction settings
* eliminated the linux's sound related mmap weakness
* improved the logging
...
If you have problem with your application, then install
secadm:
* from pkg:
pkg install secadm
* or from github:
# git clone https://github.com/hardenedbsd/secadm
# cd secadm
# make && make install
[201502011] Changed kernel knobs
Added ``options PAX`` to enable the HardenedBSD framework.
All other PAX_* knob depends on PAX knob.
[20150131] Upgrading from systems before "HBSD: Revert the chacha20 import in full."
After the "HBSD: Revert the chacha20 import in full." commit
we lost the compatibility with the previous version, this
means ABI break, and the system is unable to properly boot.
In the background is the removed VM_INHERIT_ZERO flag, which
was previously used in libc.
The solution is to install the new world, before you booting to the new kernel.
1. make buildworld kernel
2. IMPORTANT: install world before you reboot
2.1. mergemaster -p && make installworld && mergemaster
3. reboot
4. start in single user mode
5. cd /usr/src
6. make delete-old delete-old-libs
7. if you have buildworld or buildkernel error,
where the cc aborting and dumping core,
then you need to delete the content of /usr/obj directory:
7.1 cd /usr/obj
7.2 rm -rf *
And probably a full ports rebuild required too...