HBSD: Bump __HardenedBSD_version to 48 for SafeStack

Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
HardenedBSD · Jan 12, 2017 · 7520382 · 7520382
1 parent 9c275af
commit 7520382
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/UPDATING-HardenedBSD b/UPDATING-HardenedBSD
@@ -1,3 +1,16 @@
+[20170112] Enable SafeStack by default for amd64
+__HardenedBSD_version = 48
+
+	Enable WITH_SAFESTACK by default on HardenedBSD/amd64.
+	SafeStack is an exploit mitigation technique developed in the
+	clang/llvm project, born in the Code-Pointer Integrity
+	(CPI) project. Now that base has clang 3.9.1, which contains
+	a more mature CFI/CPI implementation, SafeStack can be enabled
+	by default for amd64.
+
+	Disable SafeStack for base by setting WITHOUT_SAFESTACK in
+	src.conf(5).
+
 [20160820] Enable LibreSSL by default
 __HardenedBSD_version = 47
 

diff --git a/sys/sys/pax.h b/sys/sys/pax.h
@@ -32,7 +32,7 @@
 #ifndef	_SYS_PAX_H
 #define	_SYS_PAX_H
 
-#define	__HardenedBSD_version	47UL
+#define	__HardenedBSD_version	48UL
 
 #if defined(_KERNEL) || defined(_WANT_PRISON)
 struct hbsd_features {