HBSD: bump __HardenedBSD_version to 1200056 after the jail params

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
HardenedBSD · Jan 2, 2018 · c9b8bc0 · c9b8bc0
1 parent fd60516
commit c9b8bc0
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/UPDATING-HardenedBSD b/UPDATING-HardenedBSD
@@ -1,3 +1,33 @@
+[20180103] PAX_JAIL_SUPPORT
+__HardenedBSD_version = 1200056
+
+	Added infrastructure to change hardening settings at
+	jail creating time. You can use the same "mibs" as
+	jail params, which exists under the hardening sysctl
+	leaf. See the example jail.conf sniplet:
+
+	  exec.start = "/bin/sh /etc/rc";
+	  exec.stop = "/bin/sh /etc/rc.shutdown";
+	  exec.clean;
+	  mount.devfs;
+
+	  path = "/usr/jails/$name";
+	  host.hostname = "$name";
+
+	  hbsdnx {
+	          hardening.pax.segvguard.status = 3;
+	          hardening.pax.mprotect.status = 3;
+	          hardening.pax.pageexec.status = 3;
+	          hardening.pax.aslr.status = 3;
+	          persist;
+	  }
+
+	In the current implementation the settings are still
+	modifiable via sysctls inside from the jail, but this
+	will change in the future. The same is true for the
+	nested jails.
+
+
 [20170914] TOCTOU fix, PAX_CONTROL_{ACL,EXTATTR}
 __HardenedBSD_version = 1200055
 

diff --git a/sys/sys/pax.h b/sys/sys/pax.h
@@ -32,7 +32,7 @@
 #ifndef	_SYS_PAX_H
 #define	_SYS_PAX_H
 
-#define	__HardenedBSD_version	1200055UL
+#define	__HardenedBSD_version	1200056UL
 
 #if defined(_KERNEL) || defined(_WANT_PRISON)
 typedef	uint32_t	pax_state_t;