[RFC] Enable nxstack by default

Oliver Pinter oliver.pntr at gmail.com
Wed Nov 16 00:09:22 UTC 2011


On 11/15/11, Jeremie Le Hen <jeremie at le-hen.org> wrote:
> Hi,
>
> On Wed, Oct 19, 2011 at 12:37:44AM +0200, Oliver Pinter wrote:
>> Some PaX features [0] have been implemented in NetBSD (ASLR, W^X
>> (~nxstack), mprotect restriction, veriexec, mmap randomization [2]...).
>>
>> [0] http://pax.grsecurity.net/docs/index.html
>> [1] http://www.netbsd.org/~elad/recent/man/security.8.html
>> [2] http://people.freebsd.org/~ssouhlal/testing/stackgap-20050527.diff
>
> Suleiman actually wrought two patches, one randomizing the stack (the
> one you pointed out) and another one randomizing non-fixed mmap(2)
> calls:
>
> http://people.freebsd.org/~ssouhlal/testing/mmap_random-20050528.diff
>
>
> FYI, they do not apply cleanly on recent source trees (the patches were
> made in 2005), but they can be applied with little fiddling.  I'm
> running multiple 8.x production machines with them without any problem.

Yeah, I use this patch in 7-STABLE and 9-STABLE too.
The patch for 9-STABLE is attached.



>
> I've always wanted them to be committed as opt-in knobs, but I can't
> remember why they hadn't at the time.
>
> Cheers,
> --
> Jeremie Le Hen
>
> Men are born free and equal.  Later on, they're on their own.
> 				Jean Yanne
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: randomize-stack-and-mmap.diff
Type: text/x-diff
Size: 4190 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20111116/b67a9b75/randomize-stack-and-mmap.bin

