Re: git: b014e0f15bc7 - main - Enable ASLR by default for 64-bit executables

From: Ed Maste <emaste_at_freebsd.org>
Date: Thu, 18 Nov 2021 15:19:52 UTC
On Tue, 16 Nov 2021 at 18:42, Kubilay Kocak <koobs@freebsd.org> wrote:
>
> The current description seems ambiguous with respect to the added
> comment. If the sysctl (=1) applies ASLR "only" for PIE binaries, where
> the =0 (sysctl disabled) case applies it unconditionally, a better
> description might be:
>
> "Enable address map randomization only for PIE binaries"

The "only" is in a confusing spot there.

For ET_EXEC ELF objects (traditional binaries) randomization is
controlled by aslr_enable.

For ET_DYN ELF objects (PIE binaries) randomization is controlled by
pie_aslr_enable.

> Might aslr_enabled_pie_only also be a better OID name? Perhaps not worth
> the churn, but long term it would be great if OID names reflected what
> they are/do, rather than what they're not/don't do.

That's true, and I think aslr_enable_pie may be a better name. I don't
see how "they're not/don't do" applies here though.

> > +static int __elfN(aslr_honor_sbrk) = 0;
> >   SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, honor_sbrk, CTLFLAG_RW,
> >       &__elfN(aslr_honor_sbrk), 0,
> >       __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": assume sbrk is used");
> >
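Review bot: The description string on the SYSCTL_INT line, ": assume sbrk is used", does not say what a non-zero value changes about address map randomization. That effect is what an administrator needs to know now that the added initializer makes 0 the default. Suggest rewording the description to state the effect of setting the knob, and documenting the 0 default alongside it.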
>
> Can we add (DEPRECATED) to the control description, and/or otherwise
> mark the control as deprecated if the sysctl framework supports an
> attribute marking them as such?

The sbrk system call is deprecated, not the sysctl node.
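
The ET_EXEC / ET_DYN split described in this message, as an added example that is not part of the original message or of the FreeBSD source: a C helper that reads `e_type` from an ELF header and names the variable from the thread that governs randomization for that image. The function name `aslr_knob_for` and the two sample headers are constructed for illustration, and only 64-bit images are handled, matching the commit subject.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the ELF specification. */
enum { EI_CLASS = 4, EI_DATA = 5, ELFCLASS64 = 2, ELFDATA2LSB = 1,
       ELFDATA2MSB = 2, ET_EXEC = 2, ET_DYN = 3 };

/* Constructed samples: the first 18 bytes of a 64-bit little-endian ELF
 * file, differing only in e_type (bytes 16-17). */
static const unsigned char sample_exec[18] =
    { 0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, ET_EXEC, 0 };
static const unsigned char sample_pie[18] =
    { 0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, ET_DYN, 0 };

/* Hypothetical helper (not a FreeBSD API): return the name of the variable
 * from the thread that controls randomization for this image, or NULL if
 * the header is truncated, not ELF, not 64-bit, or another object type. */
const char *aslr_knob_for(const unsigned char *hdr, size_t len)
{
    uint16_t e_type;

    if (len < 18 || memcmp(hdr, "\177ELF", 4) != 0)
        return NULL;
    if (hdr[EI_CLASS] != ELFCLASS64)
        return NULL;
    /* e_type is a 16-bit field at offset 16, stored in the file's byte order. */
    if (hdr[EI_DATA] == ELFDATA2LSB)
        e_type = (uint16_t)(hdr[16] | (hdr[17] << 8));
    else if (hdr[EI_DATA] == ELFDATA2MSB)
        e_type = (uint16_t)((hdr[16] << 8) | hdr[17]);
    else
        return NULL;
    if (e_type == ET_EXEC)
        return "aslr_enable";       /* traditional fixed-address binary */
    if (e_type == ET_DYN)
        return "pie_aslr_enable";   /* PIE; shared objects are also ET_DYN */
    return NULL;                    /* ET_REL, ET_CORE, ... */
}

int main(void)
{
    printf("ET_EXEC sample: %s\n", aslr_knob_for(sample_exec, sizeof(sample_exec)));
    printf("ET_DYN sample:  %s\n", aslr_knob_for(sample_pie, sizeof(sample_pie)));
    return 0;
}
```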