git: 2e1c94aa1fd5 - main - Implement enforcing write XOR execute mapping policy.

Ed Maste emaste at freebsd.org
Tue Jan 12 02:57:44 UTC 2021


On Mon, 11 Jan 2021 at 19:34, John Baldwin <jhb at freebsd.org> wrote:
>
> To be clear though, this doesn't set the default to enforcing W^X, it just
> adds a knob that can be set to enforce that on most binaries.  My guess is
> that the plan is to get some testing/exposure of this on head (e.g. doing
> an exp-run with this set would probably be a good test?) and then flip the
> default to enable this restriction in the future?

Yes, an exp-run would be useful, although I don't think it will find
too much unless we execute regression tests on the built ports.

We can ask folks to turn it on and report problems; note that any ELF
binary requesting an executable stack will (appear to) abort at
startup, and will have to be fixed to request a non-executable stack.
Other than that I have seen no fallout after enabling this on my
laptop.

To enable, set the two sysctls:
kern.elf32.allow_wx=0
kern.elf64.allow_wx=0
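Since the fallout Ed describes comes from binaries whose PT_GNU_STACK header requests an executable stack, an inspection tool for exactly that header is a useful companion to flipping the knobs. Added example, not code from the commit or this message: it parses the program headers of an ELF32 or ELF64 image itself (no readelf dependency), and the ELF64 image it builds for demonstration is constructed sample input, not a real binary.

```python
import struct

PT_GNU_STACK = 0x6474E551          # p_type of the stack-permissions header
PF_X = 1                           # executable bit in p_flags


def stack_request(elf: bytes) -> str:
    """Classify what an ELF image asks for its stack: 'exec', 'noexec',
    or 'absent' when it carries no PT_GNU_STACK header at all.
    Handles ELFCLASS32 and ELFCLASS64 in either byte order."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = {1: "<", 2: ">"}[elf[5]]                    # EI_DATA: LSB or MSB
    if elf[4] == 2:                                   # ELFCLASS64
        (phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
        phdr_fmt, flags_idx = end + "IIQQQQQQ", 1     # p_flags follows p_type
    elif elf[4] == 1:                                 # ELFCLASS32
        (phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
        phdr_fmt, flags_idx = end + "IIIIIIII", 6     # p_flags is the 7th field
    else:
        raise ValueError("unknown EI_CLASS")
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, elf, phoff + i * phentsize)
        if ph[0] == PT_GNU_STACK:
            return "exec" if ph[flags_idx] & PF_X else "noexec"
    return "absent"


def make_elf64(stack_flags=None) -> bytes:
    """Constructed, minimal little-endian ELF64 image (not a real binary)
    with one PT_GNU_STACK header, or none when stack_flags is None."""
    phdrs = b"" if stack_flags is None else struct.pack(
        "<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1, 9]) + bytes(8)   # 64-bit, LE, FreeBSD ABI
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs) // 56, 64, 0, 0)
    return ehdr + phdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:             # e.g. binaries under /usr/local/bin
        with open(path, "rb") as f:
            print(path, stack_request(f.read()))
```

Run it over the binaries of an installed port before setting allow_wx=0; anything reported as "exec" is a candidate for the startup abort described above.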
