git: 41b9a5af2e19 - stable/13 - bsdinstall: add knob to set ASLR sysctls

Ed Maste emaste at FreeBSD.org
Fri Mar 5 17:52:15 UTC 2021 

The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=41b9a5af2e19cc3715028b9a6e45e0a2e1bceb74

commit 41b9a5af2e19cc3715028b9a6e45e0a2e1bceb74
Author:     Ed Maste <emaste at FreeBSD.org>
AuthorDate: 2021-01-29 19:15:28 +0000
Commit:     Ed Maste <emaste at FreeBSD.org>
CommitDate: 2021-03-05 17:51:04 +0000

    bsdinstall: add knob to set ASLR sysctls
    
    Reviewed by:    mw
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D28418
    
    (cherry picked from commit 020f4112559ebf7e94665c9a69f89d21929ce82a)
---
 usr.sbin/bsdinstall/scripts/hardening | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/usr.sbin/bsdinstall/scripts/hardening b/usr.sbin/bsdinstall/scripts/hardening
index 58ea0a112e26..67ee3672712d 100755
--- a/usr.sbin/bsdinstall/scripts/hardening
+++ b/usr.sbin/bsdinstall/scripts/hardening
@@ -28,6 +28,20 @@
 
 : ${DIALOG_OK=0}
 
+set_aslr_sysctls()
+{
+	for bit in 32 64; do
+		if ! sysctl -Nq kern.elf$bit.aslr.enable >/dev/null; then
+			continue
+		fi
+		cat >> $BSDINSTALL_TMPETC/sysctl.conf.hardening <<-EOF
+			kern.elf$bit.aslr.enable=1
+			kern.elf$bit.aslr.pie_enable=1
+			kern.elf$bit.aslr.honor_sbrk=0
+		EOF
+	done
+}
+
 echo -n > $BSDINSTALL_TMPETC/rc.conf.hardening
 echo -n > $BSDINSTALL_TMPETC/sysctl.conf.hardening
 echo -n > $BSDINSTALL_TMPBOOT/loader.conf.hardening
@@ -48,6 +62,7 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
 	"8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
 	"9 secure_console" "Enable console password prompt" ${secure_console:-off} \
 	"10 disable_ddtrace" "Disallow DTrace destructive-mode" ${disable_ddtrace:-off} \
+	"11 enable_aslr" "Enable address layout randomization" ${enable_aslr:-off} \
 2>&1 1>&3 )
 exec 3>&-
 
@@ -86,6 +101,9 @@ for feature in $FEATURES; do
 	disable_ddtrace)
 		echo 'security.bsd.allow_destructive_dtrace=0' >> $BSDINSTALL_TMPBOOT/loader.conf.hardening
 		;;
+	enable_aslr)
+		set_aslr_sysctls
+		;;
 	esac
 done

More information about the dev-commits-src-all mailing list