ASLR/PIE status in FreeBSD HEAD
Ed Maste
emaste at freebsd.org
Mon Apr 20 14:00:21 UTC 2020
On Sat, 18 Apr 2020 at 04:19, Dewayne Geraghty
<dewayne at heuristicsystems.com.au> wrote:
>
> I'm on a similar ride. We run applications in both i386 and amd64 jails
> with FreeBSD's ASLR enabled (sendmail, squid, apache, ...) and all good.
Great!
> On the build server, the i386 jail with aslr enabled wasn't able to
> build gcc9; so this was disabled kern.elf32.*.
i386 has little spare address space and compiling applications as PIE
has a significant performance impact there, so enabling it only on
64-bit seems quite reasonable.
> ntp was the only real application that didn't play nicely with aslr.
> Fortunately, this was very helpful:
>
> /usr/bin/proccontrol -m aslr -s disable /usr/local/sbin/ntpd...
Yes, and you can now (if using stable/12 or -CURRENT) use elfctl to
tag the binary with a note to request randomization be disabled for
the process, although we really should address the underlying issue.
More information about the freebsd-security
mailing list
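
For auditing which binaries have opted out this way, the sketch below is an added example, not part of the message above and not FreeBSD's own code. It scans the PT_NOTE segments of an ELF64 little-endian image for the "FreeBSD" feature-control note and tests the ASLR-disable bit, using constant values from FreeBSD's sys/elf_common.h; the function names and the in-memory sample image are constructed for illustration.

```python
import struct

PT_NOTE = 4
NT_FREEBSD_FEATURE_CTL = 4          # note type, per FreeBSD sys/elf_common.h
NT_FREEBSD_FCTL_ASLR_DISABLE = 0x1  # bit 0 of the 32-bit feature word

def _align4(n):
    return (n + 3) & ~3

def iter_notes(blob):
    """Yield (name, type, desc) for each note record in a PT_NOTE segment."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name = blob[off:off + namesz].rstrip(b"\0")
        off += _align4(namesz)
        desc = blob[off:off + descsz]
        if len(desc) != descsz:      # truncated record: stop parsing
            return
        off += _align4(descsz)
        yield name, ntype, desc

def aslr_opted_out(image):
    """True if the image's feature-control note requests ASLR be disabled."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("not an ELF64 little-endian image")
    (e_phoff,) = struct.unpack_from("<Q", image, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 0x36)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", image, base)
        (p_offset,) = struct.unpack_from("<Q", image, base + 8)
        (p_filesz,) = struct.unpack_from("<Q", image, base + 32)
        if p_type != PT_NOTE:
            continue
        for name, ntype, desc in iter_notes(image[p_offset:p_offset + p_filesz]):
            if name == b"FreeBSD" and ntype == NT_FREEBSD_FEATURE_CTL and len(desc) >= 4:
                (flags,) = struct.unpack_from("<I", desc)
                return bool(flags & NT_FREEBSD_FCTL_ASLR_DISABLE)
    return False                     # no feature note: system default applies

def make_sample(flags):
    """Constructed input: ELF64 header, one PT_NOTE phdr, one feature note."""
    note = (struct.pack("<III", 8, 4, NT_FREEBSD_FEATURE_CTL)
            + b"FreeBSD\0" + struct.pack("<I", flags))
    ehdr = (b"\x7fELF\x02\x01\x01\x09" + bytes(8)
            + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0))
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, 120, 0, 0, len(note), len(note), 4)
    return ehdr + phdr + note
```

On a real system, pass the bytes of the file to `aslr_opted_out`, for example `open(path, "rb").read()`.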