ASLR/PIE status in FreeBSD HEAD
Ed Maste
emaste at freebsd.org
Tue May 5 23:59:34 UTC 2020
On Mon, 4 May 2020 at 19:39, Dewayne Geraghty
<dewayne at heuristicsystems.com.au> wrote:
>
> It would be palatable to have a "secure.mk" under /usr/ports/Mk/Uses
> that enables pie, relro, now, noexecstack and elfctl features. Then
> port users can enable/disable their (elfctl) default features as they wish.
The general intent for elfctl isn't to have a lot of knobs to worry
about, either user- or developer-facing, and they'll generally be
opt-outs. Ports with known incompatibilities will be tagged at build
time (regardless of whether mitigations are enabled), and mitigations
should be able to be turned on system-wide.
We should be able to address non-executable stack in a similar way -
virtually all ports should have a RW GNU_STACK segment indicating that
the stack is not executable, so a ports build stage could check for
that and produce an error if not, with some sort of override for any
exceptional cases.
We definitely want some global infrastructure for pie, relro, and bind_now.
More information about the freebsd-security
mailing list