The branch main has been updated by emaste:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=020f4112559ebf7e94665c9a69f89d21929ce82a

commit 020f4112559ebf7e94665c9a69f89d21929ce82a
Author:     Ed Maste <[email protected]>
AuthorDate: 2021-01-29 19:15:28 +0000
Commit:     Ed Maste <[email protected]>
CommitDate: 2021-02-20 16:55:00 +0000

    bsdinstall: add knob to set ASLR sysctls
    
    Reviewed by:    mw
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D28418
---
 usr.sbin/bsdinstall/scripts/hardening | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/usr.sbin/bsdinstall/scripts/hardening 
b/usr.sbin/bsdinstall/scripts/hardening
index 58ea0a112e26..67ee3672712d 100755
--- a/usr.sbin/bsdinstall/scripts/hardening
+++ b/usr.sbin/bsdinstall/scripts/hardening
@@ -28,6 +28,20 @@
 
 : ${DIALOG_OK=0}
 
+set_aslr_sysctls()
+{
+       for bit in 32 64; do
+               if ! sysctl -Nq kern.elf$bit.aslr.enable >/dev/null; then
+                       continue
+               fi
+               cat >> $BSDINSTALL_TMPETC/sysctl.conf.hardening <<-EOF
+                       kern.elf$bit.aslr.enable=1
+                       kern.elf$bit.aslr.pie_enable=1
+                       kern.elf$bit.aslr.honor_sbrk=0
+               EOF
+       done
+}
+
 echo -n > $BSDINSTALL_TMPETC/rc.conf.hardening
 echo -n > $BSDINSTALL_TMPETC/sysctl.conf.hardening
 echo -n > $BSDINSTALL_TMPBOOT/loader.conf.hardening
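Review bot: set_aslr_sysctls has no header comment, and the one line in it that is not simply "turn the feature on" — `kern.elf$bit.aslr.honor_sbrk=0` — is left unexplained; a short comment above the function stating what it writes and why honor_sbrk is set to 0 rather than left at the kernel default would let the next maintainer judge the choice. The probe `sysctl -Nq kern.elf$bit.aslr.enable` is answered by the kernel running on the install medium, so an ABI the installer kernel lacks is silently skipped and, if both are skipped, selecting the knob leaves sysctl.conf.hardening untouched with no message; presumably installer and target kernels match, but a one-line diagnostic to stderr in the `continue` branch would make that visible. Only `.enable` is probed before `.pie_enable` and `.honor_sbrk` are written, which is worth stating in the comment as an assumption.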
@@ -48,6 +62,7 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
        "8 disable_sendmail" "Disable Sendmail service" 
${disable_sendmail:-off} \
        "9 secure_console" "Enable console password prompt" 
${secure_console:-off} \
        "10 disable_ddtrace" "Disallow DTrace destructive-mode" 
${disable_ddtrace:-off} \
+       "11 enable_aslr" "Enable address layout randomization" 
${enable_aslr:-off} \
 2>&1 1>&3 )
 exec 3>&-
 
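Review bot: The new menu label reads "Enable address layout randomization", dropping the "space" from the feature's standard name, while the knob name `enable_aslr` and the commit title both say ASLR; the label should match: `"11 enable_aslr" "Enable address space layout randomization" ${enable_aslr:-off} \`. The dialog invocation this line belongs to starts before the hunk.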
@@ -86,6 +101,9 @@ for feature in $FEATURES; do
        disable_ddtrace)
                echo 'security.bsd.allow_destructive_dtrace=0' >> 
$BSDINSTALL_TMPBOOT/loader.conf.hardening
                ;;
+       enable_aslr)
+               set_aslr_sysctls
+               ;;
        esac
 done
 