On Sun, May 19, 2019 at 01:04:53PM +0200, Ricardo Fraile wrote:
| Hi all,
|
| As the variable "library_aslr" exists to disable library randomization on
| rc, it would be helpful to have the same option for the kernel. Here is the
| patch to add the "kernel_aslr" switch.

If you must do this:

`doas sha256 -h /var/db/kernel.SHA256 /dev/null`

To undo:

`doas sha256 -h /var/db/kernel.SHA256 /bsd`

You can put these in a simple script to make it easier for you, or in /etc/rc.local to survive upgrades.

However, library_aslr delays the boot sequence (because libraries must be completed before the system can boot up) while kernel_aslr does not - it only introduces a bit of extra load on your machine.

What problem are you trying to solve?

Paul 'WEiRD' de Weerd

| Regards, | Ricardo F. | | | diff --git etc/rc etc/rc | index 9a3917986cc..df2abbaa652 100644 | --- etc/rc | +++ etc/rc | @@ -615,7 +615,9 @@ echo '.' | | # Re-link the kernel, placing the objects in a random order. | # Replace current with relinked kernel and inform root about it. | -/usr/libexec/reorder_kernel & | +if [[ $kernel_aslr == YES ]]; then | + /usr/libexec/reorder_kernel & | +fi | | date | exit 0 | diff --git etc/rc.conf etc/rc.conf | index a513b7575d4..30d1ca8953b 100644 | --- etc/rc.conf | +++ etc/rc.conf | @@ -101,6 +101,7 @@ multicast=NO # Reject IPv4 multicast packets by default | # miscellaneous other flags | amd_master=/etc/amd/master # AMD 'master' map | library_aslr=YES # set to NO to disable library randomization | +kernel_aslr=YES # set to NO to disable kernel randomization | savecore_flags= # "-z" to compress | spamd_black=NO # set to YES to run spamd without greylisting | shlib_dirs= # extra directories for ldconfig, separated | diff --git etc/rc.d/rc.subr etc/rc.d/rc.subr | index 6a8e05e3b3e..3dafbba3e7e 100644 | --- etc/rc.d/rc.subr | +++ etc/rc.d/rc.subr | 
@@ -140,8 +140,9 @@ _rc_parse_conf() { | typeset -l _key | local _l _rcfile _val | set -A _allowed_keys -- \ | - accounting amd_master check_quotas ipsec library_aslr \ | - multicast nfs_server pexp pf pkg_scripts shlib_dirs spamd_black | + accounting amd_master check_quotas ipsec kernel_aslr \ | + library_aslr multicast nfs_server pexp pf pkg_scripts \ | + shlib_dirs spamd_black | | [ $# -gt 0 ] || set -- /etc/rc.conf /etc/rc.conf.local | for _rcfile; do | -- >++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+ +++++++++++>-]<.>++[<------------>-]<+.--------------.[-] http://www.weirdnet.nl/
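
Review bot: In the etc/rc hunk, the test `[[ $kernel_aslr == YES ]]` fails open: any value other than the exact string YES (empty, unset, a typo, lowercase "yes") silently skips /usr/libexec/reorder_kernel, so a mistake in configuration turns the mitigation off with no message. Testing `[[ $kernel_aslr != NO ]]` would keep the relink as the default and require an explicit NO to disable it. The two comment lines above the block still describe the relink as unconditional and should mention the new knob.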
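
Review bot: In the etc/rc.conf hunk, the comment on the added `kernel_aslr=YES` line says "kernel randomization", while the etc/rc hunk shows that the variable only gates the boot-time run of /usr/libexec/reorder_kernel; wording such as "set to NO to disable kernel relinking at boot" would say what actually stops happening. The patch touches only etc/rc, etc/rc.conf and etc/rc.d/rc.subr, so the new variable also arrives without a manual page entry; a documentation change should come with it.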