On Sun, May 19, 2019 at 01:04:53PM +0200, Ricardo Fraile wrote:
| Hi all,
| 
| As the variable "library_aslr" exists to disable library randomization in
| rc, it would be helpful to have the same option for the kernel. Here is the
| patch to add the "kernel_aslr" switch.

If you must do this: `doas sha256 -h /var/db/kernel.SHA256 /dev/null`

To undo: `doas sha256 -h /var/db/kernel.SHA256 /bsd`

You can put these in a simple script to make it easier for you, or in
/etc/rc.local to survive upgrades.


However, library_aslr delays the boot sequence (because libraries must
be completed before the system can boot up) while kernel_aslr does not
- it only introduces a bit of extra load on your machine.  What
problem are you trying to solve?

Paul 'WEiRD' de Weerd

| Regards,
| Ricardo F.
| 
| 
| diff --git etc/rc etc/rc
| index 9a3917986cc..df2abbaa652 100644
| --- etc/rc
| +++ etc/rc
| @@ -615,7 +615,9 @@ echo '.'
| 
|  # Re-link the kernel, placing the objects in a random order.
|  # Replace current with relinked kernel and inform root about it.
| -/usr/libexec/reorder_kernel &
| +if [[ $kernel_aslr == YES ]]; then
| +     /usr/libexec/reorder_kernel &
| +fi
| 
|  date
|  exit 0
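
Review bot: The test `[[ $kernel_aslr == YES ]]` in etc/rc fails open: any value other than the exact string YES (unset, empty, or a typo in rc.conf.local) silently skips /usr/libexec/reorder_kernel, so the kernel stops being relinked without any message. Consider inverting it to `[[ $kernel_aslr != NO ]]` so that only an explicit NO disables the relink, and update the two comment lines above it, which still describe the relink as unconditional.
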
| diff --git etc/rc.conf etc/rc.conf
| index a513b7575d4..30d1ca8953b 100644
| --- etc/rc.conf
| +++ etc/rc.conf
| @@ -101,6 +101,7 @@ multicast=NO              # Reject IPv4 multicast packets 
by default
|  # miscellaneous other flags
|  amd_master=/etc/amd/master   # AMD 'master' map
|  library_aslr=YES             # set to NO to disable library randomization
| +kernel_aslr=YES                      # set to NO to disable kernel 
randomization
|  savecore_flags=                      # "-z" to compress
|  spamd_black=NO                       # set to YES to run spamd without 
greylisting
|  shlib_dirs=                  # extra directories for ldconfig, separated
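
Review bot: The comment on the added `kernel_aslr=YES` line says NO disables kernel randomization, but going by the etc/rc hunk the switch only skips the relink at boot; the kernel already installed keeps whatever object order it was last linked with. Suggest wording such as "set to NO to skip kernel relinking at boot". The patch as posted touches only etc/rc, etc/rc.conf and etc/rc.d/rc.subr, so the new variable also arrives without any manual page text.
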
| diff --git etc/rc.d/rc.subr etc/rc.d/rc.subr
| index 6a8e05e3b3e..3dafbba3e7e 100644
| --- etc/rc.d/rc.subr
| +++ etc/rc.d/rc.subr
| @@ -140,8 +140,9 @@ _rc_parse_conf() {
|       typeset -l _key
|       local _l _rcfile _val
|       set -A _allowed_keys -- \
| -             accounting amd_master check_quotas ipsec library_aslr \
| -             multicast nfs_server pexp pf pkg_scripts shlib_dirs spamd_black
| +             accounting amd_master check_quotas ipsec kernel_aslr \
| +             library_aslr multicast nfs_server pexp pf pkg_scripts \
| +             shlib_dirs spamd_black
| 
|       [ $# -gt 0 ] || set -- /etc/rc.conf /etc/rc.conf.local
|       for _rcfile; do
| 

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
