Age | Commit message | Author |
|
unwind can be started (silently) before pf is configured (for those
few weirdos who use hostnames in pf.conf...). Other unidentified concerns
may be improved by this startup re-ordering, so let's give it a try.
discussed with florian.
|
|
|
|
other methods failed to inject/churn the rng enough. Move it up far earlier.
ok naddy sthen kettenis
|
|
as found the hard way by d.rauschenb@gmail on an old fujitsu siemens
machine, reading all of hw (notably hw.setperf) can have unexpected
side-effects. ok deraadt
|
|
as a one-shot at boot without more complex kernel work, and also includes
some serial numbers/guids which may add a little more entropy e.g. for
systems where /etc/random.seed may be known (e.g. cloned disk images).
"why not" deraadt@
|
|
- put functions and data which are only used before calling the executable's
start function into their own page-aligned segments for unmapping
(only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an additional argument which
is a callback to get a structure which includes a function that frees
the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
DF_1_INITFIRST do it after the object's .init_array, for the executable
do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
late
libc changes to use this will come later
ok kettenis@
|
|
|
|
ok deraadt
|
|
As of usr.bin/xinstall/install.c revision 1.68, -S is a no-op and
install(1) will always create files safely, thus clean the option usage
from the tree.
Diff from Lauri Tirkkonen <lotheac at iki dot fi>, thanks.
|
|
Loop over df(1)'s output directly, ensure the resulting list of block
devices is unique to avoid later duplicate checks and redundant mount(8)
invocations.
This allows direct bail out on invalid types and simpler saving for later
remount.
OK deraadt
|
|
|
|
suggested by and ok deraadt@ ("I think we never hang there anymore")
|
|
Many arm64 systems use device trees instead of ACPI and acpidump is
expected to fail on those systems. And vmm(4) doesn't provide ACPI
information either.
ok deraadt@
|
|
Remove rtadvd(8) from rc(8).
OK deraadt, phessler
|
|
|
|
to running VMs (at least for OpenBSD ones), but the stop routine for system
daemons is not usually called at shutdown.
Earlier version with just "vmd stop" ok reyk@ kn@, ajacoutot@ reminded me
to hide the contextless "vmd(ok)" text which looks bad, I did so and wrapped
it with a "stopping VMs" message (it can take some time, especially when you
have multiple VMs, so better to have some clear feedback).
|
|
OK(failed) phessler
OK deraadt
|
|
|
|
Add soii.key to changelist (pointed out by semarie) and mtree/special
(suggested by Craig Skinner).
OK naddy, sthen, rpe, tb
|
|
|
|
OK tb@
|
|
one location under /usr/share/relink.
Be more specific in src/etc/rc reorder_libs() about which filesystems
need r/w remount and ensure that their mount state is restored.
Idea and positive feedback from deraadt@
OK aja@ tb@
|
|
sysctl_conf() spawns a subshell. This prevents the new process
limits from affecting the daemons started during boot.
OK rpe@ halex@
|
|
Move the tmpdir for reordering libraries from /tmp to /usr/lib.
This allows /tmp to be mounted noexec.
prompted by reports on misc@
OK deraadt@ tj@ tb@
|
|
|
|
reorder_libs() resulting in a unique ld.so on every system start.
Idea from and OK deraadt@
OK tb@
|
|
machines, running sysmerge(8) can take a little while so don't let people
wonder why the output seems stuck.
ok sthen@ tb@ rpe@
|
|
/usr/libexec/reorder_kernel. Requested by ajacoutot@ to be able to
relink the kernel from within syspatch(8).
OK deraadt@ tb@
|
|
reverse order on shutdown.
OK aja@ tb@
|
|
being reordered.
okay tb@ deraadt@
|
|
OK tb@
|
|
|
|
Diff from Klemens Nanni
OK tb@ zhuk@
|
|
it after remounting the filesystem containing /usr/lib as rw:
the former is pointless if the latter should happen to fail.
From Klemens Nanni
ok rpe
|
|
reorder_libs().
From Klemens Nanni with input from rpe.
ok rpe, zhuk
|
|
and to write the logfile inside the kernel compile dir.
- turn the whole reorder_kernel function into a subshell {} -> ()
- create kernel compile dir early on
- redirect all stdout/stderr to a logfile inside this dir
- set up ERR trap handler that
- disables the EXIT trap handler
- syslogs the error and hints to the logfile
- additionally sends this message to the console
- set up EXIT trap handler that syslogs success
- wipe only the content instead of the whole kernel compile dir
- reestablish stdout redirection to the log after the wipe
- remove -q option of sha256 to log check result
- run reorder_kernel() in the background
OK deraadt@ tb@
|
|
- check for and exit if /usr/share is on an NFS-mounted filesystem
- add trap handlers that mail the logfile to the admin user
- use $_compile instead of $_compile_dir like in the installer
- use $_compile/$_kernel instead of $_kernel_dir
- remove the now redundant sha256 -h ... after make newinstall
- write stdout/stderr of the background subshell to a logfile
OK tb@ deraadt@
|
|
|
|
users and developers.
diff from rpe, ok tb
|
|
presume we booted from. If you boot from another kernel, we cannot help
you later with hibernate, sorry -- the kernel does not get a usable
filename from the bootblocks.
In the bootblocks, detect a live hibernate signature and boot from
/bsd.booted instead.
with yasuoka, lots of discussion with mlarkin, ok tom
|
|
new kernel in the background on system startup. It stores the hash
of the new kernel and sends a notification email to the admin or
root user. If it finds /usr/share/compile.tgz, it removes the
existing compile dir and replaces it with the content of the (new)
archive. If the hash of /bsd does not match the stored one, no
relinking happens.
Idea from, joint work with and OK deraadt@
OK tb@ halex@
unnoticed by many
|
|
setup.
Input & OK deraadt@
|
|
Perform the same kind of test for relinked libcrypto, using an openssl
sequence (proposed by sthen)
|
|
prying eyes were already hindered at determining kernel addresses, now
local prying eyes are also hindered.
ok tb rpe
|
|
reordering of libraries by rc(8). This way machines with very slow disk I/O
have a chance of booting within reasonable time now that libcrypto is also
randomized.
Discussed with various;
input & ok from deraadt ajacoutot
|
|
OK phessler, deraadt
|
|
has many small functions without significant local storage, therefore
less tail protection from -fstack-protector-strong to prevent their use
as ROP gadgets. It is used in security contexts. Also many functions
dribble pointers onto the stack, allowing discovery of gadgets via the
fixed relative addresses, so let's randomly bias those.
ok tedu jsing
The rc script will soon need a strategy for skipping this step on
machines with poor IO performance. Or maybe do it less often? However,
I don't see many more libraries we'll do this with, these are the two
most important ones.
|
|
|
|
documentation if the first line of the file is blank.
Quirk reported by Anthony Coulter <bsd at anthonycoulter dot name>.
OK rpe@
|
|
Do it now deraadt@
|