HBSD: Bump __HardenedBSD_version due to FreeBSD ASR

FreeBSD's ASR implementation is now optionally available to HardenedBSD
users. As such, bump __HardenedBSD_version due to subtle changes in how
ASLR/ASR interact.

Note that allocation clustering is disabled by default, causing large
memory fragmentation with FreeBSD's ASR implementation (no additional
memory fragmentation with HardenedBSD's PaX ASLR). Enabling clustering
negatively impacts both ASR and ASLR implementations.

Signed-off-by:	Shawn Webb <>
Shawn Webb 1 year ago
Signed by: Shawn Webb <> GPG Key ID: FF2E67A277F8E1FA
2 changed files with 17 additions and 1 deletions

UPDATING-HardenedBSD (+16, -0)

@@ -1,3 +1,19 @@
[20181019] FreeBSD ASR with HardenedBSD ASLR
__HardenedBSD_version = 1300059

FreeBSD merged in their incomplete Address Space Randomization
(ASR) patch. Undo the reversion of the ASR patch and rely on
HardenedBSD's PaX ASLR implementation for the stack and shared
page when FreeBSD's ASR is enabled.

FreeBSD's ASR is disabled by default, but can be enabled at
runtime by setting the `kern.elf64.aslr.pie_enable` and
`kern.elf64.aslr.enable` sysctl nodes to 1. If HardenedBSD's
`hardening.pax.aslr.status' sysctl node is greater than or
equal to 2, the PaX ASLR implementation will only be in effect
for the stack and the shared page.

[20181019] shift to FreeBSD 13-CURRENT
__HardenedBSD_version = 1300058

sys/sys/pax.h (+1, -1)

@@ -32,7 +32,7 @@
#ifndef _SYS_PAX_H
#define _SYS_PAX_H

#define __HardenedBSD_version 1300058UL
#define __HardenedBSD_version 1300059UL

#if defined(_KERNEL) || defined(_WANT_PRISON)
typedef uint32_t pax_state_t;
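
Review bot: Missing documentation at the `#define __HardenedBSD_version 1300059UL` line: the value matches the 1300059 recorded in UPDATING-HardenedBSD, but nothing next to the define says what the bump gates. Suggest a one-line comment pointing at the UPDATING-HardenedBSD entry, so code that tests `__HardenedBSD_version >= 1300059` can tell it marks the ASLR/ASR interaction change described in the commit message.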