HardenedBSD src tree https://hardenedbsd.org/
[20200221] Removal of LibreSSL and OpenNTPD
__HardenedBSD_version = 1300061

LibreSSL and OpenNTPD were removed from the HardenedBSD base
system. Users who set WITH_LIBRESSL or WITH_OPENNTPD will need
to rebuild ports.

[20191214] Jail parameter: {no}allow.extattr
__HardenedBSD_version = 1300060

Provide a new jail configuration parameter: allow.extattr (and
noallow.extattr). Default: allow.

Allow setting system-level filesystem extended attributes by
default in a jailed environment.

Change the default system behavior to be more relaxed. Prior
to this change, privileged accounts in a jail could not set
system-level filesystem extended attributes. This change now
enables that ability by default.

This is in preparation for hbsdcontrol integration with
ports/packages.

[20191019] FreeBSD ASR with HardenedBSD ASLR
__HardenedBSD_version = 1300059

FreeBSD merged in their incomplete Address Space Randomization
(ASR) patch. Undo the reversion of the ASR patch and rely on
HardenedBSD's PaX ASLR implementation for the stack and shared
page when FreeBSD's ASR is enabled.

FreeBSD's ASR is disabled by default, but can be enabled at
runtime by setting the `kern.elf64.aslr.pie_enable` and
`kern.elf64.aslr.enable` sysctl nodes to 1. If HardenedBSD's
`hardening.pax.aslr.status` sysctl node is greater than or
equal to 2, the PaX ASLR implementation will only be in effect
for the stack and the shared page.

[20181019] shift to FreeBSD 13-CURRENT
__HardenedBSD_version = 1300058

FreeBSD started 13-CURRENT; do the same here.

[20180701] OpenSSL
__HardenedBSD_version = 1200058

Switch back to OpenSSL as the default crypto library in base.

[20180123] retpoline
__HardenedBSD_version = 1200057

Integrated the retpoline patch from llvm. The object
tree should be removed fully prior to rebuilding
world/kernel.

[20180103] PAX_JAIL_SUPPORT
__HardenedBSD_version = 1200056

Added infrastructure to change hardening settings at
jail creation time. You can use the same "mibs" as
jail params that exist under the hardening sysctl
leaf. See the example jail.conf snippet:

    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    mount.devfs;
    path = "/usr/jails/$name";
    host.hostname = "$name";

    hbsdnx {
        hardening.pax.segvguard.status = 3;
        hardening.pax.mprotect.status = 3;
        hardening.pax.pageexec.status = 3;
        hardening.pax.aslr.status = 3;
        persist;
    }

In the current implementation the settings are still
modifiable via sysctls from inside the jail, but this
will change in the future. The same is true for
nested jails.

[20170914] TOCTOU fix, PAX_CONTROL_{ACL,EXTATTR}
__HardenedBSD_version = 1200055

hbsdcontrol
-----------------------------------------------------------------------

The hbsdcontrol subsystem is an extattr(9) based control plane for
HardenedBSD's security settings.

Currently only the system namespace is supported. (FreeBSD's extattr
subsystem has two namespaces: system and user. The system namespace is
writeable only by the non-jailed root user; the user namespace is writeable
by all users.)

This means only root can assign rules to a specific file. The other
restriction is similar: setting rules on a specific file is allowed only
from the host; such an operation is prohibited from jails, for the jail's
root user too.

To enable the hbsdcontrol subsystem, you should add the

    options PAX_CONTROL_EXTATTR

kernel knob to your kernel config.

The hbsdcontrol subsystem uses the following extended attributes:

    hbsd.pax.aslr
    hbsd.pax.noaslr
    hbsd.pax.segvguard
    hbsd.pax.nosegvguard
    hbsd.pax.pageexec
    hbsd.pax.nopageexec
    hbsd.pax.mprotect
    hbsd.pax.nomprotect
    hbsd.pax.shlibrandom
    hbsd.pax.noshlibrandom
    hbsd.pax.disallow_map32bit
    hbsd.pax.nodisallow_map32bit

Valid values are only 0 (= disabled) and 1 (= enabled).

Valid settings are the following in the system FS-EA namespace (with the ASLR
example; the same is true for the other settings):

 * neither hbsd.pax.aslr nor hbsd.pax.noaslr assigned to the file -> system default
 * hbsd.pax.aslr = 1 and hbsd.pax.noaslr = 0 -> enabled ASLR
 * hbsd.pax.aslr = 0 and hbsd.pax.noaslr = 1 -> disabled ASLR
 * hbsd.pax.aslr = 0 and hbsd.pax.noaslr = 0 -> invalid, warning message + execution error
 * hbsd.pax.aslr = 1 and hbsd.pax.noaslr = 1 -> invalid, warning message + execution error

Attributes in the user namespace are ignored.
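The rule table above, as an added example that is not hbsdcontrol's kernel code: a Python model that reads a file's extended attributes from a dict, consults only the system namespace, and reports each hbsd.pax.* feature as default, enabled, disabled or invalid. A lone attribute without its "no" partner is treated as invalid here; that case is not listed in the entry and is an assumption.

```python
# Added example, not HardenedBSD kernel code: a model of the hbsdcontrol
# extattr(9) rule evaluation, with attributes as {namespace: {name: value}}.

FEATURES = ("aslr", "segvguard", "pageexec", "mprotect",
            "shlibrandom", "disallow_map32bit")


class InvalidPaxRule(ValueError):
    """An invalid combination: warning message + execution error."""


def _read_flag(system_attrs, name):
    """Return 0/1 for a system-namespace attribute, None if not assigned."""
    raw = system_attrs.get(name)
    if raw is None:
        return None
    if str(raw) not in ("0", "1"):          # only 0 and 1 are valid values
        raise InvalidPaxRule(f"{name}: valid values are only 0 and 1, got {raw!r}")
    return int(raw)


def feature_state(attrs, feature):
    """Return 'default', 'enabled' or 'disabled' for one hbsd.pax.* feature."""
    if feature not in FEATURES:
        raise ValueError(f"unknown hbsdcontrol feature {feature!r}")
    system = attrs.get("system", {})       # user-namespace attrs are ignored
    on = _read_flag(system, f"hbsd.pax.{feature}")
    off = _read_flag(system, f"hbsd.pax.no{feature}")
    if on is None and off is None:
        return "default"                   # neither attribute assigned
    if on == 1 and off == 0:
        return "enabled"
    if on == 0 and off == 1:
        return "disabled"
    # 0/0 and 1/1 are the two invalid pairs from the table above; a lone
    # attribute is rejected too (assumption: the entry does not list it).
    raise InvalidPaxRule(
        f"hbsd.pax.{feature}={on} with hbsd.pax.no{feature}={off} is invalid")


def describe_file(attrs):
    """Map every feature to its state, or 'invalid: <reason>' for bad rules."""
    result = {}
    for feature in FEATURES:
        try:
            result[feature] = feature_state(attrs, feature)
        except InvalidPaxRule as exc:
            result[feature] = f"invalid: {exc}"
    return result


# Constructed sample: ASLR forced on, MPROTECT forced off, a contradictory
# segvguard pair, and user-namespace attributes that must be ignored.
SAMPLE_FILE = {
    "system": {"hbsd.pax.aslr": "1", "hbsd.pax.noaslr": "0",
               "hbsd.pax.mprotect": "0", "hbsd.pax.nomprotect": "1",
               "hbsd.pax.segvguard": "1", "hbsd.pax.nosegvguard": "1"},
    "user": {"hbsd.pax.pageexec": "0", "hbsd.pax.nopageexec": "1"},
}

if __name__ == "__main__":
    for feature, state in describe_file(SAMPLE_FILE).items():
        print(f"{feature:18} {state}")
```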

TOCTOU fix, PAX_ACL
-----------------------------------------------------------------------

As preparation for hbsdcontrol, and to clean up the whole control logic,
there are some new kernel knobs:

 * PAX_CONTROL_ACL
 * PAX_CONTROL_ACL_OVERRIDE_SUPPORT
 * PAX_CONTROL_EXTATTR

If you want to use the external secadm utility to manage HardenedBSD's
security features, then you should add

    options PAX_CONTROL_ACL

to your kernel config.

If you want to use the extattr(9) based hbsdcontrol, you should add
the

    options PAX_CONTROL_EXTATTR

kernel knob.

If you want to use both hbsdcontrol and secadm, it is nice to add

    options PAX_CONTROL_ACL_OVERRIDE_SUPPORT

too. This matters in a very special case: when you set rules both
from hbsdcontrol and from secadm on the _same_ file. By default
hbsdcontrol always wins this situation, and what was set up
by hbsdcontrol gets applied as policy. To override this behavior
you can add a special flag in your secadm conf. For more details
consult secadm's source code / readme / man page.

[20170914] Changed auxvector after e5ea82a50dd64a3e47767b132a16281242ff396d
__HardenedBSD_version = 1200054

After the following commit:

> commit e5ea82a50dd64a3e47767b132a16281242ff396d
> Author: jhb <jhb@FreeBSD.org>
> Date:   Thu Sep 14 14:26:55 2017 +0000
>
> Add AT_HWCAP and AT_EHDRFLAGS on all platforms.
>
> A new 'u_long *sv_hwcap' field is added to 'struct sysentvec'. A
> process ABI can set this field to point to a value holding a mask of
> architecture-specific CPU feature flags. If an ABI does not wish to
> supply AT_HWCAP to processes the field can be left as NULL.
>
> The support code for AT_EHDRFLAGS was already present on all systems,
> just the #define was not present. This is a step towards unifying the
> AT_* constants across platforms.
>
> Reviewed by: kib
> MFC after: 1 month
> Differential Revision: https://reviews.freebsd.org/D12290
>
> Notes:
> svn path=/head/; revision=323579

AT_PAXFLAGS has moved from position 24 to position 26 in
the ELF auxvector. This may break some functionality, especially
the SHLIBRANDOM feature, when running a newer kernel
with an older user-space.
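The layout change above as an added example (not HardenedBSD code): a Python model that builds a constructed amd64 auxiliary vector the way a kernel after the commit lays it out, then reads AT_PAXFLAGS back with the old (24) and the new (26) number, showing the misread an older user-space gets on a newer kernel. The numbers 24 and 25 for the two inserted entries (AT_EHDRFLAGS, AT_HWCAP) and the flag values are assumed sample values.

```python
# Added example, not HardenedBSD code: a model of the auxv layout change
# described above. It serializes (a_type, a_val) pairs as a kernel would
# and reads AT_PAXFLAGS back with the old and the new number, which is
# the mismatch an older user-space hits on a newer kernel.
import struct

AT_NULL = 0
AT_PAXFLAGS_OLD = 24        # position before the commit (from the entry)
AT_PAXFLAGS_NEW = 26        # position after the commit (from the entry)
# The two entries the commit added; their numbers are assumed here.
AT_EHDRFLAGS = 24
AT_HWCAP = 25

ENTRY = struct.Struct("<QQ")  # (a_type, a_val): two u_long on amd64


def build_auxv(entries):
    """Serialize (type, value) pairs and append the AT_NULL terminator."""
    blob = b"".join(ENTRY.pack(a_type, a_val) for a_type, a_val in entries)
    return blob + ENTRY.pack(AT_NULL, 0)


def parse_auxv(blob):
    """Return {a_type: a_val}, stopping at AT_NULL or the end of the blob."""
    auxv = {}
    for offset in range(0, len(blob) - ENTRY.size + 1, ENTRY.size):
        a_type, a_val = ENTRY.unpack_from(blob, offset)
        if a_type == AT_NULL:
            break
        auxv[a_type] = a_val
    return auxv


def pax_flags_seen_by(blob, at_paxflags):
    """The PaX flag word that user-space built with the given AT_PAXFLAGS
    number reads from this auxv (None if that entry is absent)."""
    return parse_auxv(blob).get(at_paxflags)


# Constructed auxv from a kernel after the commit: e_flags at 24, hwcap at
# 25 and the PaX flags at 26. The values themselves are arbitrary samples.
NEW_KERNEL_AUXV = build_auxv([
    (AT_EHDRFLAGS, 0x0),
    (AT_HWCAP, 0x178bfbff),
    (AT_PAXFLAGS_NEW, 0x3f),
])
# Constructed auxv from a kernel before the commit: PaX flags still at 24.
OLD_KERNEL_AUXV = build_auxv([(AT_PAXFLAGS_OLD, 0x3f)])

if __name__ == "__main__":
    # New kernel, new user-space: the real flags.
    print(hex(pax_flags_seen_by(NEW_KERNEL_AUXV, AT_PAXFLAGS_NEW)))   # 0x3f
    # New kernel, old user-space: reads AT_EHDRFLAGS instead and sees 0x0,
    # so features such as SHLIBRANDOM appear disabled.
    print(hex(pax_flags_seen_by(NEW_KERNEL_AUXV, AT_PAXFLAGS_OLD)))   # 0x0
    # Old kernel, new user-space: no entry 26 at all.
    print(pax_flags_seen_by(OLD_KERNEL_AUXV, AT_PAXFLAGS_NEW))        # None
```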

[20170831] Changed pax_elf API
__HardenedBSD_version = 1200053

As preparation, rationalize the pax_elf(...) function
signatures to follow the style of the code in kern_exec.
For the details, see the code.

[20170709] Enforced KPI
__HardenedBSD_version = 1200052

Enforce the KPI version at compile time. This
will require the recompilation of external
modules whenever __HardenedBSD_version or
__FreeBSD_version gets bumped.

[20170624] Enable OpenNTPd by default
__HardenedBSD_version = 1200051

Enable WITH_OPENNTPD by default on HardenedBSD.
After this point we deliver OpenNTPd as the base
ntp provider for HardenedBSD. ISC ntpd is still
available, and accessible with the WITHOUT_OPENNTPD=
knob in src.conf(5).

[20170616] Changed __HardenedBSD_version scheme
__HardenedBSD_version = 1200050

The version numbers may differ between branches (10-STABLE,
11-STABLE, 12-CURRENT), and to keep the version number in step
with the feature state, there is a need to allow bumping them
differently.

[20170616] Changed default protection settings for text section
__HardenedBSD_version = 50

Fixes the (theoretically) last outstanding memory
protection related weakness in HBSD's user-space detectable
with paxtest.

[20170302] Enable CFI by default for amd64
__HardenedBSD_version = 49

Enable WITH_CFI by default on HardenedBSD/amd64.

Control-Flow Integrity (CFI) is an exploit mitigation
technique developed in the clang/llvm project. Now that
base has clang 4.0.0, which brings a linker that supports
Link-Time Optimization (LTO), lld, we can make use of
CFI, which requires LTO.

This also enables lld by default for amd64 and arm64. Disable
CFI by setting WITHOUT_CFI in src.conf(5).

[20170112] Enable SafeStack by default for amd64
__HardenedBSD_version = 48

Enable WITH_SAFESTACK by default on HardenedBSD/amd64.

SafeStack is an exploit mitigation technique developed in the
clang/llvm project, born in the Code-Pointer Integrity
(CPI) project. Now that base has clang 3.9.1, which contains
a more mature CFI/CPI implementation, SafeStack can be enabled
by default for amd64.

Disable SafeStack for base by setting WITHOUT_SAFESTACK in
src.conf(5).

[20160820] Enable LibreSSL by default
__HardenedBSD_version = 47

Enable WITH_LIBRESSL by default on HardenedBSD.
After this point we deliver LibreSSL as the base
SSL engine for HardenedBSD. OpenSSL is still
available, and accessible with the WITHOUT_LIBRESSL=
knob in src.conf.

[20160423] RELRO + BIND_NOW
__HardenedBSD_version = 46

Enable RELRO + BIND_NOW for base.
Introduce WITHOUT_RELRO and WITHOUT_BIND_NOW.
Setting WITHOUT_RELRO also sets WITHOUT_BIND_NOW.

[20160408] PIEified base for amd64 and i386
__HardenedBSD_version = 45

Remove WANTS_PIE.
Default PIE for base for amd64 and i386 only.
When PIE is enabled, compile non-static libraries with -fPIC.
Default WITH_SHARED_TOOLCHAIN to enabled.

If you encounter build problems during make buildworld,
try to clean the object files directory, which is typically
/usr/obj:

    cd /usr/obj; rm -rf *

And retry building the world. This is required due to the
improper cleaning mechanism of FreeBSD's build framework.

[201603XX] noexec and ASLR changes
__HardenedBSD_version = 44

Fixed noexec's paxflags parser to get a usable system on
broken setups too.
Changed ASLR stack randomization settings on 32-bit machines.

[20160316] ASLR cleanup
__HardenedBSD_version = 43

Since the hardening.pax.aslr.*_len variables are no longer
available outside of loader.conf(5), remove them from
struct hbsd_features, which gets embedded in struct
prison. This change makes the hardening.pax.aslr.*_len
variables a global setting, rather than a per-jail setting.

[20160225] RTLD noexec
__HardenedBSD_version = 42

Enforce non-executable thread stacks, driven by the RTLD.

[20160213] rewritten internals
__HardenedBSD_version = 41

Changed HardenedBSD core structures.
Dropped ptrace_hardening.
Dropped ASLR bit settings.
Fixed hbsd_update_build bug.
Added skeleton file.
Changed feature strings.
Changed noexec implicit rules.

[20160123] add pax_get_hardenedbsd_version API
__HardenedBSD_version = 40

Add the pax_get_hardenedbsd_version() API to query hardening's version
from kernel code.
Add new types which represent the PAX_FLAGS.

[20151225] redo rework internal structures
__HardenedBSD_version = 39

Change pax_get_prison(...) to pax_get_prison_td(...) where possible.
Fix one segvguard related issue.
Changed pax_elf signature.

We reverted this code in version 37 because we observed a weird
issue, but this issue was unrelated to the reworked internals.
The true root of the problem was a secadm bug, and the issue was fixed
with version 38.

[20151218] reworked MAP_32BIT mmap randomization
__HardenedBSD_version = 38

Previously the MAP_32BIT case of mmap randomization was an ASR;
to fix this and some other issues with MAP_32BIT related
mmap, implement a proper ASLR.

Upstream fixed stability issues with higher order PID randomization.

[20151208] revert the reworked internal structures
__HardenedBSD_version = 37

revert: Change pax_get_prison(...) to pax_get_prison_td(...) where possible.
revert: Changed pax_elf signature.

[20151206] rework internal structures
__HardenedBSD_version = 36

Change pax_get_prison(...) to pax_get_prison_td(...) where possible.
Change noexec's sysctl handlers.
Fix one segvguard related issue.
Fix randompid related issue.
Changed pax_elf signature.

[20151123] changed proc structure : added p_timekeep_base
__HardenedBSD_version = 35

Follow the recent VDSO changes from kib@.
This required introducing a new field in struct proc.

[20151018] disabled lib32 build by default
__HardenedBSD_version = 34

Do not build lib32 and 32-bit related things on 64-bit platforms
by default.

[20150924] changed stack-protector level
__HardenedBSD_version = 33

Bump the default build settings from --stack-protector
to --stack-protector-strong.

[20150915] ASLR changes
__HardenedBSD_version = 32

Changed default VDSO randomization from 20 bits to 28 bits.
Fixed div by zero in rare cases in pax_aslr_init_vmspace.

[20150907] Reworked DISALLOWMAP32BIT and changed some internal functions
__HardenedBSD_version = 31

Rename and correctly paxify the DISALLOWMAP32BIT.
Changed pax flags setup.

[20150905] Added MAP32_PROTECT
__HardenedBSD_version = 30

Added per-process mode to disable MAP_32BIT mode mmap(2).

[20150823] Fixed pkg bootstrap
__HardenedBSD_version = 29

With FreeBSD commit 671f0b9, use of the pubkey signature_type method is explicitly disallowed.
This breaks bootstrapping with pubkey signature_type.

[20150715] Fixed vdso randomization
__HardenedBSD_version = 28

Fixed and simplified vdso and stack mapping.

[20150706] Added shared-page (vdso) randomization
__HardenedBSD_version = 27

This version brings in true stack randomization.
Changed ASLR settings:
    vdso random : 20 bit

[20150701] Rewritten stack randomization, and bumped ASLR settings
__HardenedBSD_version = 26

This version brings in true stack randomization.
Changed ASLR settings:
    stack random : 26 -> 42 bit
    exec random : 21 -> 30 bit

[20150605] ASLR "rewrite" and NOEXEC fixes after jhb's vm_mmap.c changes
__HardenedBSD_version = 25
__HardenedBSD_version = 24

Move the mmap randomization to its own place and add more state enforcements (KASSERTs).
Added locking around pax_aslr_mmap(...).
Factor out the MAP_32BIT related code from pax_aslr_mmap(...), and move it to pax_aslr_mmap_map_32bit(...).

[20150604] fix ASLR - randomize the rtld's shared object too
__HardenedBSD_version = 23

Randomize the rtld's address before loading it in imgact_elf.c.

[20150604] added PAX_NOTE_{,NO}SHLIBRANDOM extension
__HardenedBSD_version = 22

This feature will fix the issue mentioned in issue #137.

[20150528] Changed internal structure, removed hardening.pax.segvguard.debug sysctl
__HardenedBSD_version = 21

Changed internal structure.
Removed hardening.pax.segvguard.debug sysctl.

[20150415] Bumped stack randomization
__HardenedBSD_version = 20

Increased stack randomization from 20 bit to 26 bit.

[20150415] Fixed stack randomization
__HardenedBSD_version = 19

[20150408] How to get HardenedBSD and HardenedBSD-ports?

Without git/svnlite:

  HardenedBSD source:
    # fetch https://github.com/HardenedBSD/hardenedBSD/archive/hardened/current/master.tar.gz -o hardenedbsd-src.tar.gz
    # tar xf hardenedbsd-src.tar.gz
    # mv hardenedBSD-hardened-current-master /usr/src

  HardenedBSD ports:
    # fetch https://github.com/HardenedBSD/freebsd-ports/archive/master.tar.gz -o hardenedbsd-ports.tar.gz
    # tar xf hardenedbsd-ports.tar.gz
    # mv freebsd-ports-master /usr/ports

  Secadm:
    # fetch https://github.com/HardenedBSD/secadm/archive/master.tar.gz -o secadm.tar.gz
    # tar xf secadm.tar.gz

With git:

  HardenedBSD source:
    # git clone https://github.com/HardenedBSD/hardenedBSD.git /usr/src

  HardenedBSD ports:
    # git clone https://github.com/HardenedBSD/freebsd-ports.git /usr/ports

  Secadm:
    # git clone https://github.com/HardenedBSD/secadm.git

With svnlite (much slower than the git version):

  HardenedBSD source:
    # svnlite co https://github.com/HardenedBSD/hardenedBSD.git /usr/src

  HardenedBSD ports:
    # svnlite co https://github.com/HardenedBSD/freebsd-ports.git /usr/ports

  Secadm:
    # svnlite co https://github.com/HardenedBSD/secadm.git

[20150404] Added secadm hook to rtld
__HardenedBSD_version = 18

Added the integriforce secadm hook to rtld to validate
shared objects before loading them.

[20150318] Merged first part of NOEXEC project
__HardenedBSD_version = 17

This is the first part of PaX's MPROTECT restriction:
 * this merge brings per-process level restriction settings
 * eliminated the linux sound related mmap weakness
 * improved the logging
 ...

If you have problems with your application, then install
secadm:
 * from pkg:
    pkg install secadm
 * or from github:
    # git clone https://github.com/hardenedbsd/secadm
    # cd secadm
    # make && make install

[201502011] Changed kernel knobs

Added ``options PAX`` to enable the HardenedBSD framework.
All other PAX_* knobs depend on the PAX knob.

[20150131] Upgrading from systems before "HBSD: Revert the chacha20 import in full."

After the "HBSD: Revert the chacha20 import in full." commit
we lost compatibility with the previous version; this
means an ABI break, and the system is unable to boot properly.
The cause is the removed VM_INHERIT_ZERO flag, which
was previously used in libc.

The solution is to install the new world before booting into the new kernel.

1. make buildworld kernel
2. IMPORTANT: install world before you reboot
   2.1. mergemaster -p && make installworld && mergemaster
3. reboot
4. start in single user mode
5. cd /usr/src
6. make delete-old delete-old-libs
7. if you have a buildworld or buildkernel error
   where cc aborts and dumps core,
   then you need to delete the content of the /usr/obj directory:
   7.1 cd /usr/obj
   7.2 rm -rf *

And probably a full ports rebuild is required too...