D32833.id.diff
No OneTemporary
Actions

Size

2 KB

Referenced Files

None

Subscribers

None

D32833.id.diff
View Options

	diff --git a/usr.sbin/bsdinstall/scripts/hardening b/usr.sbin/bsdinstall/scripts/hardening
	--- a/usr.sbin/bsdinstall/scripts/hardening
	+++ b/usr.sbin/bsdinstall/scripts/hardening
	@@ -30,22 +30,40 @@

	set_aslr_sysctls()
	{
	- for bit in 32 64; do
	- if ! sysctl -Nq kern.elf$bit.aslr.enable >/dev/null; then
	- continue
	- fi
	- cat >> $BSDINSTALL_TMPETC/sysctl.conf.hardening <<-EOF
	- kern.elf$bit.aslr.enable=1
	- kern.elf$bit.aslr.pie_enable=1
	- kern.elf$bit.aslr.honor_sbrk=0
	- EOF
	- done
	+ local bit="$1"
	+
	+ sed -i '' "/kern.elf$bit.aslr/d" $BSDINSTALL_TMPETC/sysctl.conf.hardening
	+ if ! sysctl -Nq kern.elf$bit.aslr.enable >/dev/null; then
	+ return
	+ fi
	+ cat >> $BSDINSTALL_TMPETC/sysctl.conf.hardening <<-EOF
	+ kern.elf$bit.aslr.enable=1
	+ kern.elf$bit.aslr.pie_enable=1
	+ EOF
	}

	echo -n > $BSDINSTALL_TMPETC/rc.conf.hardening
	echo -n > $BSDINSTALL_TMPETC/sysctl.conf.hardening
	echo -n > $BSDINSTALL_TMPBOOT/loader.conf.hardening

	+#
	+# The ASLR feature is disabled on 32- and enabled on 64-bit
	+# architectures. In order to handle both cases in a single menu,
	+# tick the "enable_aslr" option for the latter, so the default behavior
	+# remains intact.
	+#
	+elfdump -a /boot/kernel/kernel \| grep ELFCLASS64 > /dev/null
	+if [ $? -eq 0 ]; then
	+ arch_bits=64
	+ enable_aslr="on"
	+ cat >> $BSDINSTALL_TMPETC/sysctl.conf.hardening <<-EOF
	+ kern.elf64.aslr.enable=0
	+ kern.elf64.aslr.pie_enable=0
	+ EOF
	+else
	+ arch_bits=32
	+fi
	+
	exec 3>&1
	FEATURES=$( dialog --backtitle "FreeBSD Installer" \
	--title "System Hardening" --nocancel --separate-output \
	@@ -62,7 +80,7 @@
	"8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
	"9 secure_console" "Enable console password prompt" ${secure_console:-off} \
	"10 disable_ddtrace" "Disallow DTrace destructive-mode" ${disable_ddtrace:-off} \
	- "11 enable_aslr" "Enable address layout randomization" ${enable_aslr:-off} \
	+ "11 enable_aslr" "Enable address layout randomization for $arch_bits-bit executables" ${enable_aslr:-off} \
	2>&1 1>&3 )
	exec 3>&-

	@@ -102,7 +120,7 @@
	echo 'security.bsd.allow_destructive_dtrace=0' >> $BSDINSTALL_TMPBOOT/loader.conf.hardening
	;;
	enable_aslr)
	- set_aslr_sysctls
	+ set_aslr_sysctls $arch_bits
	;;
	esac
	done

File Metadata

Mime Type: text/plain
Expires: Sun, May 17, 3:47 PM (21 h, 33 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 33197460
Default Alt Text: D32833.id.diff (2 KB)

D32833.id.diffNo OneTemporaryActions

D32833.id.diffView Options

File Metadata

Event Timeline

D32833.id.diff
No OneTemporary
Actions

D32833.id.diff
View Options