HBSD: cleanups, smaller reverts and review

* Remove default HT disable hardening for now * Remove default tempaddr IPv6 for now * Whitespace changes vs. FreeBSD
2018-10-07 17:29:46 +02:00 · 2018-10-07 17:29:46 +02:00 · 0c0e584f24
parent 0c60df5d32
commit 0c0e584f24
35 changed files with 20 additions and 67 deletions
--- a/etc/motd
+++ b/etc/motd
@ -14,5 +14,4 @@ HardenedBSD ?.?.?  (UNKNOWN)
 +------------------------------------------------------------------------------+
 |     keyword: sysctl, secadm, git, github.com/hardenedbsd hardenedbsd.org     |
 +------------------------------------------------------------------------------+
-                Edit /etc/motd to change this login announcement.               
-
+                Edit /etc/motd to change this login announcement.
--- a/etc/pkg/FreeBSD.conf
+++ b/etc/pkg/FreeBSD.conf
@ -12,5 +12,5 @@ FreeBSD: {
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
-  enabled: no
+  enabled: yes
 }
--- a/etc/pkg/HardenedBSD.conf
+++ b/etc/pkg/HardenedBSD.conf
@ -12,5 +12,5 @@ HardenedBSD: {
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
-  enabled: yes
+  enabled: no
 }
--- a/secure/usr.bin/ssh/Makefile
+++ b/secure/usr.bin/ssh/Makefile
@ -35,7 +35,6 @@ LIBADD+=	crypto
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
 .endif

-
 .include <bsd.prog.mk>

 .PATH:	${SSHDIR}
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@ -64,7 +64,6 @@ LIBADD+=	crypto
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
 .endif

-
 .include <bsd.prog.mk>

 .PATH:	${SSHDIR}
--- a/share/man/man5/src.conf.5
+++ b/share/man/man5/src.conf.5
@ -769,7 +769,7 @@ and related utilities.
 .It Va WITHOUT_HBSD_UPDATE
 .\" $HardenedBSD$
 Set to not build
-.Xr hbsd-update 8 
+.Xr hbsd-update 8
 and
 .Xr hbsd-update-build 8 .
 .It Va WITH_HESIOD
@ -939,7 +939,7 @@ When set, it enforces these options:
 .Va WITHOUT_LIBTHR
 .El
 .It Va WITH_LIBRESSL
-Set to build LibreSSL as libcrypto/libssl provider as replacement of the OpenSSL equivalents. 
+Set to build LibreSSL as libcrypto/libssl provider as replacement of the OpenSSL equivalents.
 .It Va WITH_LIBSOFT
 On armv6 only, set to enable soft float ABI compatibility libraries.
 This option is for transitioning to the new hard float ABI.
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@ -76,6 +76,7 @@ __DEFAULT_DEPENDENT_OPTIONS = \
    STAGING_MAN/STAGING \
    STAGING_PROG/STAGING \

+
 .include <bsd.mkopt.mk>

 #
--- a/share/mk/src.opts.mk
+++ b/share/mk/src.opts.mk
@ -305,7 +305,6 @@ BROKEN_OPTIONS+=LOADER_UBOOT
 # profiling won't work on MIPS64 because there is only assembly for o32
 BROKEN_OPTIONS+=PROFILE
 .endif
-
 .if ${__T} == "aarch64" || ${__T} == "amd64" || ${__T} == "i386" || \
    ${__T} == "powerpc64" || ${__T} == "sparc64"
 __DEFAULT_YES_OPTIONS+=CXGBETOOL
--- a/sys/amd64/amd64/gdb_machdep.c
+++ b/sys/amd64/amd64/gdb_machdep.c
@ -138,4 +138,3 @@ gdb_end_write(void *arg)

 	load_cr0((u_long)arg);
 }
-
--- a/sys/arm64/include/elf.h
+++ b/sys/arm64/include/elf.h
@ -90,7 +90,6 @@ __ElfType(Auxinfo);
 #define	AT_PAGESIZESLEN	21	/* Number of pagesizes. */
 #define	AT_TIMEKEEP	22	/* Pointer to timehands. */
 #define	AT_STACKPROT	23	/* Initial stack protection. */
-
 #define	AT_EHDRFLAGS	24	/* e_flags field from elf hdr */
 #define	AT_HWCAP	25	/* CPU feature flags. */
 #define	AT_HWCAP2	26	/* CPU feature flags 2. */
--- a/sys/dev/random/fortuna.c
+++ b/sys/dev/random/fortuna.c
@ -88,7 +88,7 @@ __FBSDID("$FreeBSD$");
 * and too small may compromise initial security but get faster reseeds.
 */
 #define	RANDOM_FORTUNA_MINPOOLSIZE 16
-#define	RANDOM_FORTUNA_MAXPOOLSIZE INT_MAX 
+#define	RANDOM_FORTUNA_MAXPOOLSIZE INT_MAX
 CTASSERT(RANDOM_FORTUNA_MINPOOLSIZE <= RANDOM_FORTUNA_DEFPOOLSIZE);
 CTASSERT(RANDOM_FORTUNA_DEFPOOLSIZE <= RANDOM_FORTUNA_MAXPOOLSIZE);

--- a/sys/kern/kern_shutdown.c
+++ b/sys/kern/kern_shutdown.c
@ -763,9 +763,11 @@ vpanic(const char *fmt, va_list ap)
 #ifdef SMP
 	printf("cpuid = %d\n", PCPU_GET(cpuid));
 #endif
+
 #ifdef PAX
 	pax_print_hbsd_context();
 #endif
+
 #ifdef KDB
 	if (newpanic && trace_on_panic)
 		kdb_backtrace();
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@ -33,7 +33,6 @@
 __FBSDID("$FreeBSD$");

 #include "opt_compat.h"
-#include "opt_pax.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -46,7 +45,6 @@ __FBSDID("$FreeBSD$");
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/vnode.h>
-#include <sys/pax.h>
 #include <sys/ptrace.h>
 #include <sys/rwlock.h>
 #include <sys/sx.h>
--- a/sys/mips/include/elf.h
+++ b/sys/mips/include/elf.h
@ -144,7 +144,6 @@ __ElfType(Auxinfo);
 #define	AT_PAGESIZESLEN	21	/* Number of pagesizes. */
 #define	AT_TIMEKEEP	22	/* Pointer to timehands. */
 #define	AT_STACKPROT	23	/* Initial stack protection. */
-
 #define	AT_EHDRFLAGS	24	/* e_flags field from elf hdr */
 #define	AT_HWCAP	25	/* CPU feature flags. */
 #define	AT_HWCAP2	26	/* CPU feature flags 2. */
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -35,7 +35,6 @@ __FBSDID("$FreeBSD$");
 #include "opt_bootp.h"
 #include "opt_ipstealth.h"
 #include "opt_ipsec.h"
-#include "opt_pax.h"
 #include "opt_route.h"
 #include "opt_rss.h"

@ -127,12 +126,7 @@ SYSCTL_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_VNET | CTLFLAG_R
 * to the loopback interface instead of the interface where the
 * packets for those addresses are received.
 */
-#ifdef PAX_HARDENING
-static VNET_DEFINE(int, ip_checkinterface) = 1;
-#else
 static VNET_DEFINE(int, ip_checkinterface);
-#endif
-
 #define	V_ip_checkinterface	VNET(ip_checkinterface)
 SYSCTL_INT(_net_inet_ip, OID_AUTO, check_interface, CTLFLAG_VNET | CTLFLAG_RW,
    &VNET_NAME(ip_checkinterface), 0,
--- a/sys/netinet6/in6_proto.c
+++ b/sys/netinet6/in6_proto.c
@ -69,7 +69,6 @@ __FBSDID("$FreeBSD$");
 #include "opt_ipstealth.h"
 #include "opt_sctp.h"
 #include "opt_mpath.h"
-#include "opt_pax.h"
 #include "opt_route.h"

 #include <sys/param.h>
@ -375,12 +374,8 @@ VNET_DOMAIN_SET(inet6);
 #endif /* !IPV6FORWARDING */

 #ifndef	IPV6_SENDREDIRECTS
-#ifdef PAX_HARDENING
-#define	IPV6_SENDREDIRECTS	0
-#else
 #define	IPV6_SENDREDIRECTS	1
 #endif
-#endif

 VNET_DEFINE(int, ip6_forwarding) = IPV6FORWARDING;	/* act as router? */
 VNET_DEFINE(int, ip6_sendredirects) = IPV6_SENDREDIRECTS;
@ -397,13 +392,8 @@ VNET_DEFINE(int, ip6_hdrnestlimit) = 15;/* How many header options will we
 					 * process? */
 VNET_DEFINE(int, ip6_dad_count) = 1;	/* DupAddrDetectionTransmits */
 VNET_DEFINE(int, ip6_auto_flowlabel) = 1;
-#ifdef PAX_HARDENING
-VNET_DEFINE(int, ip6_use_deprecated) = 0;/* allow deprecated addr
-					 * (RFC2462 5.5.4) */
-#else
 VNET_DEFINE(int, ip6_use_deprecated) = 1;/* allow deprecated addr
 					 * (RFC2462 5.5.4) */
-#endif
 VNET_DEFINE(int, ip6_rr_prune) = 5;	/* router renumbering prefix
 					 * walk list every 5 sec. */
 VNET_DEFINE(int, ip6_mcast_pmtu) = 0;	/* enable pMTU discovery for multicast? */
@ -426,11 +416,7 @@ VNET_DEFINE(int, pmtu_expire) = 60*10;
 VNET_DEFINE(int, pmtu_probe) = 60*2;

 /* ICMPV6 parameters */
-#ifdef PAX_HARDENING
-VNET_DEFINE(int, icmp6_rediraccept) = 0;/* accept and process redirects */
-#else
 VNET_DEFINE(int, icmp6_rediraccept) = 1;/* accept and process redirects */
-#endif
 VNET_DEFINE(int, icmp6_redirtimeout) = 10 * 60;	/* 10 minutes */
 VNET_DEFINE(int, icmp6errppslim) = 100;		/* 100pps */
 /* control how to respond to NI queries */
--- a/sys/netinet6/in6_src.c
+++ b/sys/netinet6/in6_src.c
@ -66,7 +66,6 @@ __FBSDID("$FreeBSD$");
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_mpath.h"
-#include "opt_pax.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -129,11 +128,7 @@ static struct sx addrsel_sxlock;
 static VNET_DEFINE(struct in6_addrpolicy, defaultaddrpolicy);
 #define	V_defaultaddrpolicy		VNET(defaultaddrpolicy)

-#ifdef PAX_HARDENING
-VNET_DEFINE(int, ip6_prefer_tempaddr) = 1;
-#else
 VNET_DEFINE(int, ip6_prefer_tempaddr) = 0;
-#endif

 static int selectroute(struct sockaddr_in6 *, struct ip6_pktopts *,
 	struct ip6_moptions *, struct route_in6 *, struct ifnet **,
--- a/sys/netinet6/nd6_rtr.c
+++ b/sys/netinet6/nd6_rtr.c
@ -34,7 +34,6 @@ __FBSDID("$FreeBSD$");

 #include "opt_inet.h"
 #include "opt_inet6.h"
-#include "opt_pax.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -97,11 +96,7 @@ static VNET_DEFINE(struct ifnet *, nd6_defifp);
 VNET_DEFINE(int, nd6_defifindex);
 #define	V_nd6_defifp			VNET(nd6_defifp)

-#ifdef PAX_HARDENING
-VNET_DEFINE(int, ip6_use_tempaddr) = 1;
-#else
 VNET_DEFINE(int, ip6_use_tempaddr) = 0;
-#endif

 VNET_DEFINE(int, ip6_desync_factor);
 VNET_DEFINE(u_int32_t, ip6_temp_preferred_lifetime) = DEF_TEMP_PREFERRED_LIFETIME;
--- a/sys/powerpc/include/elf.h
+++ b/sys/powerpc/include/elf.h
@ -107,7 +107,6 @@ __ElfType(Auxinfo);
 #define	AT_PAGESIZESLEN	19	/* Number of pagesizes. */
 #define	AT_STACKPROT	21	/* Initial stack protection. */
 #define	AT_TIMEKEEP	22	/* Pointer to timehands. */
-
 #define	AT_EHDRFLAGS	24	/* e_flags field from elf hdr */
 #define	AT_HWCAP	25	/* CPU feature flags. */
 #define	AT_HWCAP2	26	/* CPU feature flags 2. */
--- a/sys/riscv/include/elf.h
+++ b/sys/riscv/include/elf.h
@ -90,7 +90,6 @@ __ElfType(Auxinfo);
 #define	AT_PAGESIZESLEN	21	/* Number of pagesizes. */
 #define	AT_TIMEKEEP	22	/* Pointer to timehands. */
 #define	AT_STACKPROT	23	/* Initial stack protection. */
-
 #define	AT_EHDRFLAGS	24	/* e_flags field from elf hdr */
 #define	AT_HWCAP	25	/* CPU feature flags. */
 #define	AT_HWCAP2	26	/* CPU feature flags 2. */
--- a/sys/x86/include/elf.h
+++ b/sys/x86/include/elf.h
@ -100,7 +100,6 @@ __ElfType(Auxinfo);
 #define	AT_PAGESIZESLEN	21	/* Number of pagesizes. */
 #define	AT_TIMEKEEP	22	/* Pointer to timehands. */
 #define	AT_STACKPROT	23	/* Initial stack protection. */
-
 #define	AT_EHDRFLAGS	24	/* e_flags field from elf hdr */
 #define	AT_HWCAP	25	/* CPU feature flags. */
 #define	AT_HWCAP2	26	/* CPU feature flags 2. */
@ -189,7 +188,6 @@ __ElfType(Auxinfo);
 #define	AT_PAGESIZESLEN	21	/* Number of pagesizes. */
 #define	AT_TIMEKEEP	22	/* Pointer to timehands. */
 #define	AT_STACKPROT	23	/* Initial stack protection. */
-
 #define	AT_EHDRFLAGS	24	/* e_flags field from elf hdr */
 #define	AT_HWCAP	25	/* CPU feature flags. */
 #define	AT_HWCAP2	26	/* CPU feature flags 2. */
--- a/sys/x86/x86/mp_x86.c
+++ b/sys/x86/x86/mp_x86.c
@ -33,7 +33,6 @@ __FBSDID("$FreeBSD$");
 #include "opt_cpu.h"
 #include "opt_isa.h"
 #include "opt_kstack_pages.h"
-#include "opt_pax.h"
 #include "opt_pmap.h"
 #include "opt_sched.h"
 #include "opt_smp.h"
@ -138,11 +137,7 @@ volatile u_int cpu_ipi_pending[MAXCPU];
 static void	release_aps(void *dummy);
 static void	cpustop_handler_post(u_int cpu);

-#ifdef PAX_HARDENING
-static int	hyperthreading_allowed;
-#else
 static int	hyperthreading_allowed = 1;
-#endif
 SYSCTL_INT(_machdep, OID_AUTO, hyperthreading_allowed, CTLFLAG_RDTUN,
 	&hyperthreading_allowed, 0, "Use Intel HTT logical CPUs");

--- a/tests/sys/kern/kern_copyin.c
+++ b/tests/sys/kern/kern_copyin.c
@ -66,7 +66,7 @@ ATF_TC_BODY(kern_copyin, tc)
 	/*
 	 * On HardenedBSD, the last page not always mapped in contrast
 	 * to FreeBSD, where the last page always mapped as shared page.
-	 * 
+	 *
 	 * To fix this test, which expects the existence of the last page
 	 * just map them in at the test start, and unmap them at the end.
 	 */
--- a/tools/build/options/WITHOUT_HBSD_UPDATE
+++ b/tools/build/options/WITHOUT_HBSD_UPDATE
@ -1,5 +1,5 @@
-.\" $HardenedBSD$
+.\" $FreeBSD$
 Set to not build
-.Xr hbsd-update 8 
+.Xr hbsd-update 8
 and
 .Xr hbsd-update-build 8 .
--- a/tools/build/options/WITHOUT_LIBRESSL
+++ b/tools/build/options/WITHOUT_LIBRESSL
@ -1,2 +1,2 @@
-.\" $FreeBSD: $
-Set to build OpenSSL as libcrypto/libssl provider as replacement of the LibreSSL equivalents. 
+.\" $FreeBSD$
+Set to build OpenSSL as libcrypto/libssl provider as replacement of the LibreSSL equivalents.
--- a/tools/build/options/WITHOUT_PIE
+++ b/tools/build/options/WITHOUT_PIE
@ -1 +1,2 @@
+.\" $FreeBSD$
 Disable building of Position-Independent Executables (PIEs).
--- a/tools/build/options/WITH_LIBRESSL
+++ b/tools/build/options/WITH_LIBRESSL
@ -1,2 +1,2 @@
-.\" $FreeBSD: $
-Set to build LibreSSL as libcrypto/libssl provider as replacement of the OpenSSL equivalents. 
+.\" $FreeBSD$
+Set to build LibreSSL as libcrypto/libssl provider as replacement of the OpenSSL equivalents.
--- a/tools/build/options/WITH_SAFESTACK
+++ b/tools/build/options/WITH_SAFESTACK
@ -1 +1,2 @@
+.\" $FreeBSD$
 Set to compile with SafeStack.
--- a/tools/build/options/WITH_SHLIBRANDOM
+++ b/tools/build/options/WITH_SHLIBRANDOM
@ -1 +1,2 @@
+.\" $FreeBSD$
 Enable randomizing the load order of shared objects.
--- a/usr.sbin/ctld/Makefile
+++ b/usr.sbin/ctld/Makefile
@ -17,7 +17,6 @@ MAN=		ctld.8 ctl.conf.5

 LIBADD=		bsdxml l md sbuf util ucl m

-
 YFLAGS+=	-v
 CLEANFILES=	y.tab.c y.tab.h y.output

--- a/usr.sbin/inetd/Makefile
+++ b/usr.sbin/inetd/Makefile
@ -29,5 +29,4 @@ CFLAGS+= -DIPSEC
 LIBADD+=	ipsec
 .endif

-
 .include <bsd.prog.mk>
--- a/usr.sbin/iscsid/Makefile
+++ b/usr.sbin/iscsid/Makefile
@ -11,7 +11,6 @@ MAN=		iscsid.8

 LIBADD=		md util

-
 WARNS=		6

 .include <bsd.prog.mk>
--- a/usr.sbin/ppp/auth.c
+++ b/usr.sbin/ppp/auth.c
@ -129,7 +129,7 @@ auth_CheckPasswd(const char *name, const char *data, const char *key)
    struct passwd *pw;
    int result = 0;
    char *cryptpw;
-    
+
    pw = getpwnam(name);

    if (pw) {
--- a/usr.sbin/rtsold/Makefile
+++ b/usr.sbin/rtsold/Makefile
@ -21,5 +21,4 @@ SRCS=	rtsold.c rtsol.c if.c probe.c dump.c rtsock.c

 WARNS?=	3

-
 .include <bsd.prog.mk>
--- a/usr.sbin/tcpdump/tcpdump/Makefile
+++ b/usr.sbin/tcpdump/tcpdump/Makefile
@ -198,7 +198,6 @@ CFLAGS+= -I${DESTDIR}/usr/include/openssl
 CFLAGS+= -DHAVE_LIBCRYPTO -DHAVE_OPENSSL_EVP_H
 .endif

-
 .if ${MK_PF} != "no"
 SRCS+=	print-pflog.c \
 	print-pfsync.c