HBSD: cleanups, smaller reverts and review
* Remove default HT disable hardening for now * Remove default tempaddr IPv6 for now * Whitespace changes vs. FreeBSD
This commit is contained in:
parent
0c60df5d32
commit
0c0e584f24
3
etc/motd
3
etc/motd
|
@ -14,5 +14,4 @@ HardenedBSD ?.?.? (UNKNOWN)
|
|||
+------------------------------------------------------------------------------+
|
||||
| keyword: sysctl, secadm, git, github.com/hardenedbsd hardenedbsd.org |
|
||||
+------------------------------------------------------------------------------+
|
||||
Edit /etc/motd to change this login announcement.
|
||||
|
||||
Edit /etc/motd to change this login announcement.
|
||||
|
|
|
@ -12,5 +12,5 @@ FreeBSD: {
|
|||
mirror_type: "srv",
|
||||
signature_type: "fingerprints",
|
||||
fingerprints: "/usr/share/keys/pkg",
|
||||
enabled: no
|
||||
enabled: yes
|
||||
}
|
||||
|
|
|
@ -12,5 +12,5 @@ HardenedBSD: {
|
|||
mirror_type: "srv",
|
||||
signature_type: "fingerprints",
|
||||
fingerprints: "/usr/share/keys/pkg",
|
||||
enabled: yes
|
||||
enabled: no
|
||||
}
|
||||
|
|
|
@ -35,7 +35,6 @@ LIBADD+= crypto
|
|||
CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
|
||||
.endif
|
||||
|
||||
|
||||
.include <bsd.prog.mk>
|
||||
|
||||
.PATH: ${SSHDIR}
|
||||
|
|
|
@ -64,7 +64,6 @@ LIBADD+= crypto
|
|||
CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
|
||||
.endif
|
||||
|
||||
|
||||
.include <bsd.prog.mk>
|
||||
|
||||
.PATH: ${SSHDIR}
|
||||
|
|
|
@ -769,7 +769,7 @@ and related utilities.
|
|||
.It Va WITHOUT_HBSD_UPDATE
|
||||
.\" $HardenedBSD$
|
||||
Set to not build
|
||||
.Xr hbsd-update 8
|
||||
.Xr hbsd-update 8
|
||||
and
|
||||
.Xr hbsd-update-build 8 .
|
||||
.It Va WITH_HESIOD
|
||||
|
@ -939,7 +939,7 @@ When set, it enforces these options:
|
|||
.Va WITHOUT_LIBTHR
|
||||
.El
|
||||
.It Va WITH_LIBRESSL
|
||||
Set to build LibreSSL as libcrypto/libssl provider as replacement of the OpenSSL equivalents.
|
||||
Set to build LibreSSL as libcrypto/libssl provider as replacement of the OpenSSL equivalents.
|
||||
.It Va WITH_LIBSOFT
|
||||
On armv6 only, set to enable soft float ABI compatibility libraries.
|
||||
This option is for transitioning to the new hard float ABI.
|
||||
|
|
|
@ -76,6 +76,7 @@ __DEFAULT_DEPENDENT_OPTIONS = \
|
|||
STAGING_MAN/STAGING \
|
||||
STAGING_PROG/STAGING \
|
||||
|
||||
|
||||
.include <bsd.mkopt.mk>
|
||||
|
||||
#
|
||||
|
|
|
@ -305,7 +305,6 @@ BROKEN_OPTIONS+=LOADER_UBOOT
|
|||
# profiling won't work on MIPS64 because there is only assembly for o32
|
||||
BROKEN_OPTIONS+=PROFILE
|
||||
.endif
|
||||
|
||||
.if ${__T} == "aarch64" || ${__T} == "amd64" || ${__T} == "i386" || \
|
||||
${__T} == "powerpc64" || ${__T} == "sparc64"
|
||||
__DEFAULT_YES_OPTIONS+=CXGBETOOL
|
||||
|
|
|
@ -138,4 +138,3 @@ gdb_end_write(void *arg)
|
|||
|
||||
load_cr0((u_long)arg);
|
||||
}
|
||||
|
||||
|
|
|
@ -90,7 +90,6 @@ __ElfType(Auxinfo);
|
|||
#define AT_PAGESIZESLEN 21 /* Number of pagesizes. */
|
||||
#define AT_TIMEKEEP 22 /* Pointer to timehands. */
|
||||
#define AT_STACKPROT 23 /* Initial stack protection. */
|
||||
|
||||
#define AT_EHDRFLAGS 24 /* e_flags field from elf hdr */
|
||||
#define AT_HWCAP 25 /* CPU feature flags. */
|
||||
#define AT_HWCAP2 26 /* CPU feature flags 2. */
|
||||
|
|
|
@ -88,7 +88,7 @@ __FBSDID("$FreeBSD$");
|
|||
* and too small may compromise initial security but get faster reseeds.
|
||||
*/
|
||||
#define RANDOM_FORTUNA_MINPOOLSIZE 16
|
||||
#define RANDOM_FORTUNA_MAXPOOLSIZE INT_MAX
|
||||
#define RANDOM_FORTUNA_MAXPOOLSIZE INT_MAX
|
||||
CTASSERT(RANDOM_FORTUNA_MINPOOLSIZE <= RANDOM_FORTUNA_DEFPOOLSIZE);
|
||||
CTASSERT(RANDOM_FORTUNA_DEFPOOLSIZE <= RANDOM_FORTUNA_MAXPOOLSIZE);
|
||||
|
||||
|
|
|
@ -763,9 +763,11 @@ vpanic(const char *fmt, va_list ap)
|
|||
#ifdef SMP
|
||||
printf("cpuid = %d\n", PCPU_GET(cpuid));
|
||||
#endif
|
||||
|
||||
#ifdef PAX
|
||||
pax_print_hbsd_context();
|
||||
#endif
|
||||
|
||||
#ifdef KDB
|
||||
if (newpanic && trace_on_panic)
|
||||
kdb_backtrace();
|
||||
|
|
|
@ -33,7 +33,6 @@
|
|||
__FBSDID("$FreeBSD$");
|
||||
|
||||
#include "opt_compat.h"
|
||||
#include "opt_pax.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
|
@ -46,7 +45,6 @@ __FBSDID("$FreeBSD$");
|
|||
#include <sys/priv.h>
|
||||
#include <sys/proc.h>
|
||||
#include <sys/vnode.h>
|
||||
#include <sys/pax.h>
|
||||
#include <sys/ptrace.h>
|
||||
#include <sys/rwlock.h>
|
||||
#include <sys/sx.h>
|
||||
|
|
|
@ -144,7 +144,6 @@ __ElfType(Auxinfo);
|
|||
#define AT_PAGESIZESLEN 21 /* Number of pagesizes. */
|
||||
#define AT_TIMEKEEP 22 /* Pointer to timehands. */
|
||||
#define AT_STACKPROT 23 /* Initial stack protection. */
|
||||
|
||||
#define AT_EHDRFLAGS 24 /* e_flags field from elf hdr */
|
||||
#define AT_HWCAP 25 /* CPU feature flags. */
|
||||
#define AT_HWCAP2 26 /* CPU feature flags 2. */
|
||||
|
|
|
@ -35,7 +35,6 @@ __FBSDID("$FreeBSD$");
|
|||
#include "opt_bootp.h"
|
||||
#include "opt_ipstealth.h"
|
||||
#include "opt_ipsec.h"
|
||||
#include "opt_pax.h"
|
||||
#include "opt_route.h"
|
||||
#include "opt_rss.h"
|
||||
|
||||
|
@ -127,12 +126,7 @@ SYSCTL_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_VNET | CTLFLAG_R
|
|||
* to the loopback interface instead of the interface where the
|
||||
* packets for those addresses are received.
|
||||
*/
|
||||
#ifdef PAX_HARDENING
|
||||
static VNET_DEFINE(int, ip_checkinterface) = 1;
|
||||
#else
|
||||
static VNET_DEFINE(int, ip_checkinterface);
|
||||
#endif
|
||||
|
||||
#define V_ip_checkinterface VNET(ip_checkinterface)
|
||||
SYSCTL_INT(_net_inet_ip, OID_AUTO, check_interface, CTLFLAG_VNET | CTLFLAG_RW,
|
||||
&VNET_NAME(ip_checkinterface), 0,
|
||||
|
|
|
@ -69,7 +69,6 @@ __FBSDID("$FreeBSD$");
|
|||
#include "opt_ipstealth.h"
|
||||
#include "opt_sctp.h"
|
||||
#include "opt_mpath.h"
|
||||
#include "opt_pax.h"
|
||||
#include "opt_route.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
|
@ -375,12 +374,8 @@ VNET_DOMAIN_SET(inet6);
|
|||
#endif /* !IPV6FORWARDING */
|
||||
|
||||
#ifndef IPV6_SENDREDIRECTS
|
||||
#ifdef PAX_HARDENING
|
||||
#define IPV6_SENDREDIRECTS 0
|
||||
#else
|
||||
#define IPV6_SENDREDIRECTS 1
|
||||
#endif
|
||||
#endif
|
||||
|
||||
VNET_DEFINE(int, ip6_forwarding) = IPV6FORWARDING; /* act as router? */
|
||||
VNET_DEFINE(int, ip6_sendredirects) = IPV6_SENDREDIRECTS;
|
||||
|
@ -397,13 +392,8 @@ VNET_DEFINE(int, ip6_hdrnestlimit) = 15;/* How many header options will we
|
|||
* process? */
|
||||
VNET_DEFINE(int, ip6_dad_count) = 1; /* DupAddrDetectionTransmits */
|
||||
VNET_DEFINE(int, ip6_auto_flowlabel) = 1;
|
||||
#ifdef PAX_HARDENING
|
||||
VNET_DEFINE(int, ip6_use_deprecated) = 0;/* allow deprecated addr
|
||||
* (RFC2462 5.5.4) */
|
||||
#else
|
||||
VNET_DEFINE(int, ip6_use_deprecated) = 1;/* allow deprecated addr
|
||||
* (RFC2462 5.5.4) */
|
||||
#endif
|
||||
VNET_DEFINE(int, ip6_rr_prune) = 5; /* router renumbering prefix
|
||||
* walk list every 5 sec. */
|
||||
VNET_DEFINE(int, ip6_mcast_pmtu) = 0; /* enable pMTU discovery for multicast? */
|
||||
|
@ -426,11 +416,7 @@ VNET_DEFINE(int, pmtu_expire) = 60*10;
|
|||
VNET_DEFINE(int, pmtu_probe) = 60*2;
|
||||
|
||||
/* ICMPV6 parameters */
|
||||
#ifdef PAX_HARDENING
|
||||
VNET_DEFINE(int, icmp6_rediraccept) = 0;/* accept and process redirects */
|
||||
#else
|
||||
VNET_DEFINE(int, icmp6_rediraccept) = 1;/* accept and process redirects */
|
||||
#endif
|
||||
VNET_DEFINE(int, icmp6_redirtimeout) = 10 * 60; /* 10 minutes */
|
||||
VNET_DEFINE(int, icmp6errppslim) = 100; /* 100pps */
|
||||
/* control how to respond to NI queries */
|
||||
|
|
|
@ -66,7 +66,6 @@ __FBSDID("$FreeBSD$");
|
|||
#include "opt_inet.h"
|
||||
#include "opt_inet6.h"
|
||||
#include "opt_mpath.h"
|
||||
#include "opt_pax.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
|
@ -129,11 +128,7 @@ static struct sx addrsel_sxlock;
|
|||
static VNET_DEFINE(struct in6_addrpolicy, defaultaddrpolicy);
|
||||
#define V_defaultaddrpolicy VNET(defaultaddrpolicy)
|
||||
|
||||
#ifdef PAX_HARDENING
|
||||
VNET_DEFINE(int, ip6_prefer_tempaddr) = 1;
|
||||
#else
|
||||
VNET_DEFINE(int, ip6_prefer_tempaddr) = 0;
|
||||
#endif
|
||||
|
||||
static int selectroute(struct sockaddr_in6 *, struct ip6_pktopts *,
|
||||
struct ip6_moptions *, struct route_in6 *, struct ifnet **,
|
||||
|
|
|
@ -34,7 +34,6 @@ __FBSDID("$FreeBSD$");
|
|||
|
||||
#include "opt_inet.h"
|
||||
#include "opt_inet6.h"
|
||||
#include "opt_pax.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
|
@ -97,11 +96,7 @@ static VNET_DEFINE(struct ifnet *, nd6_defifp);
|
|||
VNET_DEFINE(int, nd6_defifindex);
|
||||
#define V_nd6_defifp VNET(nd6_defifp)
|
||||
|
||||
#ifdef PAX_HARDENING
|
||||
VNET_DEFINE(int, ip6_use_tempaddr) = 1;
|
||||
#else
|
||||
VNET_DEFINE(int, ip6_use_tempaddr) = 0;
|
||||
#endif
|
||||
|
||||
VNET_DEFINE(int, ip6_desync_factor);
|
||||
VNET_DEFINE(u_int32_t, ip6_temp_preferred_lifetime) = DEF_TEMP_PREFERRED_LIFETIME;
|
||||
|
|
|
@ -107,7 +107,6 @@ __ElfType(Auxinfo);
|
|||
#define AT_PAGESIZESLEN 19 /* Number of pagesizes. */
|
||||
#define AT_STACKPROT 21 /* Initial stack protection. */
|
||||
#define AT_TIMEKEEP 22 /* Pointer to timehands. */
|
||||
|
||||
#define AT_EHDRFLAGS 24 /* e_flags field from elf hdr */
|
||||
#define AT_HWCAP 25 /* CPU feature flags. */
|
||||
#define AT_HWCAP2 26 /* CPU feature flags 2. */
|
||||
|
|
|
@ -90,7 +90,6 @@ __ElfType(Auxinfo);
|
|||
#define AT_PAGESIZESLEN 21 /* Number of pagesizes. */
|
||||
#define AT_TIMEKEEP 22 /* Pointer to timehands. */
|
||||
#define AT_STACKPROT 23 /* Initial stack protection. */
|
||||
|
||||
#define AT_EHDRFLAGS 24 /* e_flags field from elf hdr */
|
||||
#define AT_HWCAP 25 /* CPU feature flags. */
|
||||
#define AT_HWCAP2 26 /* CPU feature flags 2. */
|
||||
|
|
|
@ -100,7 +100,6 @@ __ElfType(Auxinfo);
|
|||
#define AT_PAGESIZESLEN 21 /* Number of pagesizes. */
|
||||
#define AT_TIMEKEEP 22 /* Pointer to timehands. */
|
||||
#define AT_STACKPROT 23 /* Initial stack protection. */
|
||||
|
||||
#define AT_EHDRFLAGS 24 /* e_flags field from elf hdr */
|
||||
#define AT_HWCAP 25 /* CPU feature flags. */
|
||||
#define AT_HWCAP2 26 /* CPU feature flags 2. */
|
||||
|
@ -189,7 +188,6 @@ __ElfType(Auxinfo);
|
|||
#define AT_PAGESIZESLEN 21 /* Number of pagesizes. */
|
||||
#define AT_TIMEKEEP 22 /* Pointer to timehands. */
|
||||
#define AT_STACKPROT 23 /* Initial stack protection. */
|
||||
|
||||
#define AT_EHDRFLAGS 24 /* e_flags field from elf hdr */
|
||||
#define AT_HWCAP 25 /* CPU feature flags. */
|
||||
#define AT_HWCAP2 26 /* CPU feature flags 2. */
|
||||
|
|
|
@ -33,7 +33,6 @@ __FBSDID("$FreeBSD$");
|
|||
#include "opt_cpu.h"
|
||||
#include "opt_isa.h"
|
||||
#include "opt_kstack_pages.h"
|
||||
#include "opt_pax.h"
|
||||
#include "opt_pmap.h"
|
||||
#include "opt_sched.h"
|
||||
#include "opt_smp.h"
|
||||
|
@ -138,11 +137,7 @@ volatile u_int cpu_ipi_pending[MAXCPU];
|
|||
static void release_aps(void *dummy);
|
||||
static void cpustop_handler_post(u_int cpu);
|
||||
|
||||
#ifdef PAX_HARDENING
|
||||
static int hyperthreading_allowed;
|
||||
#else
|
||||
static int hyperthreading_allowed = 1;
|
||||
#endif
|
||||
SYSCTL_INT(_machdep, OID_AUTO, hyperthreading_allowed, CTLFLAG_RDTUN,
|
||||
&hyperthreading_allowed, 0, "Use Intel HTT logical CPUs");
|
||||
|
||||
|
|
|
@ -66,7 +66,7 @@ ATF_TC_BODY(kern_copyin, tc)
|
|||
/*
|
||||
* On HardenedBSD, the last page not always mapped in contrast
|
||||
* to FreeBSD, where the last page always mapped as shared page.
|
||||
*
|
||||
*
|
||||
* To fix this test, which expects the existence of the last page
|
||||
* just map them in at the test start, and unmap them at the end.
|
||||
*/
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
.\" $HardenedBSD$
|
||||
.\" $FreeBSD$
|
||||
Set to not build
|
||||
.Xr hbsd-update 8
|
||||
.Xr hbsd-update 8
|
||||
and
|
||||
.Xr hbsd-update-build 8 .
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
.\" $FreeBSD: $
|
||||
Set to build OpenSSL as libcrypto/libssl provider as replacement of the LibreSSL equivalents.
|
||||
.\" $FreeBSD$
|
||||
Set to build OpenSSL as libcrypto/libssl provider as replacement of the LibreSSL equivalents.
|
||||
|
|
|
@ -1 +1,2 @@
|
|||
.\" $FreeBSD$
|
||||
Disable building of Position-Independent Executables (PIEs).
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
.\" $FreeBSD: $
|
||||
Set to build LibreSSL as libcrypto/libssl provider as replacement of the OpenSSL equivalents.
|
||||
.\" $FreeBSD$
|
||||
Set to build LibreSSL as libcrypto/libssl provider as replacement of the OpenSSL equivalents.
|
||||
|
|
|
@ -1 +1,2 @@
|
|||
.\" $FreeBSD$
|
||||
Set to compile with SafeStack.
|
||||
|
|
|
@ -1 +1,2 @@
|
|||
.\" $FreeBSD$
|
||||
Enable randomizing the load order of shared objects.
|
||||
|
|
|
@ -17,7 +17,6 @@ MAN= ctld.8 ctl.conf.5
|
|||
|
||||
LIBADD= bsdxml l md sbuf util ucl m
|
||||
|
||||
|
||||
YFLAGS+= -v
|
||||
CLEANFILES= y.tab.c y.tab.h y.output
|
||||
|
||||
|
|
|
@ -29,5 +29,4 @@ CFLAGS+= -DIPSEC
|
|||
LIBADD+= ipsec
|
||||
.endif
|
||||
|
||||
|
||||
.include <bsd.prog.mk>
|
||||
|
|
|
@ -11,7 +11,6 @@ MAN= iscsid.8
|
|||
|
||||
LIBADD= md util
|
||||
|
||||
|
||||
WARNS= 6
|
||||
|
||||
.include <bsd.prog.mk>
|
||||
|
|
|
@ -129,7 +129,7 @@ auth_CheckPasswd(const char *name, const char *data, const char *key)
|
|||
struct passwd *pw;
|
||||
int result = 0;
|
||||
char *cryptpw;
|
||||
|
||||
|
||||
pw = getpwnam(name);
|
||||
|
||||
if (pw) {
|
||||
|
|
|
@ -21,5 +21,4 @@ SRCS= rtsold.c rtsol.c if.c probe.c dump.c rtsock.c
|
|||
|
||||
WARNS?= 3
|
||||
|
||||
|
||||
.include <bsd.prog.mk>
|
||||
|
|
|
@ -198,7 +198,6 @@ CFLAGS+= -I${DESTDIR}/usr/include/openssl
|
|||
CFLAGS+= -DHAVE_LIBCRYPTO -DHAVE_OPENSSL_EVP_H
|
||||
.endif
|
||||
|
||||
|
||||
.if ${MK_PF} != "no"
|
||||
SRCS+= print-pflog.c \
|
||||
print-pfsync.c
|
||||
|
|
Loading…
Reference in New Issue