git: bf410c6eda51 - main - Revert "bsdinstall: add knob to set ASLR sysctls"

Tue, 16 Nov 2021 14:27:19 -0800 

The branch main has been updated by mw:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=bf410c6eda515364db5f6ed74b765efdec0595ae

commit bf410c6eda515364db5f6ed74b765efdec0595ae
Author:     Marcin Wojtas <m...@freebsd.org>
AuthorDate: 2021-11-12 19:32:57 +0000
Commit:     Marcin Wojtas <m...@freebsd.org>
CommitDate: 2021-11-16 22:16:10 +0000

    Revert "bsdinstall: add knob to set ASLR sysctls"
    
    This reverts commit 020f4112559ebf7e94665c9a69f89d21929ce82a.
    
    Because now ASLR is enabled by default for 64-bit architectures
    and the purpose of the installation menu is to allow choosing
    additional 'mitigation'/'hardening' options that are originally
    disabled, remove the ASLR knob from bsdinstall.
    
    Discussed with: emaste
    Obtained from: Semihalf
    Sponsored by: Stormshield
---
 usr.sbin/bsdinstall/scripts/hardening | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/usr.sbin/bsdinstall/scripts/hardening 
b/usr.sbin/bsdinstall/scripts/hardening
index 67ee3672712d..58ea0a112e26 100755
--- a/usr.sbin/bsdinstall/scripts/hardening
+++ b/usr.sbin/bsdinstall/scripts/hardening
@@ -28,20 +28,6 @@
 
 : ${DIALOG_OK=0}
 
-set_aslr_sysctls()
-{
-       for bit in 32 64; do
-               if ! sysctl -Nq kern.elf$bit.aslr.enable >/dev/null; then
-                       continue
-               fi
-               cat >> $BSDINSTALL_TMPETC/sysctl.conf.hardening <<-EOF
-                       kern.elf$bit.aslr.enable=1
-                       kern.elf$bit.aslr.pie_enable=1
-                       kern.elf$bit.aslr.honor_sbrk=0
-               EOF
-       done
-}
-
 echo -n > $BSDINSTALL_TMPETC/rc.conf.hardening
 echo -n > $BSDINSTALL_TMPETC/sysctl.conf.hardening
 echo -n > $BSDINSTALL_TMPBOOT/loader.conf.hardening
@@ -62,7 +48,6 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
        "8 disable_sendmail" "Disable Sendmail service" 
${disable_sendmail:-off} \
        "9 secure_console" "Enable console password prompt" 
${secure_console:-off} \
        "10 disable_ddtrace" "Disallow DTrace destructive-mode" 
${disable_ddtrace:-off} \
-       "11 enable_aslr" "Enable address layout randomization" 
${enable_aslr:-off} \
 2>&1 1>&3 )
 exec 3>&-
 
@@ -101,9 +86,6 @@ for feature in $FEATURES; do
        disable_ddtrace)
                echo 'security.bsd.allow_destructive_dtrace=0' >> 
$BSDINSTALL_TMPBOOT/loader.conf.hardening
                ;;
-       enable_aslr)
-               set_aslr_sysctls
-               ;;
        esac
 done

Reply via email to