On Sat, 18 Apr 2020 at 04:19, Dewayne Geraghty <dewa...@heuristicsystems.com.au> wrote:
>
> I'm on a similar ride. We run applications in both i386 and amd64 jails
> with FreeBSD's ASLR enabled (sendmail, squid, apache, ...) and all good.

Great!

> On the build server, the i386 jail with aslr enabled wasn't able to
> build gcc9; so this was disabled kern.elf32.*.

i386 has little spare address space and compiling applications as PIE has a significant performance impact there, so enabling it only on 64-bit seems quite reasonable.

> ntp was the only real application that didn't play nicely with aslr.
> Fortunately, this was very helpful:
>
> /usr/bin/proccontrol -m aslr -s disable /usr/local/sbin/ntpd...

Yes, and you can now (if using stable/12 or -CURRENT) use elfctl to tag the binary with a note to request randomization be disabled for the process, although we really should address the underlying issue.