On Mon, Apr 20, 2020 at 10:00:06AM -0400, Ed Maste wrote:
> On Sat, 18 Apr 2020 at 04:19, Dewayne Geraghty
> <dewa...@heuristicsystems.com.au> wrote:
> >
> > I'm on a similar ride.  We run applications in both i386 and amd64 jails
> > with FreeBSD's ASLR enabled (sendmail, squid, apache, ...) and all good.
>
> Great!
>
> > On the build server, the i386 jail with aslr enabled wasn't able to
> > build gcc9; so this was disabled kern.elf32.*.
>
> i386 has little spare address space and compiling applications as PIE
> has a significant performance impact there, so enabling it only on
> 64-bit seems quite reasonable.

With 4/4 i386 gained +1G for UVA, which makes i386 binaries' behaviour
on i386 kernel almost identical to amd64 kernel.

> > ntp was the only real application that didn't play nicely with aslr.
> > Fortunately, this was very helpful:
> >
> > /usr/bin/proccontrol -m aslr -s disable /usr/local/sbin/ntpd...

It is really -m stackgap that hurt ntpd, but I remember that the code
which was causing problems was removed since then.

> Yes, and you can now (if using stable/12 or -CURRENT) use elfctl to
> tag the binary with a note to request randomization be disabled for
> the process, although we really should address the underlying issue.
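
Added example, not part of the original thread or of FreeBSD's tools: a small auditing helper that decodes the feature-control note mentioned above and reports which mitigations a binary opts out of. The note type and bit values are those in FreeBSD's sys/elf_common.h; the function names, the label strings and the sample bytes are this example's own, and it assumes the raw contents of the binary's note section have already been extracted.

```python
import struct

NT_FREEBSD_FEATURE_CTL = 4          # note type, from sys/elf_common.h
FCTL_BITS = {                        # labels are this example's own names
    0x1: "aslr_disabled",            # NT_FREEBSD_FCTL_ASLR_DISABLE
    0x2: "protmax_disabled",         # NT_FREEBSD_FCTL_PROTMAX_DISABLE
    0x4: "stackgap_disabled",        # NT_FREEBSD_FCTL_STKGAP_DISABLE
}

def _pad4(n):
    """ELF note name and descriptor fields are padded to 4 bytes."""
    return (n + 3) & ~3

def iter_notes(buf, endian="<"):
    """Yield (name, type, desc) for each record in a raw ELF note section."""
    off = 0
    while off + 12 <= len(buf):
        namesz, descsz, ntype = struct.unpack_from(endian + "III", buf, off)
        off += 12
        desc_off = off + _pad4(namesz)
        desc_end = desc_off + descsz
        if desc_end > len(buf):
            raise ValueError("truncated ELF note")
        yield buf[off:off + namesz].rstrip(b"\0"), ntype, buf[desc_off:desc_end]
        off = desc_off + _pad4(descsz)

def mitigation_opt_outs(buf, endian="<"):
    """Return sorted opt-out labels, or None if no feature-control note exists."""
    for name, ntype, desc in iter_notes(buf, endian):
        if name == b"FreeBSD" and ntype == NT_FREEBSD_FEATURE_CTL and len(desc) >= 4:
            (bits,) = struct.unpack_from(endian + "I", desc)
            return sorted(label for bit, label in FCTL_BITS.items() if bits & bit)
    return None

def make_note(ntype, desc, name=b"FreeBSD\0"):
    """Build one note record; used only to construct the sample input below."""
    hdr = struct.pack("<III", len(name), len(desc), ntype)
    return hdr + name.ljust(_pad4(len(name)), b"\0") + desc.ljust(_pad4(len(desc)), b"\0")

# Constructed sample note sections: an ABI tag (type 1) plus a feature-control note.
ABI_ONLY = make_note(1, struct.pack("<I", 1200000))
SAMPLE_TAGGED = ABI_ONLY + make_note(NT_FREEBSD_FEATURE_CTL, struct.pack("<I", 0x1 | 0x4))
SAMPLE_CLEAN = ABI_ONLY + make_note(NT_FREEBSD_FEATURE_CTL, struct.pack("<I", 0))

if __name__ == "__main__":
    for label, data in (("tagged", SAMPLE_TAGGED), ("clean", SAMPLE_CLEAN), ("abi-only", ABI_ONLY)):
        print(label, mitigation_opt_outs(data))
```

Run over every installed binary, a check like this gives an inventory of per-binary opt-outs, so a workaround applied for one daemon is not forgotten once the underlying issue is fixed.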