Date: Sat, 24 May 2014 12:22:36 -0400
From: Shawn Webb <lattera@gmail.com>
To: Pedro Giffuni <pfg@freebsd.org>
Cc: freebsd-current@freebsd.org, "Wojciech A. Koszek" <wkoszek@freebsd.org>, Oliver Pinter <oliver.pntr@gmail.com>
Subject: Re: [CFT] ASLR, PIE, and segvguard on 11-current and 10-stable
Message-ID: <20140524162236.GG2029@pwnie.vrt.sourcefire.com>
In-Reply-To: <4E5105B9-54F7-4780-B954-65BDD42EF331@freebsd.org>
References: <4E5105B9-54F7-4780-B954-65BDD42EF331@freebsd.org>

On May 23, 2014 07:44 PM -0500, Pedro Giffuni wrote:
> (Dropped the cross-posting, which *is* frowned upon)
>
> While I do very much appreciate this work being done, and I agree we should have it in the tree, I would really prefer it opt-in rather than opt-out, at least initially.
>
> I know this may very well be the subject of a bikeshed of historical proportions but:
>
> 1) Understand this may break some applications (?).

Yup. This is why we provide both ugidfw support for dynamic rulesets and per-jail settings. We'll soon be adding FS extended attributes as well.

> 2) It is yet undetermined what the performance effect will be.

Very early on, Oliver ran unixbench against the ASLR implementation. There were some anomalous behaviors. Our implementation has drastically changed since then and we ought to run unixbench again against the current implementation. I've got a lot going on right now, but when things settle down, I'll run unixbench under these conditions:

1) Vanilla FreeBSD 11-CURRENT with WITNESS and other debugging features turned off.
2) FreeBSD 11-CURRENT with ASLR patches applied, but with ASLR turned off, and with WITNESS and other debugging features turned off.
3) FreeBSD 11-CURRENT with ASLR patches applied, but with ASLR turned on, and with WITNESS and other debugging features turned off.

I hope to have the tests done within the next two weeks.

> I find it very neat that it can be enabled for jails though.

That's my second favorite feature of our implementation, the first being ugidfw integration. I'm glad to see you like the jails integration.

Thanks,
Shawn
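A sanity check that goes with the benchmark plan above, added here as an example and not code from the FreeBSD ASLR patch set, HardenedBSD or anyone in the thread: before comparing configuration 2 (patches applied, ASLR off) against configuration 3 (ASLR on), confirm that each memory region actually moves between runs, otherwise the two numbers measure the same layout. The program re-executes itself in a probe mode, collects the executable, libc, heap, mmap and stack addresses over a fixed number of runs, and reports how many address bits differ per region. It assumes only POSIX (popen, mmap) and a C99 compiler; the region list, the run count of 16, and the "varying bits" measure are the example's own choices. The executable region only moves when the binary is built as PIE (-fPIE -pie), which is exactly the PIE half of the CFT.

```c
/* Added example (not from the FreeBSD ASLR patch set): a self-re-executing
 * probe that measures whether the executable, libc, heap, mmap and stack
 * bases move between runs. Assumes only POSIX (popen, mmap) and a C99
 * compiler; build with -fPIE -pie to also see the executable base move. */
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

#define REGIONS 5
#define RUNS 16
static const char *const region_names[REGIONS] = {"exec", "libc", "heap", "mmap", "stack"};

/* Number of bit positions in which the sampled addresses disagree.
 * 0 means every run produced the same address (no randomization for that
 * region). It counts positions only, not how evenly they vary, so it is a
 * lower-bound sanity check rather than an entropy estimate. */
int count_varying_bits(const uintptr_t *addrs, size_t n)
{
    uintptr_t diff = 0;
    for (size_t i = 1; i < n; i++)
        diff |= addrs[i] ^ addrs[0];
    int bits = 0;
    for (; diff != 0; diff >>= 1)
        bits += (int)(diff & 1u);
    return bits;
}

/* Child mode: print one address per region, in region_names order. */
static int probe(void)
{
    int local = 0;                               /* lives on the stack */
    void *heap = malloc(64);                     /* heap region */
    void *map = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (heap == NULL || map == MAP_FAILED)
        return 1;
    printf("%lx\n%lx\n%lx\n%lx\n%lx\n",
           (unsigned long)(uintptr_t)&probe,     /* executable text (moves only if PIE) */
           (unsigned long)(uintptr_t)&printf,    /* shared libc text */
           (unsigned long)(uintptr_t)heap,
           (unsigned long)(uintptr_t)map,
           (unsigned long)(uintptr_t)&local);
    return 0;
}

/* Parent mode: run ourselves RUNS times in probe mode and compare. */
int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--probe") == 0)
        return probe();

    uintptr_t samples[REGIONS][RUNS];
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "'%s' --probe", argv[0]);
    for (int r = 0; r < RUNS; r++) {
        FILE *p = popen(cmd, "r");
        if (p == NULL) { perror("popen"); return 1; }
        for (int i = 0; i < REGIONS; i++) {
            unsigned long v;
            if (fscanf(p, "%lx", &v) != 1) {
                fprintf(stderr, "probe run %d: short output\n", r);
                pclose(p);
                return 1;
            }
            samples[i][r] = (uintptr_t)v;
        }
        pclose(p);
    }
    for (int i = 0; i < REGIONS; i++) {
        int bits = count_varying_bits(samples[i], RUNS);
        printf("%-5s varying bits: %2d%s\n", region_names[i], bits,
               bits == 0 ? "  (not randomized)" : "");
    }
    return 0;
}
```

Run it once per kernel configuration (and once per jail or ugidfw rule you intend to benchmark under) and keep the output next to the unixbench numbers: a region that reports 0 varying bits under the "ASLR on" configuration means that configuration is not exercising the randomization it is meant to measure.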