HardenedBSD issues
Feed: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues
Feed updated: 2023-05-01T19:59:12Z

Issue #84: Add OpenBSD's "doas" to the base
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/84
Date: 2023-05-01T19:59:12Z
Author: Mr. UNIX

`doas` is a command line utility that OpenBSD has which is similar to `sudo` but has a smaller codebase.
I believe it would be a great idea to include it in HardenedBSD's base. What do other people here think?

Issue #32: Rewrite hbsd-update and hbsd-update-build in C
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/32
Date: 2021-04-16T19:49:28Z
Author: Shawn Webb

Currently, `hbsd-update` and `hbsd-update-build` are written in shell script. Using `/bin/sh` as the language presents issues for more complex setups. By rewriting the tools in C, we can gain more complex features. Those features will be detailed in separate bug reports as they're out of scope for this report.

Issue #98: libhbsdcontrol: functions can hard exit rather than return control to the caller
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/98
Date: 2024-03-10T00:43:42Z
Author: 0x1eef

The functions within libhbsdcontrol can hard exit rather than return an error to the caller. I think a hard exit makes sense for application code, but for library code it's not what I'd usually expect. So far I have worked around this by catching error conditions before I call libhbsdcontrol functions, but it's not ideal. It seems like a common pattern within libhbsdcontrol. An isolated example:
```c
#include <libhbsdcontrol.h>

int
main(void)
{
	/* The path does not exist. Instead of returning the error to the
	 * caller, the library prints it and aborts the whole process. */
	hbsdcontrol_set_feature_state("/does/not/exist", "mprotect", 1);
	return (0);
}
```
Result:
```
$ cc -lhbsdcontrol test.c -o testx
$ ./testx
hbsdcontrol_extattr_set_attr: No such file or directory
testx: abort
```
Assignee: Shawn Webb

Issue #97: hbsdcontrol_set_feature_state can set invalid states
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/97
Date: 2024-03-06T21:21:08Z
Author: 0x1eef

The `hbsdcontrol_set_feature_state` function accepts `pax_feature_state_t` as its last argument.
Valid values include -2 (conflict), -1 (sysdef), 0 (disable), and 1 (enable). But it appears that only 0 (disable) and 1 (enable) are valid values. Other invalid values, like 5, do not return an error. The problem only becomes obvious when you check `/var/log/messages` and see that an invalid state has been set.
```c
// -1 (sysdef) and -2 (conflict) are kernel-derived states, not values a caller
// should be able to write, and 5 is not a state at all. None of these calls
// returns an error; the bad state only shows up later in /var/log/messages.
hbsdcontrol_set_feature_state("/bin/ls", "mprotect", -1);
hbsdcontrol_set_feature_state("/bin/ls", "mprotect", -2);
hbsdcontrol_set_feature_state("/bin/ls", "mprotect", 5);
```
Assignee: Shawn Webb

Issue #96: vm.objects possible regression
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/96
Date: 2024-01-17T14:32:27Z
Author: Joe apache2

This commit fixes an infoleak in the `vm.objects` and `vm.swap_objects` sysctls, where filenames and sizes of all files loaded since boot were exposed to unprivileged users. The fix was to mark the sysctls `CTLFLAG_ROOTONLY`:
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/20177e60364cbf56df0b71b74a00e10e9646d087
We should check if this breaks something in userland; the `vm.objects` syscall is used here:
```
lib/libutil/kinfo_getvmobject.c:kinfo_getvmobject
lib/libutil/kinfo_getvmobject.c:kinfo_getswapvmobject
```
```
usr.bin/vmstat/vmstat.c: kvo = kinfo_getvmobject(&cnt);
usr.bin/systat/proc.c: kvo = kinfo_getswapvmobject(&cnt);
```
ping @shawn.webb

Issue #95: Kernel: Integrate LLVM kCFI
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/95
Date: 2023-11-30T22:51:09Z
Author: Shawn Webb

LLVM kCFI is suitable for integration in the kernel.
Label: Control-Flow Integrity
Assignee: Shawn Webb

Issue #91: hbsd-update hard-link errors on latest 15-CURRENT build
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/91
Date: 2023-11-30T14:02:40Z
Author: Michael Shirk

When running hbsd-update for the following version:
hbsd-v1500000-e01b2bc36ab09ba248a5295dd4dc1563a73aa194
After downloading the update, tar exits on multiple errors on files in "/etc/ssl"
```
./usr/share/certs/untrusted/E-Tugra_Global_Root_CA_ECC_v3.pem: Hard-link target './etc/ssl/untrusted/5a7722fb.0' does not exist.: No such file or directory
./usr/share/certs/untrusted/Staat_der_Nederlanden_EV_Root_CA.pem: Hard-link target './etc/ssl/untrusted/03179a64.0' does not exist.: No such file or directory
```

Issue #89: Text file not saved in krusader via SFTP
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/89
Date: 2023-10-18T14:36:18Z
Author: Vujo

Hello.
If you open a text file for editing in krusader via "sftp://...", the changes are not saved.
Today I installed a clean installation of stable build-22 (2023.10.01) and the problem was reproduced.
To reproduce the problem you need to install:
`pkg install krusader kio-extras`
kio-extras is needed to support SFTP in krusader
The problem is not reproduced on FreeBSD-13.2-RELEASE.

Issue #87: adb devices - execution delay in 2min 33sec
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/87
Date: 2023-05-21T23:03:47Z
Author: Vujo

Hello.
If adb service is not running, it takes 2min 33sec to start.
The issue has been confirmed by other members.
```
root@home # time adb devices
* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
0.009u 0.000s 2:33.19 0.0% 0+0k 0+0io 0pf+0w
root@home # time adb devices
List of devices attached
0.007u 0.000s 0:00.00 0.0% 0+0k 0+0io 0pf+0w
root@home # time adb kill-server
0.006u 0.000s 0:00.00 0.0% 0+0k 0+0io 0pf+0w
root@home # time adb devices
* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
0.007u 0.000s 2:33.02 0.0% 0+0k 0+0io 0pf+0w
```
```
root@home # time adb start-server
* daemon not running; starting now at tcp:5037
* daemon started successfully
0.009u 0.000s 2:33.08 0.0% 0+0k 0+0io 0pf+0w
root@home # time adb devices
List of devices attached
0.008u 0.000s 0:00.00 0.0% 0+0k 0+0io 0pf+0w
```

Issue #74: Booting on PC Engines APU boards broken
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/74
Date: 2022-04-12T10:01:59Z
Author: Shawn Webb

The bootloader seems to crash almost immediately. The initial spinner stops spinning after displaying the first slash. No further output is seen. I'll upload a screenshot soon.

Issue #70: Implement static PIE support
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/70
Date: 2022-01-17T20:32:19Z
Author: Shawn Webb

It'd be great if we could randomize the execution base address of static PIE images. Though OpenBSD's static PIE support is somewhat hacky, we could potentially use that as inspiration for our own implementation.

Issue #69: Implement mremap
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/69
Date: 2023-11-30T22:45:28Z
Author: Shawn Webb

The llvm Cross-DSO CFI implementation depends on mremap, a syscall we currently lack. NetBSD provides an implementation, which we may be able to pull in.
Historically, HardenedBSD maintained syscall compatibility with FreeBSD. We should investigate ways to implement (or emulate) mremap such that we can use it in llvm's Cross-DSO CFI implementation. It would be preferred if we could keep syscall compat with FreeBSD.
Label: Control-Flow Integrity
Assignee: Shawn Webb

Issue #58: Potentially bad idea: investigate using arc4random(3) for rand(3)
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/58
Date: 2021-08-21T00:55:42Z
Author: Shawn Webb

I wonder what, if any, issues this may cause. The rand(3) API is meant to produce reproducible output when using the same seed. Using arc4random would break such determinism. I wonder what ramifications this has in 2021.

Issue #53: Release engineering: Create bittorrent files
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/53
Date: 2021-10-17T16:47:49Z
Author: Shawn Webb

We could make it easier for the community to mirror and distribute HardenedBSD builds. Using only tools in base, we could create the bittorrent files used for downloading and seeding. There may be some infrastructure needed to provide the initial seed. That is something HardenedBSD could provide, given a set of instructions (in this issue) to build out that infrastructure.
Now that we have replaced 90% of our old build servers with newer ones, we can utilize the decommissioned servers to perform non-build-related tasks. We have three such systems.

Issue #52: Update libexpat in base
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/52
Date: 2021-05-26T20:30:39Z
Author: Shawn Webb

The version of libexpat in base is 2.2.9. The latest release is 2.4.1. Bring libexpat up-to-date.

Issue #48: Resolve cfi-icall violations
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/48
Date: 2023-11-30T22:45:14Z
Author: Shawn Webb

Many applications violate the cfi-icall scheme. A cursory list, found by grep, is listed below. This bug report should be the master issue, tracking sub-issues to fix each individual application. So this ticket should be broken out for each application (for example: one for md5, another for mount_nfs, another for bhyveload, etc.)
Some of these cannot be fixed until we gain Cross-DSO CFI support. For example, if a function pointer crosses a DSO boundary (dlopen/dlsym).
```
hbsd-current-01[shawn]:/usr/src $ grep -rnF CFI_OVERRIDE .
./sbin/md5/Makefile:7:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./sbin/mount_nfs/Makefile:14:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/rpc.yppasswdd/Makefile:18:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/bhyveload/Makefile:8:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/mountd/Makefile:7:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/pwd_mkdb/Makefile:11:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/blacklistd/Makefile:23:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/rpc.ypupdated/Makefile:11:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/rpc.umntall/Makefile:10:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/rpc.ypxfrd/Makefile:10:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/ppp/Makefile:19:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/unbound/checkconf/Makefile:16:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/rpcbind/Makefile:10:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/services_mkdb/Makefile:10:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/sendmail/Makefile:31:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/rpc.lockd/Makefile:12:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/rpc.statd/Makefile:10:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.bin/rpcgen/Makefile:7:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.bin/showmount/Makefile:7:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.bin/mail/Makefile:15:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.bin/rpcinfo/Makefile:12:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.bin/nc/Makefile:13:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.bin/svn/svn/Makefile:70:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.bin/vi/Makefile:19:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.bin/tsort/Makefile:6:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./kerberos5/usr.sbin/kstash/Makefile:12:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.sbin/iprop-log/Makefile:14:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.sbin/ktutil/Makefile:19:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/hprop/Makefile:19:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/hpropd/Makefile:12:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/kcm/Makefile:20:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/ipropd-slave/Makefile:13:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/kadmind/Makefile:10:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/kdigest/Makefile:13:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/kdc/Makefile:11:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/kpasswdd/Makefile:11:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/digest-service/Makefile:15:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/ipropd-master/Makefile:13:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/kimpersonate/Makefile:11:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/kfd/Makefile:9:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kdestroy/Makefile:8:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kcc/Makefile:19:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/string2key/Makefile:13:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kadmin/Makefile:27:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kf/Makefile:9:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kpasswd/Makefile:8:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kinit/Makefile:7:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kgetcred/Makefile:8:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/hxtool/Makefile:14:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/verify_krb5_conf/Makefile:9:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/ksu/Makefile:13:CFI_OVERRIDE= -fno-sanitize=cfi-icall
```
Label: Control-Flow Integrity
Assignee: Loic

Issue #46: Bring in jemalloc sized-delete size-checking patch
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/46
Date: 2021-05-18T16:24:00Z
Author: Shawn Webb

This hit my radar: https://github.com/jemalloc/jemalloc/commit/eaed1e39be8574b1a59d21824b68e31af378cd0f

Issue #36: Update manual pages
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/36
Date: 2021-05-23T08:46:25Z
Author: Shawn Webb

The aslr.4 and security.7 manpages need to be updated to reflect recent enhancements in HardenedBSD. Additionally, FreeBSD's ASR and W^X sysctl knobs need to be removed from the security.7 manpage.
Assignee: Loic

Issue #12: jls -s: jls: unknown parameter: hardening.log.log
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/12
Date: 2023-09-19T00:01:33Z
Author: Shawn Webb

*Created by: esbjerg*
When trying to use jls -s on HBSD-12-stable I get an error instead of the parameters for the jail. The host is a HBSD-12-stable updated with hbsd-update.
```
$ hbsd-update -C
hbsd-v1200060-a6ef4a6485dee920caf21165c8438493b0e6fc56
[+] Remote version: hbsd-v1200060-a6ef4a6485dee920caf21165c8438493b0e6fc56 sha256 cf0596c18cb23d7297810a1f57673c4a5ff42b54b8e78969be8a9f7df1e485d3
root@mika:~ # jls -s
jls: unknown parameter: hardening.log.log
```
What I should see is something like this:
```
$ jls -s -j shell
devfs_ruleset=0 enforce_statfs=2 host=new ip4=disable ip6=disable jid=2 name=shell osreldate=1201000 osrelease=12.1-RELEASE-p8 path=/jails/shell nopersist securelevel=-1 sysvmsg=disable sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.mount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nonullfs allow.mount.noprocfs allow.noquotas allow.noraw_sockets allow.noread_msgbuf allow.reserved_ports allow.noset_hostname allow.nosocket_af allow.nosysvipc children.max=0 host.domainname=/""}"" host.hostid=0 host.hostname=shell host.hostuuid=00000000-0000-0000-0000-000000000000
```
(from a freebsd-12.1p8 host)
Assignee: Shawn Webb

Issue #16: hbsd-update -C confusing output
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/16
Date: 2023-09-19T00:01:39Z
Author: Shawn Webb

*Created by: esbjerg*
A laptop was installed with HBSD-12 in August 2020. It was updated using hbsd-update on September 11.
On October 14, hbsd-update -C was run and showed
```
hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5
[+] Remote version: hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5
sha256 2a4d26b0e8511ecb13dfd2c6eb53568ac526fe5bc154cb783fb2e947854150c1
```
To me this indicated the OS was patched to the latest. I concluded that by seeing that the first line matched the Remote version. /var/db/hbsd-update/version did not exist at this point.
After running hbsd-update, hbsd-update -C showed
```
hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5
[+] Local version: hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5
[+] Remote version: hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5
sha256 2a4d26b0e8511ecb13dfd2c6eb53568ac526fe5bc154cb783fb2e947854150c1
```
So the OS did need to be patched. I guess I could have figured that out by the missing "[+] Local version" line.
However, I think it would be easier to understand if hbsd-update always showed the installed OS version. I know the man page says that it will only show the Local version if /var/db/hbsd-update/version exists.
Example of what I think would be nice output:
```
Installed: hbsd-v1200060-3430f024a93e993d556c84381a4c992eac677f18
Latest: hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5
```
Assignees: Shawn Webb, Loic
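Issue #16 above asks for an "Installed / Latest" display and shows the trap the current output sets: when /var/db/hbsd-update/version is absent, the missing "Local version" line reads as "up to date". The following is an added example, not hbsd-update's own code, of computing that status explicitly. It assumes only what the issue shows: version strings of the form `hbsd-v<osversion>-<40-hex-char commit>` and the version file path `/var/db/hbsd-update/version`; the function and status names (`parse_hbsd_version`, `classify_update`, `STATUS_UNKNOWN`, and so on) are this example's own.

```c
/*
 * Added example, not hbsd-update code: classify an installation against the
 * remote build, treating a missing local version file as "unknown" rather
 * than implying the system is current.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HBSD_VERSION_FILE "/var/db/hbsd-update/version"  /* path stated in the issue */

enum update_status {
    STATUS_UNKNOWN,            /* no local version recorded */
    STATUS_UP_TO_DATE,
    STATUS_UPDATE_AVAILABLE,
    STATUS_BRANCH_MISMATCH,    /* remote build is for another osversion */
    STATUS_MALFORMED
};

struct hbsd_version {
    long osversion;            /* e.g. 1200060 */
    char commit[41];           /* full git SHA-1, NUL-terminated */
};

/* Parse "hbsd-v1200060-8249d447...". Returns 1 on success, 0 if malformed. */
int parse_hbsd_version(const char *s, struct hbsd_version *v)
{
    const char *p = s;
    char *end;

    if (strncmp(p, "hbsd-v", 6) != 0)
        return 0;
    p += 6;
    if (!isdigit((unsigned char)*p))
        return 0;
    v->osversion = strtol(p, &end, 10);
    if (*end != '-')
        return 0;
    p = end + 1;
    if (strlen(p) != 40)              /* anything shorter is a truncated hash */
        return 0;
    for (int i = 0; i < 40; i++)
        if (!isxdigit((unsigned char)p[i]))
            return 0;
    memcpy(v->commit, p, 40);
    v->commit[40] = '\0';
    return 1;
}

/* local may be NULL, which is exactly the "version file absent" case. */
enum update_status classify_update(const char *local, const char *remote)
{
    struct hbsd_version l, r;

    if (!parse_hbsd_version(remote, &r))
        return STATUS_MALFORMED;
    if (local == NULL)
        return STATUS_UNKNOWN;
    if (!parse_hbsd_version(local, &l))
        return STATUS_MALFORMED;
    if (l.osversion != r.osversion)
        return STATUS_BRANCH_MISMATCH;
    return strcmp(l.commit, r.commit) == 0 ? STATUS_UP_TO_DATE
                                           : STATUS_UPDATE_AVAILABLE;
}

/* Read the first line of the version file. Returns 1 if present, 0 if absent. */
int read_version_file(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    if (fgets(buf, (int)n, f) == NULL) {
        fclose(f);
        return 0;
    }
    fclose(f);
    buf[strcspn(buf, "\r\n")] = '\0';
    return 1;
}

void print_status(const char *local, const char *remote)
{
    printf("Installed: %s\n", local ? local : "unknown (no " HBSD_VERSION_FILE ")");
    printf("Latest:    %s\n", remote);
    switch (classify_update(local, remote)) {
    case STATUS_UP_TO_DATE:       puts("Status:    up to date"); break;
    case STATUS_UPDATE_AVAILABLE: puts("Status:    update available"); break;
    case STATUS_BRANCH_MISMATCH:  puts("Status:    remote build is for a different OS version"); break;
    case STATUS_UNKNOWN:          puts("Status:    cannot tell; run hbsd-update to record the installed version"); break;
    default:                      puts("Status:    malformed version string"); break;
    }
}

int main(void)
{
    char local[128];
    /* Remote version taken from the output quoted in the issue. */
    const char *remote = "hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5";
    int have_local = read_version_file(HBSD_VERSION_FILE, local, sizeof local);

    print_status(have_local ? local : NULL, remote);
    return 0;
}
```

The point of the separate `STATUS_UNKNOWN` result is that "no record" and "same as remote" are different answers; a tool that prints only what it knows lets the reader conflate them, which is what happened in the report.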
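Issues #98 and #97 above describe two behaviours of `hbsdcontrol_set_feature_state`: it aborts the process on a missing path instead of returning the error, and it accepts state values that are not settable. The following added example is not HardenedBSD or libhbsdcontrol code; it is the caller-side guard the reporter of #98 describes, written so it runs without the library. It assumes the state values given in #97 (-2 conflict, -1 sysdef, 0 disable, 1 enable) and takes the real setter as a function pointer so a stub can stand in; `checked_set_feature_state`, `state_is_settable`, the `pax_feature_state_t` enum spelled out here and the stub are all this example's own names.

```c
/*
 * Added example (not HardenedBSD code): validate a feature-state request and
 * return a negative errno to the caller instead of letting the library abort.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Values as described in issue #97; the enum name matches the one the issue cites. */
typedef enum {
    PAX_FEATURE_CONFLICT = -2,
    PAX_FEATURE_SYSDEF   = -1,
    PAX_FEATURE_DISABLE  = 0,
    PAX_FEATURE_ENABLE   = 1
} pax_feature_state_t;

/* Shape of hbsdcontrol_set_feature_state(), as a pointer so the demo can inject a stub. */
typedef int (*set_state_fn)(const char *path, const char *feature, pax_feature_state_t state);

/* Only explicit enable/disable may be written to a file. sysdef and conflict are
 * states the kernel derives, and anything else (5, say) is not a state at all. */
int state_is_settable(int state)
{
    return state == PAX_FEATURE_DISABLE || state == PAX_FEATURE_ENABLE;
}

/* Returns 0 on success or a negative errno. Never exits the process. */
int checked_set_feature_state(set_state_fn backend, const char *path,
                              const char *feature, int state)
{
    struct stat st;

    if (backend == NULL || path == NULL || feature == NULL || feature[0] == '\0')
        return -EINVAL;
    if (!state_is_settable(state))
        return -EINVAL;     /* the library would have stored this and logged it later */
    if (stat(path, &st) != 0)
        return -errno;      /* -ENOENT for /does/not/exist, instead of an abort */
    if (!S_ISREG(st.st_mode))
        return -EINVAL;     /* the attribute belongs on an executable, not a directory */

    return backend(path, feature, (pax_feature_state_t)state) == 0 ? 0 : -EIO;
}

/* Stand-in for the real setter: records the request instead of touching extattrs. */
static char last_path[256];
static int  last_state = -99;

int stub_set_state(const char *path, const char *feature, pax_feature_state_t state)
{
    (void)feature;
    snprintf(last_path, sizeof last_path, "%s", path);
    last_state = (int)state;
    return 0;
}

int main(void)
{
    int rc;

    rc = checked_set_feature_state(stub_set_state, "/does/not/exist", "mprotect", 1);
    printf("missing path -> %s\n", strerror(-rc));
    rc = checked_set_feature_state(stub_set_state, "/bin/ls", "mprotect", 5);
    printf("state 5      -> %s\n", strerror(-rc));
    rc = checked_set_feature_state(stub_set_state, "/bin/ls", "mprotect", -1);
    printf("state -1     -> %s\n", strerror(-rc));
    rc = checked_set_feature_state(stub_set_state, "/bin/ls", "mprotect", 1);
    printf("enable       -> %s\n", rc == 0 ? "ok" : strerror(-rc));
    return 0;
}
```

In a real program the `backend` argument would be `hbsdcontrol_set_feature_state` itself; the guard only removes the two failure modes the issues name (abort on a bad path, silent acceptance of a bad state) and still cannot catch errors the library raises after the checks, which is why the reporter calls the workaround "not ideal".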