HardenedBSD issues
Feed: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues
Feed updated: 2022-01-17T20:32:19Z

Issue #70: Implement static PIE support
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/70
Updated: 2022-01-17T20:32:19Z
Author: Shawn Webb

It'd be great if we could randomize the execution base address of static PIE images. Though OpenBSD's static PIE support is somewhat hacky, we could potentially use that as inspiration for our own implementation.

Issue #69: Implement mremap
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/69
Updated: 2023-11-30T22:45:28Z
Author: Shawn Webb

The llvm Cross-DSO CFI implementation depends on mremap, a syscall we currently lack. NetBSD provides an implementation, which we may be able to pull in.

Historically, HardenedBSD maintained syscall compatibility with FreeBSD. We should investigate ways to implement (or emulate) mremap such that we can use it in llvm's Cross-DSO CFI implementation. It would be preferred if we could keep syscall compat with FreeBSD.

Labels: Control-Flow Integrity
Assignee: Shawn Webb

Issue #64: Installer: disable optional distset prompt
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/64
Updated: 2023-03-30T17:17:17Z
Author: Shawn Webb

We don't currently support the optional distsets shown in the installer. Remove the capability to install optional distsets in the installer.

Assignee: Shawn Webb

Issue #61: Bring in secadm
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/61
Updated: 2021-09-13T20:59:35Z
Author: Shawn Webb

Development of secadm should still be done out-of-tree, but we can bring it into base via `git subtree`, similar to what I did with liblattzfs.

Assignee: Shawn Webb

Issue #58: Potentially bad idea: investigate using arc4random(3) for rand(3)
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/58
Updated: 2021-08-21T00:55:42Z
Author: Shawn Webb

I wonder what, if any, issues this may cause. The rand(3) API is meant to produce reproducible output when using the same seed. Using arc4random would break such determinism.

I wonder what ramifications this has in 2021.

Issue #54: Implement Cross-DSO CFI support
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/54
Updated: 2023-11-30T22:43:52Z
Author: Shawn Webb

HardenedBSD currently supports non-Cross-DSO CFI. One major goal for HardenedBSD is to support building all of HardenedBSD with CFI. Meaning, we need to apply CFI to both static/shared libraries and applications.

Labels: Control-Flow Integrity
Assignee: Shawn Webb

Issue #53: Release engineering: Create bittorrent files
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/53
Updated: 2021-10-17T16:47:49Z
Author: Shawn Webb

We could make it easier for the community to mirror and distribute HardenedBSD builds. Using only tools in base, we could create the bittorrent files used for downloading and seeding. There may be some infrastructure needed to provide the initial seed. That is something HardenedBSD could provide, given a set of instructions (in this issue) to build out that infrastructure.

Now that we have replaced 90% of our old build servers with newer ones, we can utilize the decommissioned servers to perform non-build-related tasks. We have three such systems.

Issue #52: Update libexpat in base
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/52
Updated: 2021-05-26T20:30:39Z
Author: Shawn Webb

The version of libexpat in base is 2.2.9. The latest release is 2.4.1. Bring libexpat up-to-date.

Issue #51: vmrun.sh: Reorder devices
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/51
Updated: 2021-05-24T17:17:16Z
Author: Shawn Webb

Booting from DVD is broken due to a conflict with virtual PCI slot 31. We changed LPC to slot 31 since that's what Windows requires. That change conflicts with the DVD booting logic.

Assignee: Shawn Webb

Issue #49: Harden the kenv syscalls
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/49
Updated: 2021-09-21T22:02:05Z
Author: Shawn Webb

The `kenv(2)` syscall currently allows anyone to inspect the kernel environment, regardless of privilege or jail. Since `kenv` can expose potentially sensitive information, we should limit its access to privileged, unjailed accounts.

Issue #48: Resolve cfi-icall violations
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/48
Updated: 2023-11-30T22:45:14Z
Author: Shawn Webb

Many applications violate the cfi-icall scheme. A cursory list, found by grep, is listed below. This bug report should be the master issue, tracking sub-issues to fix each individual application. So this ticket should be broken out for each application (for example: one for md5, another for mount_nfs, another for bhyveload, etc.)
Some of these cannot be fixed until we gain Cross-DSO CFI support. For example, if a function pointer crosses a DSO boundary (dlopen/dlsym).
```
hbsd-current-01[shawn]:/usr/src $ grep -rnF CFI_OVERRIDE .
./sbin/md5/Makefile:7:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./sbin/mount_nfs/Makefile:14:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/rpc.yppasswdd/Makefile:18:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/bhyveload/Makefile:8:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/mountd/Makefile:7:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/pwd_mkdb/Makefile:11:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/blacklistd/Makefile:23:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/rpc.ypupdated/Makefile:11:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/rpc.umntall/Makefile:10:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/rpc.ypxfrd/Makefile:10:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/ppp/Makefile:19:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/unbound/checkconf/Makefile:16:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/rpcbind/Makefile:10:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/services_mkdb/Makefile:10:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/sendmail/Makefile:31:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/rpc.lockd/Makefile:12:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/rpc.statd/Makefile:10:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.bin/rpcgen/Makefile:7:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.bin/showmount/Makefile:7:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.bin/mail/Makefile:15:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.bin/rpcinfo/Makefile:12:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.bin/nc/Makefile:13:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.bin/svn/svn/Makefile:70:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.bin/vi/Makefile:19:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.bin/tsort/Makefile:6:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./kerberos5/usr.sbin/kstash/Makefile:12:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.sbin/iprop-log/Makefile:14:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.sbin/ktutil/Makefile:19:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/hprop/Makefile:19:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/hpropd/Makefile:12:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/kcm/Makefile:20:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/ipropd-slave/Makefile:13:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/kadmind/Makefile:10:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/kdigest/Makefile:13:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/kdc/Makefile:11:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/kpasswdd/Makefile:11:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/digest-service/Makefile:15:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/ipropd-master/Makefile:13:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/kimpersonate/Makefile:11:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/libexec/kfd/Makefile:9:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kdestroy/Makefile:8:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kcc/Makefile:19:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/string2key/Makefile:13:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kadmin/Makefile:27:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kf/Makefile:9:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kpasswd/Makefile:8:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kinit/Makefile:7:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kgetcred/Makefile:8:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/hxtool/Makefile:14:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/verify_krb5_conf/Makefile:9:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/ksu/Makefile:13:CFI_OVERRIDE= -fno-sanitize=cfi-icall
```

Labels: Control-Flow Integrity
Assignee: Loic

Issue #46: Bring in jemalloc sized-delete size-checking patch
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/46
Updated: 2021-05-18T16:24:00Z
Author: Shawn Webb

This hit my radar: https://github.com/jemalloc/jemalloc/commit/eaed1e39be8574b1a59d21824b68e31af378cd0f

Issue #36: Update manual pages
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/36
Updated: 2021-05-23T08:46:25Z
Author: Shawn Webb

The aslr.4 and security.7 manpages need to be updated to reflect recent enhancements in HardenedBSD. Additionally, FreeBSD's ASR and W^X sysctl knobs need to be removed from the security.7 manpage.

Assignee: Loic

Issue #12: jls -s: jls: unknown parameter: hardening.log.log
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/12
Updated: 2023-09-19T00:01:33Z
Author: Shawn Webb

*Created by: esbjerg*

When trying to use jls -s on HBSD-12-stable I get an error instead of the parameters for the jail. The host is a HBSD-12-stable updated with hbsd-update.

```
$ hbsd-update -C
hbsd-v1200060-a6ef4a6485dee920caf21165c8438493b0e6fc56
[+] Remote version: hbsd-v1200060-a6ef4a6485dee920caf21165c8438493b0e6fc56 sha256 cf0596c18cb23d7297810a1f57673c4a5ff42b54b8e78969be8a9f7df1e485d3
root@mika:~ # jls -s
jls: unknown parameter: hardening.log.log
```

What I should see is something like this:

```
$ jls -s -j shell
devfs_ruleset=0 enforce_statfs=2 host=new ip4=disable ip6=disable jid=2 name=shell osreldate=1201000 osrelease=12.1-RELEASE-p8 path=/jails/shell nopersist securelevel=-1 sysvmsg=disable sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.mount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nonullfs allow.mount.noprocfs allow.noquotas allow.noraw_sockets allow.noread_msgbuf allow.reserved_ports allow.noset_hostname allow.nosocket_af allow.nosysvipc children.max=0 host.domainname=/""}"" host.hostid=0 host.hostname=shell host.hostuuid=00000000-0000-0000-0000-000000000000
```

(from a freebsd-12.1p8 host)

Assignee: Shawn Webb

Issue #16: hbsd-update -C confusing output
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/16
Updated: 2023-09-19T00:01:39Z
Author: Shawn Webb

*Created by: esbjerg*
A laptop was installed with HBSD-12 in August 2020. It was updated using hbsd-update on September 11.

On October 14, hbsd-update -C was run and showed

```
hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5
[+] Remote version: hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5
sha256 2a4d26b0e8511ecb13dfd2c6eb53568ac526fe5bc154cb783fb2e947854150c1
```

To me this indicated the OS was patched to the latest. I concluded that by seeing the first line matched the Remote version. /var/db/hbsd-update/version did not exist at this point.

After running hbsd-update, hbsd-update -C showed

```
hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5
[+] Local version: hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5
[+] Remote version: hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5
sha256 2a4d26b0e8511ecb13dfd2c6eb53568ac526fe5bc154cb783fb2e947854150c1
```

So the OS did need to be patched. I guess I could have figured that out by the missing `[+] Local version` line.

However, I think it would be easier to understand if hbsd-update always showed the installed OS version. I know the man page says that it will only show the Local version if /var/db/hbsd-update/version exists.

Example of what I think would be nice output:

```
Installed: hbsd-v1200060-3430f024a93e993d556c84381a4c992eac677f18
Latest: hbsd-v1200060-8249d4479f2af613019627108c25b75fa4ee9ba5
```

Assignees: Shawn Webb, Loic

Issue #23: kld* hardening breaks rc scripts in jailed environments
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/23
Updated: 2024-02-09T01:01:01Z
Author: Shawn Webb

*Created by: marinbernard*
## Context
The HardenedBSD kernel is built with the ``PAX_HARDENING`` flag, which prevents non-root users from using ``kldstat(2)`` to list loaded kernel modules. This restriction also applies to jailed root users.
The rc framework includes a mechanism to ensure a required kernel module is loaded before a service is started. It is implemented with the special variable ``required_modules``, which allows an rc script to supply a list of required kernel modules and have the rc framework load them automatically.
When the ``required_modules`` variable is set, module loading is handled by the ``load_kld()`` function in [/etc/rc.subr](/HardenedBSD/HardenedBSD/src/branch/hardened/current/master/libexec/rc/rc.subr#L1866). This function uses the ``kldstat(8)`` utility, which relies on the ``kldstat(2)`` syscall, to check whether a module needs to be loaded.
## Issue
Since the ``kldstat(8)`` utility relies on the ``kldstat(2)`` syscall to return a list of loaded kernel modules, it becomes unusable in jailed environments because of ``PAX_HARDENING`` restrictions.
As a consequence, the rc framework is unable to load kernel modules in jailed environments, and any rc script defining the ``required_modules`` variable fails to start. This issue affects the following rc scripts in base:
````
$ grep -e "^required_modules" /etc/rc.d/*
/etc/rc.d/automount:required_modules="autofs"
/etc/rc.d/automountd:required_modules="autofs"
/etc/rc.d/bluetooth:required_modules="ng_bluetooth ng_hci ng_l2cap ng_btsocket"
/etc/rc.d/ctld:required_modules="ctl"
/etc/rc.d/geli:required_modules="geom_eli:g_eli"
/etc/rc.d/hastd:required_modules="geom_gate:g_gate"
/etc/rc.d/hcsecd:required_modules="ng_btsocket"
/etc/rc.d/hostapd:required_modules="wlan_xauth wlan_wep wlan_tkip wlan_ccmp"
/etc/rc.d/ipfilter:required_modules="ipl:ipfilter"
/etc/rc.d/ipfw:required_modules="ipfw"
/etc/rc.d/ipfw_netflow:required_modules="ipfw ng_netflow ng_ipfw"
/etc/rc.d/ipnat:required_modules="ipl:ipfilter"
/etc/rc.d/ippool:required_modules="ipl:ipfilter"
/etc/rc.d/ipsec:required_modules="ipsec"
/etc/rc.d/iscsictl:required_modules="iscsi"
/etc/rc.d/iscsid:required_modules="iscsi"
/etc/rc.d/mdconfig:required_modules="geom_md:g_md"
/etc/rc.d/mdconfig2:required_modules="geom_md:g_md"
/etc/rc.d/natd:required_modules="ipdivert"
/etc/rc.d/nfsclient:required_modules="nfscl:nfs"
/etc/rc.d/pf:required_modules="pf"
/etc/rc.d/pfsync:required_modules="pf pfsync"
/etc/rc.d/rfcomm_pppd_server:required_modules="ng_btsocket"
/etc/rc.d/sdpd:required_modules="ng_btsocket"
/etc/rc.d/ugidfw:required_modules="mac_bsdextended"
/etc/rc.d/wpa_supplicant:required_modules="wlan_wep wlan_tkip wlan_ccmp"
/etc/rc.d/zfs:required_modules="zfs"
/etc/rc.d/zfsbe:required_modules="zfs"
/etc/rc.d/zvol:required_modules="zfs"
````
## Proposed resolution
The simplest way to handle this would be to make the rc framework ignore kernel module operations when:
- It runs within a jailed environment, and
- It detects a hardened kernel

This would fix this issue while still allowing rc to operate normally in regular (non-jailed or non-hardened) environments.

Assignee: Shawn Webb

Issue #25: OpenSSL RSA key generation violates CFI
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/25
Updated: 2023-11-30T22:45:00Z
Author: Shawn Webb

In 13-CURRENT/amd64:
```
hbsd-laptop-02[shawn]:/scratch/pki/ca $ openssl genrsa -aes256 -out private/2021-01-02_updates.hardenedbsd.org.key.pem 8192
Generating RSA private key, 8192 bit long modulus (2 primes)
......................................................................................................................................................................................
.........................................................+++
...........................................................................................................................................................................+++
e is 65537 (0x010001)
[1] 88 illegal hardware instruction (core dumped) openssl genrsa -aes256 -out private/2021-01-02_updates.hardenedbsd.org.key.pe
hbsd-laptop-02[shawn]:/scratch/pki/ca (132) $ openssl version
OpenSSL 1.1.1i-freebsd 8 Dec 2020
```

Labels: Control-Flow Integrity
Assignee: Shawn Webb