HardenedBSD issues (https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues), updated 2022-12-03T18:05:27Z

Issue #77: IPFW not loading
Ulas SAYGIN, 2022-12-03T18:05:27Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/77

When I want to load ipfw with the `service ipfw onestart` command, it gives the error below and the logs.
Has HardenedBSD deleted ipfw from the base system? I didn't compile a custom kernel. Everything is normal.
```
# service ipfw onestart
kldload: an error occurred while loading module ipfw. Please check dmesg(8) for more details.
/etc/rc.d/ipfw: WARNING: Unable to load kernel module ipfw
```
Logs:
```
Mar 13 06:48:02 root[81563]: /etc/rc.d/ipfw: WARNING: Unable to load kernel module ipfw
Mar 13 06:48:02 kernel: [53100] KLD ipfw.ko: depends on kernel - not available or version mismatch
Mar 13 06:48:02 kernel: [53100] linker_load_file: /boot/kernel/ipfw.ko - unsupported file type
```

Issue #76: [SOLVED] ghci cannot start
Mr. UNIX, 2022-03-12T12:03:06Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/76

I have this problem with the Haskell interpreter (GHCi): when I start it, it crashes immediately and I get this:
```
~ | ghci
GHCi, version 8.10.7: https://www.haskell.org/ghc/ :? for help
ghc: internal error: setExecutable: failed to protect 0x0x2928c5f0000
(GHC version 8.10.7 for x86_64_portbld_freebsd)
Please report this as a GHC bug: https://www.haskell.org/ghc/reportabug
zsh: abort (core dumped) ghci
~ |
```

Issue #75: dbopen(3): Develop mechanism for cfi-icall-safe function pointer calls
Shawn Webb, 2023-11-30T22:43:41Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/75

The `dbopen(3)` API (and ABI) presents issues with the cfi-icall scheme. Function pointers are stuffed into a structure whereby the function pointers usually point to functions in libc. This presents a problem since we don't support Cross-DSO CFI, causing the CFI checks to fail on an uninstrumented function pointer address.
```
/* Access method description structure from dbopen(3); dbopen fills
 * every member below with a pointer to a function inside libc. */
typedef struct {
    DBTYPE type;                                    /* underlying db type */
    int (*close)(DB *db);
    int (*del)(const DB *db, const DBT *key, u_int flags);
    int (*fd)(const DB *db);
    int (*get)(const DB *db, const DBT *key, DBT *data, u_int flags);
    int (*put)(const DB *db, DBT *key, const DBT *data, u_int flags);
    int (*sync)(const DB *db, u_int flags);
    int (*seq)(const DB *db, DBT *key, DBT *data, u_int flags);
} DB;
```
The `dbopen(3)` function sets these function pointers to functions within libc. Applications are expected to call these function pointers directly.
We can solve this in one of two ways:
1. Provide wrapper functions in libc that call the function pointers.
2. Provide wrapper functions in `sa(8)` that call the function pointers. These wrapper functions would need to have cfi-icall disabled.

Option 1 is likely the best route to go. Ideally, applications wouldn't want to access this ABI at all since changes to it (which are unlikely) could cause ripples downstream.

Assignee: Shawn Webb

Issue #74: Booting on PC Engines APU boards broken
Shawn Webb, 2022-04-12T10:01:59Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/74

The bootloader seems to crash almost immediately. The initial spinner stops spinning after displaying the first slash. No further output is seen. I'll upload a screenshot soon.

Issue #73: Reject execve when new argc is zero
Shawn Webb, 2022-10-28T12:21:14Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/73

OpenBSD has this nifty hardening feature whereby they disallow execve when the new executable image has zero arguments. I like that idea. We should make execve return EPERM when the argument count is zero.

Assignee: Shawn Webb

Issue #72: Harden kernel crash dump interface
Shawn Webb, 2022-03-15T10:01:56Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/72

`dumpon -l` works within a jail. We should harden it in similar fashion as the KLD interfaces.

Issue #71: Deorbit Intel SGX support
Shawn Webb, 2022-03-15T16:27:28Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/71

Intel is deprecating SGX support in 11th and 12th gen CPUs. And for good reason.

Assignee: Loic

Issue #70: Implement static PIE support
Shawn Webb, 2022-01-17T20:32:19Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/70

It'd be great if we could randomize the execution base address of static PIE images. Though OpenBSD's static PIE support is somewhat hacky, we could potentially use that as inspiration for our own implementation.

Issue #69: Implement mremap
Shawn Webb, 2023-11-30T22:45:28Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/69

The llvm Cross-DSO CFI implementation depends on mremap, a syscall we currently lack. NetBSD provides an implementation, which we may be able to pull in.
Historically, HardenedBSD maintained syscall compatibility with FreeBSD. We should investigate ways to implement (or emulate) mremap such that we can use it in llvm's Cross-DSO CFI implementation. It would be preferred if we could keep syscall compat with FreeBSD.

Labels: Control-Flow Integrity
Assignee: Shawn Webb

Issue #68: /etc/motd is not updated at boot
Carlos Lopez, 2021-12-03T13:52:27Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/68

Good morning,
/etc/motd is not updated at boot under HardenedBSD 13-STABLE.
Running `sh -x /etc/rc.d/motd start` returns:
```
+ [ start '!=' start ]
+ [ -n update_motd -a start '!=' rcvar -a start '!=' stop -a start '!=' delete -a start '!=' enable -a start '!=' describe ]
+ checkyesno update_motd
+ eval '_value=$update_motd'
+ _value=YES
+ debug 'checkyesno: update_motd is set to YES.'
+ return 0
+ [ start '=' start -a -z '' -a -n '' ]
+ eval '_cmd=$start_cmd' '_precmd=$start_precmd' '_postcmd=$start_postcmd'
+ _cmd=motd_start _precmd='' _postcmd=''
+ [ -n motd_start ]
+ [ -n '' ]
+ _run_rc_precmd
+ check_required_before start
+ local _f
+ return 0
+ [ -n '' ]
+ check_required_after start
+ local _f _args
+ return 0
+ return 0
+ _run_rc_doit 'motd_start '
+ debug 'run_rc_command: doit: motd_start '
+ eval 'motd_start '
+ motd_start
+ check_startmsgs
+ [ -n '' ]
+ return 0
+ echo -n 'Updating motd:'
Updating motd:+ [ ! -f /etc/motd.template ]
+ mktemp -t motd
+ T=/tmp/motd.CgZi7Rlv
+ uname -v
+ sed -e 's,^\([^#]*\) #\(.* [1-2][0-9][0-9][0-9]\).*/\([^\]*\) $,\1 (\3) #\2,'
+ awk '{if (NR == 1) {if ($1 == "FreeBSD" || $1 == "HardenedBSD") {next} else {print "\n"$0}} else {print}}'
eval: cannot open /etc/motd: No such file or directory
+ install -C -o root -g wheel -m 644 /tmp/motd.CgZi7Rlv /var/run/motd
+ rm -f /tmp/motd.CgZi7Rlv
+ check_startmsgs
+ [ -n '' ]
+ return 0
+ echo .
.
+ _return=0
+ [ 0 -ne 0 ]
+ return 0
+ _run_rc_postcmd
+ [ -n '' ]
+ return 0
+ return 0
```

Assignee: Loic

Issue #67: Hbsd update kernel update.
Maxime Guillemin, 2021-10-03T20:07:33Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/67

I think Jenkins (or I) built the wrong kernel; I applied it by running `hbsd-update install`.
Old:
![IMG_20210928_005142](/uploads/16fa7e2d160840b959916c1549785407/IMG_20210928_005142.jpg)
New:
![IMG_20210928_010920](/uploads/3238f30eefd1829037d948893b423566/IMG_20210928_010920.jpg)

Issue #66: Address WITH_LLVM_BINUTILS fallout
Shawn Webb, 2023-03-29T18:59:41Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/66

With commit 8da1f6e996c50106ee646dd4180616bb658c8eb9, we switched to using a full compiler toolchain for not only base, but ports. We see some issues with llvm-objcopy in [this](http://ci-08.md.hardenedbsd.org/build.html?mastername=hardenedbsd-current_amd64-local&build=2021-09-13_14h34m33s) package build.
This issue is to track fixing those issues. My initial plan is to study llvm-objcopy, looking for the specific errors output in the build log of a few failing ports. [This](http://ci-08.md.hardenedbsd.org/data/hardenedbsd-current_amd64-local/2021-09-13_14h34m33s/logs/errors/perl5-5.32.1_1.log) is a good example of a port broken by llvm-objcopy.

Assignee: Shawn Webb

Issue #65: Malloc_domainset_aligned
Maxime Guillemin, 2021-12-08T05:02:11Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/65

I encountered a problem with the installation of HardenedBSD on my machine.
After selecting "boot multiuser" I get a panic:
```
panic : malloc_domainset_aligned : align 0x8000 (size0xc00) too large.
Cpuid =0
Time =1
```
My conf:
Intel Core 2 Quad CPU Q9300
8 GB DDR2 RAM
Asus P5K Premium motherboard
1 TB HDD
250 GB SSD
Installation is good on the FreeBSD amd64 image.
Really frustrating 😉

Assignee: Loic

Issue #64: Installer: disable optional distset prompt
Shawn Webb, 2023-03-30T17:17:17Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/64

We don't currently support the optional distsets shown in the installer. Remove the capability to install optional distsets in the installer.

Assignee: Shawn Webb

Issue #63: Connection to git.hardenedbsd.org
Maxime Guillemin, 2021-09-12T00:04:31Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/63

I am not able to connect from Firefox installed on HardenedBSD.
I succeeded on my mobile phone, same network or not.
EDIT: My bad, the timezone wasn't set on my PC.

Issue #62: Thunderbird segfault
Maxime Guillemin, 2021-09-10T16:09:28Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/62

Hi,
Thunderbird segfaults until you disable mprotect with hbsdcontrol.

Assignee: Shawn Webb

Issue #61: Bring in secadm
Shawn Webb, 2021-09-13T20:59:35Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/61

Development of secadm should still be done out-of-tree, but we can bring it into base via `git subtree`, similar to what I did with liblattzfs.

Assignee: Shawn Webb

Issue #60: Bring in liblattzfs
Shawn Webb, 2021-10-01T18:04:09Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/60

shawn.webb/liblattzfs is a little shim around libzfs to make it easy for out-of-tree applications to make use of ZFS (hbsdmon is my use case). For now, liblattzfs only supports getting the status of a ZFS pool, but that's all we need.

Assignee: Shawn Webb

Issue #59: [13-stable amd64] pkg fails to update the HardenedBSD repository
h3artbl33d, 2021-08-16T15:39:42Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/59

Installed a fresh VM with 13-stable (amd64); upon bootstrapping `pkg`, it errors with the following lines:
```
# pkg update
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkgs.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:13:amd64, please wait...
Verifying signature with trusted certificate pkg.hardenedbsd.org.2014-09-04... done
Installing pkg-1.17.1...
Extracting pkg-1.17.1: 100%
Updating HardenedBSD repository catalogue...
Fetching meta.conf: 100% 163 B 0.2kB/s 00:01
Fetching packagesite.pkg: 100% 6 MiB 2.2MB/s 00:03
pkg: No signature found
Unable to update repository HardenedBSD
Error updating repositories!
```
I am not familiar with the `pkg` internals; how are the signatures distributed?

Assignee: Shawn Webb

Issue #58: Potentially bad idea: investigate using arc4random(3) for rand(3)
Shawn Webb, 2021-08-21T00:55:42Z, https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/58

I wonder what, if any, issues this may cause. The rand(3) API is meant to produce reproducible output when using the same seed. Using arc4random would break such determinism. I wonder what ramifications this has in 2021.