HardenedBSD merge requests
Feed: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests
Updated: 2022-10-08T18:20:18Z

Merge request !85: HBSD: Use HTTPS instead of HTTP for repos
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/85
Updated: 2022-10-08T18:20:18Z
Author: Mr. UNIX
Assignee: Loic

Merge request !82: Default to enabling the serial console in addition to the video console in /etc/loader.conf.
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/82
Updated: 2022-09-04T08:50:57Z
Author: Joe apache2

Change default speed to 115200 (as opposed to 9600).
Add an entry for /dev/ttyV0.0 (virtio / Linux KVM) "onifconsole" to enable the serial console out-of-the-box for Linux KVM.
The `comconsole` setting makes the kernel emit messages at boot (and while running).
A slightly less invasive option would be to have ttyV0.0 set to "onifexists" instead (enabling interactive logins, but no console message output).
Relevant reading:
- Handbook section 27.6.3: Setting a Faster Serial Port Speed
- man 8 loader
- FreeBSD D29873 (which adds a Xen-compatible virtual serial console entry)

Merge request !78: HBSD: Update the sysctl from bsdinstall
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/78
Updated: 2022-08-25T04:38:52Z
Author: Loic
Assignee: Loic

```
The sysctl values `security.bsd.see_other_uids`, `security.bsd.see_other_gids`,
`security.bsd.unprivileged_read_msgbuf` and `security.bsd.unprivileged_proc_debug`
are already modified via the PAX_HARDENING option in the kernel.
It is therefore better to remove all the sysctls quoted above because they can be confusing.
Added two new sysctl entries, not enabled by default, that we leave to the user's decision.
Signed-off-by: Loic <loic.f@hardenedbsd.org>
MFC-to: 13-STABLE
```

Merge request !77: HBSD: Add a basic firewall option in bsdinstall
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/77
Updated: 2022-06-17T19:13:13Z
Author: Loic
Assignee: Loic

```
HBSD: Add a basic firewall
Signed-off-by: Loic <loic.f@hardenedbsd.org>
MFC-to: 13-STABLE
```

Merge request !76: HBSD: Harden the RTLD
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/76
Updated: 2022-06-11T20:58:51Z
Author: Shawn Webb
Assignee: Shawn Webb

Add a new sysctl node, hardening.harden_rtld, that will drive the RTLD's
hardening logic. Hardening LD_PRELOAD is a good first step towards a
generalized RTLD hardening approach. LD_PRELOAD is a common code
injection technique.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
MFC-to: 13-STABLE

Merge request !75: HBSD: Introduce Trusted Path Execution (TPE) support
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/75
Updated: 2022-06-10T19:12:33Z
Author: Shawn Webb
Assignee: Shawn Webb

TPE limits the scope of what files can be executed. By default, TPE is
left disabled, but can be enabled via the `hardening.pax.tpe.status`
sysctl tunable.
When enabled, TPE will check the to-be-executed file's parent directory
to determine whether the directory is owned by the caller and is
writable to users/groups other than the owner.
The above logic is only run when:
1. The hardening.pax.tpe.all sysctl tunable is non-zero;
2. The user's primary group is the group specified in the
   hardening.pax.tpe.gid group;
3. When the hardening.pax.tpe.negate sysctl tunable is non-zero, the
   user's primary group is *NOT* the group specified in the
   hardening.pax.tpe.gid group.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
MFC-to: 13-STABLE

Merge request !74: HBSD: Aesthetic change for HARDENEDBSD amd64 kernel configurations
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/74
Updated: 2022-06-04T06:54:08Z
Author: Loic
Assignee: Loic

- HBSD: Aesthetic change for HARDENEDBSD amd64 kernel configurations
Signed-off-by: Loic <loic.f@hardenedbsd.org>

Merge request !73: [13-stable] HBSD: include std.nodebug in HARDENEDBSD-NODEBUG
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/73
Updated: 2022-05-30T16:21:25Z
Author: Loic
Assignee: Loic

HBSD: include std.nodebug in HARDENEDBSD-NODEBUG
Using "std.nodebug" is like adding this to the old configuration file:
nooptions DEBUG_VFS_LOCKS
nooptions IEEE80211_DEBUG
nooptions USB_DEBUG
nooptions HID_DEBUG
nooptions CAMDEBUG
nooptions CAM_DEBUG_FLAGS
Signed-off-by: Loic <loic.f@hardenedbsd.org>
(cherry picked from commit 404d7f9441390997da8fb3e949875fb89d922045)

Merge request !72: HBSD: include std.nodebug in HARDENEDBSD-NODEBUG
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/72
Updated: 2022-05-28T07:21:10Z
Author: Loic
Assignee: Loic

```
Using "std.nodebug" is like adding this to the old configuration file:
nooptions DEBUG_VFS_LOCKS
nooptions IEEE80211_DEBUG
nooptions USB_DEBUG
nooptions HID_DEBUG
nooptions CAMDEBUG
nooptions CAM_DEBUG_FLAGS
Signed-off-by: Loic <loic.f@hardenedbsd.org>
```

Merge request !71: [For 13-stable] HBSD: Get PaX flags with the processes exited on signal
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/71
Updated: 2022-05-23T18:39:22Z
Author: Loic
Assignee: Loic

```
before:
[97] pid 72474 (aqemu), jid 0, uid 0: exited on signal 11
after:
[97] [HBSD INTERNAL] aqemu (jid 0, uid 1001) exited on signal 11
[97] -> pid: 72474 ppid: 29495 p_pax: 0x55a<NOPAGEEXEC,NOMPROTECT,SEGVGUARD,ASLR,SHLIBRANDOM,DISALLOWMAP32BIT>
Signed-off-by: Loic <loic.f@hardenedbsd.org>
MFC-to: 13-STABLE
(cherry picked from commit 989a5f5a3398240fe23e802b4a7499c1b7994a7c)
```

Merge request !70: HBSD: backport the logo for the loader menu
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/70
Updated: 2022-05-20T15:24:10Z
Author: Loic
Assignee: Loic

I had not asked to integrate this in 13-stable, but why? :)
Signed-off-by: Loic <loic.f@hardenedbsd.org>

Merge request !69: HBSD: Update hbsd-update for 13-stable
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/69
Updated: 2022-05-20T12:18:56Z
Author: Loic
Assignee: Loic

- HBSD: Fix the Remote Hash display
- HBSD: improve the debug_print display
- HBSD: improve the help options
- HBSD: exclude /boot/efi with tar
- HBSD: Fix 'find' for the revoked directory
- HBSD: use fetch_update for 'download only'
- HBSD: add 'Download only' option

Merge request !68: HBSD: Update hbsd-update for 12-stable
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/68
Updated: 2022-05-20T12:14:53Z
Author: Loic
Assignee: Loic

1. HBSD: Fix the Remote Hash display
2. HBSD: improve the debug_print display
3. HBSD: improve the help options
4. HBSD: exclude /boot/efi with tar
5. HBSD: Fix 'find' for the revoked directory
6. HBSD: use fetch_update for 'download only'
7. HBSD: add 'Download only' option

Merge request !62: HBSD: Get PaX flags with the processes exited on signal
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/62
Updated: 2022-03-23T17:50:16Z
Author: Loic
Assignee: Loic

```
before:
[97] pid 72474 (aqemu), jid 0, uid 0: exited on signal 11
after:
[97] [HBSD INTERNAL] aqemu (jid 0, uid 1001) exited on signal 11
[97] -> pid: 72474 ppid: 29495 p_pax: 0x55a<NOPAGEEXEC,NOMPROTECT,SEGVGUARD,ASLR,SHLIBRANDOM,DISALLOWMAP32BIT>
Signed-off-by: Loic <loic.f@hardenedbsd.org>
MFC-to: 13-STABLE
```

Merge request !61: HBSD: Use bootverbose for a process started warning
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/61
Updated: 2022-09-07T16:53:55Z
Author: Loic
Assignee: Loic

```
HBSD: Use bootverbose for a process started warning
It is preferable to display this warning only in bootverbose
mode in order not to pollute the logs.
Moreover, this warning appeared too often with python
or disturbed the display of utilities like htop.
Signed-off-by: Loic <loic.f@hardenedbsd.org>
MFC-to: 13-STABLE
```

Merge request !58: HBSD: improve usr.sbin/hbsd-update/hbsd-update
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/58
Updated: 2022-03-18T21:47:06Z
Author: Loic
Assignee: Loic

```
1. HBSD: exclude /boot/efi with tar
2. HBSD: improve the help options
3. HBSD: improve the debug_print display
Signed-off-by: Loic <loic.f@hardenedbsd.org>
MFC-to: 13-STABLE
MFC-to: 12-STABLE
```

Merge request !55: HBSD: adjust the message of bsdconfig
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/55
Updated: 2022-04-09T16:29:06Z
Author: Loic
Assignee: Loic

- HBSD: adjust the message of bsdconfig
Signed-off-by: Loic <loic.f@hardenedbsd.org>

Merge request !41: HBSD: disable coredump files by default
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/41
Updated: 2021-07-08T17:01:15Z
Author: Loic
Assignee: Loic

Disable core dumps by default to avoid slowdowns and information leaks.
If needed, it is always possible to reactivate this with "sysctl kern.coredump=1".
Signed-off-by: Loic <loic.f@hardenedbsd.org>

Merge request !40: HBSD: add 'Download only' option
URL: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/40
Updated: 2021-07-10T18:55:30Z
Author: Loic
Assignee: Loic

Add option '-F' to download the latest update archive.
The option is able to resume an interrupted download.
Fix issue [#57](https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/57) signaled by @shawn.webb.
Signed-off-by: Loic <loic.f@hardenedbsd.org>