The following applications need special handling with respect to exploit mitigation features in HardenedBSD. Sample rules these applications, and more, can be found [here](https://github.com/HardenedBSD/secadm-rules).
`hbsdcontrol` is the easiest way to set the flags, which are done per binary.
something like:
```hbsdcontrol pax disable mprotect /usr/local/lib/firefox/firefox```
| Port | Path | Incompatibility |
| ---- | ---- | --------------- |
| www/chromium | /usr/local/share/chromium/chrome | mprotect, pageexec |
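Review bot: the `hbsdcontrol` example disables only `mprotect` on `/usr/local/lib/firefox/firefox`, but Firefox has no row in the visible part of the table, so a reader cannot tell whether that single flag is enough or whether `pageexec` must also be relaxed, as it is for `www/chromium`. Suggest using a binary that the table lists (or adding the Firefox row) and showing one command for each feature in its Incompatibility column. Wording and markup in the same hunk: "Sample rules these applications" is missing "for", "something like:" is a fragment that should become a full sentence introducing the command, and the command is wrapped in triple backticks on one line, so it should be either a fenced block on its own lines or single-backtick inline code. Since each disabled feature removes a mitigation from that binary, it is worth saying that only the features listed for a port should be turned off.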
... | ... | @@ -14,6 +18,7 @@ The following applications need special handling with respect to exploit mitigat |
| editors/libreoffice | /usr/local/lib/libreoffice/program/soffice.bin | mprotect, pageexec |
| grub2-bhyve | | pageexec, mprotect, disable_map32bit |
# Building Applications
Lots of applications will not build very well under all the hardening, but might run OK. HardenedBSD during builds of the ports tree, disables lots of hardening for build purposes.
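Review bot: the `grub2-bhyve` row leaves the Path column empty and gives a bare name where the other rows give a category/port origin such as `editors/libreoffice`, so the entry cannot be applied with the per-binary `hbsdcontrol` command the page describes; add the port origin and the installed binary path. The same row orders its flags `pageexec, mprotect` where the other rows use `mprotect, pageexec`, and `disable_map32bit` is not explained anywhere in the visible text, so a one-line description of it would help. In the Building Applications paragraph, the comma in "HardenedBSD during builds of the ports tree, disables" is misplaced, and "lots of hardening" should name which features the ports build disables, so readers know which mitigations are absent at build time versus at run time.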
... | ... | |