Dynamically link these /sbin daemons: dhcpleased, mountd, nfsd, pflogd,

resolvd, slaacd, unwind.
The mitigation story is way better: syscalls are in a randomly located
libc, and every syscall stub is randomly located inside that due to
random relinking.  As opposed to fixed offset inside a release binary.
There is one known consequence: /usr nfs mounting must use statically
configured IP addresses.
ok kettenis florian, others

diff --git a/sbin/dhcpleased/Makefile b/sbin/dhcpleased/Makefile
index 7806992..ee60fee 100644 (file)
--- a/sbin/dhcpleased/Makefile
+++ b/sbin/dhcpleased/Makefile
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.2 2021/07/26 09:26:36 florian Exp $
+#      $OpenBSD: Makefile,v 1.3 2022/08/29 17:00:29 deraadt Exp $
 
 PROG=  dhcpleased
 SRCS=  bpf.c checksum.c control.c dhcpleased.c engine.c frontend.c log.c
@@ -18,3 +18,6 @@ LDADD+=       -levent -lutil
 DPADD+= ${LIBEVENT} ${LIBUTIL}
 
 .include <bsd.prog.mk>
+
+# Don't compile dhcpleased as static binary by default
+LDSTATIC=       

diff --git a/sbin/mountd/Makefile b/sbin/mountd/Makefile
index ced4a78..784ded1 100644 (file)
--- a/sbin/mountd/Makefile
+++ b/sbin/mountd/Makefile
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.4 2015/12/23 21:16:17 tim Exp $
+#      $OpenBSD: Makefile,v 1.5 2022/08/29 17:00:30 deraadt Exp $
 
 PROG=  mountd
 MAN=   exports.5 mountd.8
@@ -7,3 +7,6 @@ LDADD=  -lutil
 DPADD= ${LIBUTIL}
 
 .include <bsd.prog.mk>
+
+# Don't compile mountd as static binary by default
+LDSTATIC=       

diff --git a/sbin/nfsd/Makefile b/sbin/nfsd/Makefile
index 5d5d130..938b002 100644 (file)
--- a/sbin/nfsd/Makefile
+++ b/sbin/nfsd/Makefile
@@ -1,6 +1,9 @@
-#      $OpenBSD: Makefile,v 1.8 2015/10/02 00:47:48 deraadt Exp $
+#      $OpenBSD: Makefile,v 1.9 2022/08/29 17:00:30 deraadt Exp $
 
 PROG=  nfsd
 MAN=   nfsd.8
 
 .include <bsd.prog.mk>
+
+# Don't compile nfsd as static binary by default
+LDSTATIC=       

diff --git a/sbin/pflogd/Makefile b/sbin/pflogd/Makefile
index 826ed0a..6d79f35 100644 (file)
--- a/sbin/pflogd/Makefile
+++ b/sbin/pflogd/Makefile
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.9 2013/06/19 03:51:30 lteo Exp $
+#      $OpenBSD: Makefile,v 1.10 2022/08/29 17:00:30 deraadt Exp $
 
 CFLAGS+=-Wall -Wmissing-prototypes -Wshadow
 
@@ -13,3 +13,6 @@ SRCS= pflogd.c privsep.c privsep_fdpass.c
 MAN=   pflogd.8
 
 .include <bsd.prog.mk>
+
+# Don't compile pflogd as static binary by default
+LDSTATIC=       

diff --git a/sbin/resolvd/Makefile b/sbin/resolvd/Makefile
index 9628105..5ec376f 100644 (file)
--- a/sbin/resolvd/Makefile
+++ b/sbin/resolvd/Makefile
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.1 2021/02/24 18:10:41 florian Exp $
+#      $OpenBSD: Makefile,v 1.2 2022/08/29 17:00:30 deraadt Exp $
 
 PROG=  resolvd
 SRCS=  resolvd.c
@@ -14,3 +14,6 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast-qual
 CFLAGS+= -Wsign-compare
 
 .include <bsd.prog.mk>
+
+# Don't compile resolvd as static binary by default
+LDSTATIC=       

diff --git a/sbin/slaacd/Makefile b/sbin/slaacd/Makefile
index 84fa0be..f158a98 100644 (file)
--- a/sbin/slaacd/Makefile
+++ b/sbin/slaacd/Makefile
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.2 2019/11/07 08:45:31 florian Exp $
+#      $OpenBSD: Makefile,v 1.3 2022/08/29 17:00:30 deraadt Exp $
 
 PROG=  slaacd
 SRCS=  control.c engine.c frontend.c log.c slaacd.c
@@ -17,3 +17,6 @@ LDADD+=       -levent -lutil
 DPADD+= ${LIBEVENT} ${LIBUTIL}
 
 .include <bsd.prog.mk>
+
+# Don't compile slaacd as static binary by default
+LDSTATIC=       

diff --git a/sbin/unwind/Makefile b/sbin/unwind/Makefile
index dab7293..83fc381 100644 (file)
--- a/sbin/unwind/Makefile
+++ b/sbin/unwind/Makefile
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.8 2021/01/24 18:29:15 florian Exp $
+#      $OpenBSD: Makefile,v 1.9 2022/08/29 17:00:30 deraadt Exp $
 
 PROG=  unwind
 SRCS=  control.c resolver.c frontend.c log.c unwind.c parse.y printconf.c
@@ -19,3 +19,6 @@ LDADD+=       -levent -lutil -lssl -lcrypto
 DPADD+= ${LIBEVENT} ${LIBUTIL} ${LIBSSL} ${LIBCRYPTO}
 
 .include <bsd.prog.mk>
+
+# Don't compile unwind as static binary by default
+LDSTATIC=