From 67c6ae01e2046920e542d1cda09237286131eab4 Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 30 May 2017 12:04:26 +0000
Subject: [PATCH] Introduce a scary rc.conf(8) knob library_aslr=(YES|NO) to turn off the reordering of libraries by rc(8). This way machines with very slow disk I/O have a chance of booting within reasonable time now that libcrypto is also randomized. Discussed with various; input & ok from deraadt ajacoutot
---
 etc/rc | 11 +++++++----
 etc/rc.conf | 3 ++-
 etc/rc.d/rc.subr | 6 +++---
 share/man/man8/rc.conf.8 | 6 ++++--
 usr.sbin/rcctl/rcctl.sh | 5 +++--
 5 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/etc/rc b/etc/rc
index aa75b505176..e2ade104ec1 100644
--- a/etc/rc
+++ b/etc/rc
@@ -1,4 +1,4 @@
-# $OpenBSD: rc,v 1.497 2017/05/29 10:24:06 florian Exp $
+# $OpenBSD: rc,v 1.498 2017/05/30 12:04:26 tb Exp $
 # System startup script run by init on autoboot or after single-user.
 # Output and error are redirected to console by init, and the console is the
@@ -158,9 +158,12 @@ make_keys() {
 # Re-link libraries, placing the objects in a random order.
 reorder_libs() {
- local _l _liba _libas _tmpdir _remount=false _error=false
- local _dkdev=$(df /usr/lib | sed '1d;s/ .*//')
- local _mp=$(mount | grep "^$_dkdev")
+ local _dkdev _l _liba _libas _mp _tmpdir _remount=false _error=false
+
+ [[ $library_aslr == NO ]] && return
+
+ _dkdev=$(df /usr/lib | sed '1d;s/ .*//')
+ _mp=$(mount | grep "^$_dkdev")
 # Skip if /usr/lib is on a nfs mounted filesystem.
 [[ $_mp == *' type nfs '* ]] && return
diff --git a/etc/rc.conf b/etc/rc.conf
index c303e364fa4..05146d58a4e 100644
--- a/etc/rc.conf
+++ b/etc/rc.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: rc.conf,v 1.215 2017/05/30 08:58:34 florian Exp $
+# $OpenBSD: rc.conf,v 1.216 2017/05/30 12:04:26 tb Exp $
 # DO NOT EDIT THIS FILE!!
 #
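Review bot: The new `[[ $library_aslr == NO ]] && return` in reorder_libs skips the relink silently, so a machine booting with the ROP mitigation turned off leaves no trace of that on the console or in the boot log. A one-line notice before returning would make the weakened state visible to whoever reads the boot output, e.g. `[[ $library_aslr == NO ]] && { echo 'reordering libraries: disabled (library_aslr=NO).'; return; }`. The test is also an exact match on the literal `NO`, so any other spelling, a typo or an unset variable keeps reordering on — the safe direction, but worth a comment such as `# only the literal NO disables reordering; anything else keeps the default` unless _rc_parse_conf normalises values, which this hunk does not show. The function body continues past the end of the hunk.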
@@ -100,6 +100,7 @@ multicast=NO # Reject IPv4 multicast packets by default
 # miscellaneous other flags
 amd_master=/etc/amd/master # AMD 'master' map
+library_aslr=YES # set to NO to disable library randomization
 savecore_flags= # "-z" to compress
 spamd_black=NO # set to YES to run spamd without greylisting
 shlib_dirs= # extra directories for ldconfig, separated
diff --git a/etc/rc.d/rc.subr b/etc/rc.d/rc.subr
index 49f9f233e6d..e87f0b4b00c 100644
--- a/etc/rc.d/rc.subr
+++ b/etc/rc.d/rc.subr
@@ -1,4 +1,4 @@
-# $OpenBSD: rc.subr,v 1.124 2017/05/28 18:51:27 ajacoutot Exp $
+# $OpenBSD: rc.subr,v 1.125 2017/05/30 12:04:26 tb Exp $
 #
 # Copyright (c) 2010, 2011, 2014-2017 Antoine Jacoutot
 # Copyright (c) 2010, 2011 Ingo Schwarze
@@ -139,8 +139,8 @@ _rc_parse_conf() {
 typeset -l _key
 local _l _rcfile _val
 set -A _allowed_keys -- \
- accounting amd_master check_quotas ipsec multicast nfs_server \
- pexp pf pkg_scripts shlib_dirs spamd_black
+ accounting amd_master check_quotas ipsec library_aslr \
+ multicast nfs_server pexp pf pkg_scripts shlib_dirs spamd_black
 [ $# -gt 0 ] || set -- /etc/rc.conf /etc/rc.conf.local
 for _rcfile; do
diff --git a/share/man/man8/rc.conf.8 b/share/man/man8/rc.conf.8
index af34c8de9e1..5a2df20649a 100644
--- a/share/man/man8/rc.conf.8
+++ b/share/man/man8/rc.conf.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: rc.conf.8,v 1.28 2015/12/05 21:35:46 jmc Exp $
+.\" $OpenBSD: rc.conf.8,v 1.29 2017/05/30 12:04:27 tb Exp $
 .\"
 .\" Copyright (c) 1997 Ian F. Darwin
 .\" Copyright (c) 2014 Ingo Schwarze
@@ -28,7 +28,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 5 2015 $
+.Dd $Mdocdate: May 30 2017 $
 .Dt RC.CONF 8
 .Os
 .Sh NAME
@@ -139,6 +139,8 @@ rc calls:
 rc calls:
 .Xr ipsecctl 8
 .Fl f Pa /etc/ipsec.conf
+.It Cm library_aslr
+rc reorders some libraries for improved protection against ROP.
 .It Cm multicast
 See
 .Xr netstart 8 .
diff --git a/usr.sbin/rcctl/rcctl.sh b/usr.sbin/rcctl/rcctl.sh
index ea64c078f86..61ad76a4987 100644
--- a/usr.sbin/rcctl/rcctl.sh
+++ b/usr.sbin/rcctl/rcctl.sh
@@ -1,6 +1,6 @@
 #!/bin/ksh
 #
-# $OpenBSD: rcctl.sh,v 1.105 2016/09/07 13:13:13 ajacoutot Exp $
+# $OpenBSD: rcctl.sh,v 1.106 2017/05/30 12:04:27 tb Exp $
 #
 # Copyright (c) 2014, 2015 Antoine Jacoutot
 # Copyright (c) 2014 Ingo Schwarze
@@ -17,7 +17,8 @@
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-_special_svcs="accounting check_quotas ipsec multicast pf spamd_black"
+_special_svcs="accounting check_quotas ipsec library_aslr multicast pf
+ spamd_black"
 readonly _special_svcs
 # get local functions from rc.subr(8)
-- 
2.20.1
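Review bot: The wrapped `_special_svcs` assignment now embeds a literal newline plus the continuation line's leading whitespace inside the double-quoted string, where the old single-line value held only space-separated words. That is harmless wherever the variable is expanded unquoted and word-split, but any quoted use (`"${_special_svcs}"` in a pattern match or handed to a command) would see the newline; the callers are outside this hunk, so I cannot confirm how they expand it. Either keep the value on one line, or add `# word list: always expand unquoted so the embedded newline is split away` above it so the constraint is explicit. rc.subr in the same commit wraps the comparable `_allowed_keys` list with `set -A ... \`, which sidesteps the problem by using an array, though switching here would also mean changing every caller to `${_special_svcs[*]}`.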