HardenedBSD November 2023 Status Report

Submitted by Shawn Webb on

The focus in November was navigating and closing the purchase of a new home. I worked a little bit on the change to jemalloc that will optionally return NULL for zero-sized allocation requests. I realized that I lack a lot of knowledge on how jemalloc works and I need to fill those gaps fully before landing this feature.

I worked a bit on Cross-DSO CFI, including working in the ports tree. I started toying around a little with applying CFI (via LLVM kCFI) to select kernel modules. Some work needs to happen in the kernel ELF linker to support newer relocation types ld.lld emits when linking with -fsanitize=kcfi.

In src:

  1. The vfs.zfs.bclone_enabled sysctl tunable is set to 0 by default. We hope to re-enable it after a long soak time in FreeBSD.
  2. Generation of OpenSSH RSA host keys is disabled by default.

In ports:

  1. Loic F fixed the lang/gcc11 and lang/gcc12 ports
  2. Shawn Webb fixed the databases/postgresql*-server ports
  3. Shawn Webb fixed dns/void-zones-tools
  4. Shawn Webb added a new port: security/evilginx2

IMPORTANT INFRASTRUCTURE NOTE:

I'm hoping to move the HardenedBSD development/build infrastructure over to the new house as soon as this weekend. Electrical work still needs to happen, but I might have a workaround available until a proper solution is in place.

If the move does not happen this weekend (02-03 Dec 2023), then it will definitely happen the following weekend.

Other projects:

While writing this very status report, I've kicked off another build of hbsdfw. This includes the latest ZFS changes from upstream and more OpenSSL fixes. I'm hoping to have it tested and uploaded this weekend.

Once I have the jemalloc feature sorted out, I plan to resume work on libhijack. I've been letting my brain think about what needs to happen next over the past few months. Implementing an RTLD over the PTrace boundary is a bit more difficult than one might think. :-)

I've also started writing a little HardenedBSD testing framework. This will help us identify and resolve regressions (like the PaX NOEXEC regression I still have yet to fully resolve.)

If you would like to help with HardenedBSD development, but aren't sure where to start, there's this nifty issue board that shows all the bugs, features, and other work we would like help with: https://git.hardenedbsd.org/groups/hardenedbsd/-/boards/11