HardenedBSD August 2024 Status Report

This month was focused on ${LIFE} for me. One of our two dogs, Darth Vader, had a planned surgery that ended up being more intensive than originally anticipated. Just today (03 Sep 2024), he got a good bill of health from the veterinarian. He still can't use our doggy door to the backyard, but is a healthy good boy otherwise. :-)

We launched our first Signal group for the HardenedBSD community.

FreeBSD implemented a mechnism to prohibit local connections to wildcard addresses (like 0.0.0.0 or ::0). With commit 8624aac8cefa38382a1ae3f40b604581bc4cf69f, we now enable the prohibition by default. Commit d2d91bf7ba3eaf7bda029f3004553c6b45b90fe4 causes certain syscalls to have in-kernel dynamic data structures zeroed by default.

FreeBSD recently made changes to the in-kernel heap implementation (see malloc(9)). Those changes are incompatible with our hardening.kmalloc_zero feature. I have not had ample time to address this incompatibility, but hope to soon. As such, users who run 15-CURRENT and have set hardening.kmalloc_zero=1 should temporarily disable the feature prior to upgrading to the 01 Sep 2024 build.

In ports:

  1. net-p2p/heartwood and related ports have been updated to 1.0.0-rc16.
  2. A fix for _FORTIFY_SOURCE support has been pulled in for devel/libudev-devd.
  3. 0x1eef updated hardenedbsd/sourcezap to v1.0.0.
  4. 0x1eef updated hardenedbsd/portzap to v1.0.0.

A new (currently untested) build of hbsdfw has been published and can be found here. As usual, your upgrade steps are:

  1. Backup your config
  2. Reinstall using the new image
  3. Restore your config

Default username: root
Default password: hbsdfw

$ sha256 hbsdfw_installer_vga_14.1-20240831-231050.iso.xz
SHA256 (hbsdfw_installer_vga_14.1-20240831-231050.iso.xz) = 124a1be571bc0b316fd9a070be8ed4c6950c7a40531240e6ade15e7c21598483
$ wc -c hbsdfw_installer_vga_14.1-20240831-231050.iso.xz
 1564133444 hbsdfw_installer_vga_14.1-20240831-231050.iso.xz

To conclude this status report, I would like to thank the community for the continued support of HardenedBSD. All contributions, no matter the form in which they take, are immensely appreciated. Patches, advocacy, funding, or otherwise--it's all important and helpful.\