From 658b6fe5a3a545d0998b1249ac7ed0c0780f37fa Mon Sep 17 00:00:00 2001 From: tb <> Date: Tue, 30 May 2017 12:04:26 +0000 Subject: [PATCH] Introduce a scary rc.conf(8) knob library_aslr=(YES|NO) to turn off the reordering of libraries by rc(8). This way machines with very slow disk I/O have a chance of booting within reasonable time now that libcrypto is also randomized. Discussed with various; input & ok from deraadt ajacoutot --- src/etc/rc | 11 +++++++---- src/etc/rc.conf | 3 ++- src/etc/rc.d/rc.subr | 6 +++--- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/src/etc/rc b/src/etc/rc index aa75b505..e2ade104 100644 --- a/src/etc/rc +++ b/src/etc/rc @@ -1,4 +1,4 @@ -# $OpenBSD: rc,v 1.497 2017/05/29 10:24:06 florian Exp $ +# $OpenBSD: rc,v 1.498 2017/05/30 12:04:26 tb Exp $ # System startup script run by init on autoboot or after single-user. # Output and error are redirected to console by init, and the console is the @@ -158,9 +158,12 @@ make_keys() { # Re-link libraries, placing the objects in a random order. reorder_libs() { - local _l _liba _libas _tmpdir _remount=false _error=false - local _dkdev=$(df /usr/lib | sed '1d;s/ .*//') - local _mp=$(mount | grep "^$_dkdev") + local _dkdev _l _liba _libas _mp _tmpdir _remount=false _error=false + + [[ $library_aslr == NO ]] && return + + _dkdev=$(df /usr/lib | sed '1d;s/ .*//') + _mp=$(mount | grep "^$_dkdev") # Skip if /usr/lib is on a nfs mounted filesystem. [[ $_mp == *' type nfs '* ]] && return diff --git a/src/etc/rc.conf b/src/etc/rc.conf index c303e364..05146d58 100644 --- a/src/etc/rc.conf +++ b/src/etc/rc.conf @@ -1,4 +1,4 @@ -# $OpenBSD: rc.conf,v 1.215 2017/05/30 08:58:34 florian Exp $ +# $OpenBSD: rc.conf,v 1.216 2017/05/30 12:04:26 tb Exp $ # DO NOT EDIT THIS FILE!! # @@ -100,6 +100,7 @@ multicast=NO # Reject IPv4 multicast packets by default # miscellaneous other flags amd_master=/etc/amd/master # AMD 'master' map +library_aslr=YES # set to NO to disable library randomization savecore_flags= # "-z" to compress spamd_black=NO # set to YES to run spamd without greylisting shlib_dirs= # extra directories for ldconfig, separated diff --git a/src/etc/rc.d/rc.subr b/src/etc/rc.d/rc.subr index 49f9f233..e87f0b4b 100644 --- a/src/etc/rc.d/rc.subr +++ b/src/etc/rc.d/rc.subr @@ -1,4 +1,4 @@ -# $OpenBSD: rc.subr,v 1.124 2017/05/28 18:51:27 ajacoutot Exp $ +# $OpenBSD: rc.subr,v 1.125 2017/05/30 12:04:26 tb Exp $ # # Copyright (c) 2010, 2011, 2014-2017 Antoine Jacoutot # Copyright (c) 2010, 2011 Ingo Schwarze @@ -139,8 +139,8 @@ _rc_parse_conf() { typeset -l _key local _l _rcfile _val set -A _allowed_keys -- \ - accounting amd_master check_quotas ipsec multicast nfs_server \ - pexp pf pkg_scripts shlib_dirs spamd_black + accounting amd_master check_quotas ipsec library_aslr \ + multicast nfs_server pexp pf pkg_scripts shlib_dirs spamd_black [ $# -gt 0 ] || set -- /etc/rc.conf /etc/rc.conf.local for _rcfile; do