
Introduce a scary rc.conf(8) knob library_aslr=(YES|NO) to turn off the

reordering of libraries by rc(8). This way machines with very slow disk I/O
have a chance of booting within reasonable time now that libcrypto is also
randomized.
Discussed with various;
input & ok from deraadt ajacoutot
OPENBSD_6_2
tb 7 years ago
parent
commit
658b6fe5a3
3 changed files with 12 additions and 8 deletions
  1. +7
    -4
      src/etc/rc
  2. +2
    -1
      src/etc/rc.conf
  3. +3
    -3
      src/etc/rc.d/rc.subr

+ 7
- 4
src/etc/rc

@ -1,4 +1,4 @@
# $OpenBSD: rc,v 1.497 2017/05/29 10:24:06 florian Exp $
# $OpenBSD: rc,v 1.498 2017/05/30 12:04:26 tb Exp $
# System startup script run by init on autoboot or after single-user. # System startup script run by init on autoboot or after single-user.
# Output and error are redirected to console by init, and the console is the # Output and error are redirected to console by init, and the console is the
@ -158,9 +158,12 @@ make_keys() {
# Re-link libraries, placing the objects in a random order. # Re-link libraries, placing the objects in a random order.
reorder_libs() { reorder_libs() {
local _l _liba _libas _tmpdir _remount=false _error=false
local _dkdev=$(df /usr/lib | sed '1d;s/ .*//')
local _mp=$(mount | grep "^$_dkdev")
local _dkdev _l _liba _libas _mp _tmpdir _remount=false _error=false
[[ $library_aslr == NO ]] && return
_dkdev=$(df /usr/lib | sed '1d;s/ .*//')
_mp=$(mount | grep "^$_dkdev")
# Skip if /usr/lib is on a nfs mounted filesystem. # Skip if /usr/lib is on a nfs mounted filesystem.
[[ $_mp == *' type nfs '* ]] && return [[ $_mp == *' type nfs '* ]] && return
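Review bot: The new early return `[[ $library_aslr == NO ]] && return` in reorder_libs() skips the re-link without printing anything, so a host that boots with the randomization switched off leaves no trace of that on the console. The header of this file says output is redirected to the console, so one message before returning would make the disabled state visible to whoever audits boot output, e.g. `if [[ $library_aslr == NO ]]; then echo 'library_aslr=NO: not reordering libraries'; return; fi`. The comparison is case-sensitive and only the exact value NO disables the step, which fails toward keeping randomization on; a short comment saying so would help, unless the parser normalises values somewhere not shown here. reorder_libs() continues past the end of this hunk.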


+ 2
- 1
src/etc/rc.conf

@ -1,4 +1,4 @@
# $OpenBSD: rc.conf,v 1.215 2017/05/30 08:58:34 florian Exp $
# $OpenBSD: rc.conf,v 1.216 2017/05/30 12:04:26 tb Exp $
# DO NOT EDIT THIS FILE!! # DO NOT EDIT THIS FILE!!
# #
@ -100,6 +100,7 @@ multicast=NO # Reject IPv4 multicast packets by default
# miscellaneous other flags # miscellaneous other flags
amd_master=/etc/amd/master # AMD 'master' map amd_master=/etc/amd/master # AMD 'master' map
library_aslr=YES # set to NO to disable library randomization
savecore_flags= # "-z" to compress savecore_flags= # "-z" to compress
spamd_black=NO # set to YES to run spamd without greylisting spamd_black=NO # set to YES to run spamd without greylisting
shlib_dirs= # extra directories for ldconfig, separated shlib_dirs= # extra directories for ldconfig, separated
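Review bot: The comment on `library_aslr=YES` says "library randomization", which together with the knob's name reads as if NO switched off address-space layout randomization as a whole. Judging by the rc hunk in this commit, the knob only makes reorder_libs() return early, i.e. it skips the boot-time re-link that places library objects in a random order. I would word the line as `library_aslr=YES # set to NO to skip boot-time random re-linking of libraries`, and, if there is room, say that NO is meant only for hosts with very slow disk I/O.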


+ 3
- 3
src/etc/rc.d/rc.subr

@ -1,4 +1,4 @@
# $OpenBSD: rc.subr,v 1.124 2017/05/28 18:51:27 ajacoutot Exp $
# $OpenBSD: rc.subr,v 1.125 2017/05/30 12:04:26 tb Exp $
# #
# Copyright (c) 2010, 2011, 2014-2017 Antoine Jacoutot <ajacoutot@openbsd.org> # Copyright (c) 2010, 2011, 2014-2017 Antoine Jacoutot <ajacoutot@openbsd.org>
# Copyright (c) 2010, 2011 Ingo Schwarze <schwarze@openbsd.org> # Copyright (c) 2010, 2011 Ingo Schwarze <schwarze@openbsd.org>
@ -139,8 +139,8 @@ _rc_parse_conf() {
typeset -l _key typeset -l _key
local _l _rcfile _val local _l _rcfile _val
set -A _allowed_keys -- \ set -A _allowed_keys -- \
accounting amd_master check_quotas ipsec multicast nfs_server \
pexp pf pkg_scripts shlib_dirs spamd_black
accounting amd_master check_quotas ipsec library_aslr \
multicast nfs_server pexp pf pkg_scripts shlib_dirs spamd_black
[ $# -gt 0 ] || set -- /etc/rc.conf /etc/rc.conf.local [ $# -gt 0 ] || set -- /etc/rc.conf /etc/rc.conf.local
for _rcfile; do for _rcfile; do

