Current-Users archive


Re: NetBSD + ASLR



On Tue, 25 Aug 2009 09:53:10 -0700
Michael Litchard <michael%schmong.org@localhost> wrote:

> I'm confused. Is this feature only in the HEAD branch? I installed 5.0.1,
> and I have the man pages. I also have the following in my kernel config
> michael# config -x ./netbsd | grep ASLR
> options         PAX_ASLR=0              # PaX Address Space Layout Randomization
> 
> but I get this from sysctl
> michael# sysctl -a | grep security
> security.curtain = 0
> security.models.bsd44.name = Traditional NetBSD (4.4BSD)
> security.models.bsd44.securelevel = -1
> security.models.bsd44.curtain = 0
> michael#
> see, something is missing. Is it because I'm not using -current?

On a recently tracked netbsd-5, I have the following:

behemoth$ sysctl -a | grep security
security.curtain = 0
security.models.bsd44.name = Traditional NetBSD (4.4BSD)
security.models.bsd44.securelevel = -1
security.models.bsd44.curtain = 0
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 0
security.pax.aslr.enabled = 1
security.pax.aslr.global = 0
security.pax.aslr.mmap_len = 16
security.pax.aslr.stack_len = 12
security.pax.aslr.exec_len = 12

With:
behemoth$ config -x /netbsd | grep PAX
options         PAX_MPROTECT=0          # PaX mprotect(2) restrictions
options         PAX_ASLR=0              # PaX Address Space Layout Randomization

NetBSD behemoth.xisop 5.0_STABLE NetBSD 5.0_STABLE (GENERIC_MM) #4: Thu Aug  6 01:01:17 EDT 2009  root%behemoth.xisop@localhost:/usr/obj/sys/arch/i386/compile/GENERIC_MM i386

I am using both mprotect and aslr, but not globally; they're only
enabled for some services via paxctl(8) (and I am using curtain on some
systems).  If it matters, this is a kernel built without options
MODULAR or LKM...
-- 
Matt
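An added illustration, not part of the thread: Matt's output shows that PAX_ASLR=0 gives security.pax.aslr.enabled = 1 with global = 0, which is why ASLR applies only to programs marked with paxctl(8). The function below applies the documented meaning of those two knobs to a constructed sysctl sample; the marking labels "enabled", "disabled" and "none" are my own names for the per-binary state, not paxctl's flag syntax.

```shell
#!/bin/sh
# Added example, not from the original thread. Decides whether PaX ASLR
# applies to a program from the security.pax.aslr.* sysctls:
#   enabled=0            -> ASLR applied to no program
#   enabled=1, global=1  -> applied to all programs except those marked "disabled"
#   enabled=1, global=0  -> applied only to programs marked "enabled" (via paxctl(8))
# SAMPLE_SYSCTL is a constructed sample in the format sysctl(8) prints;
# on a real NetBSD host you would feed it `sysctl security.pax` instead.

SAMPLE_SYSCTL='security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 0
security.pax.aslr.enabled = 1
security.pax.aslr.global = 0
security.pax.aslr.mmap_len = 16'

# pax_value NAME SYSCTL_TEXT -> prints the value of "security.pax.NAME"
pax_value() {
    printf '%s\n' "$2" | awk -v key="security.pax.$1" '$1 == key { print $3 }'
}

# aslr_effective SYSCTL_TEXT MARK -> prints "on" or "off"
# MARK is the per-binary marking: "enabled", "disabled" or "none"
# (my own labels for what paxctl(8) records in the binary).
aslr_effective() {
    sysctl_text=$1
    mark=$2
    enabled=$(pax_value aslr.enabled "$sysctl_text")
    global=$(pax_value aslr.global "$sysctl_text")
    if [ "$enabled" != 1 ]; then
        echo off                       # support compiled in but switched off
    elif [ "$global" = 1 ]; then
        [ "$mark" = disabled ] && echo off || echo on   # opt-out model
    else
        [ "$mark" = enabled ] && echo on || echo off    # opt-in model
    fi
}

# Matt's configuration: an unmarked daemon gets no ASLR, a marked one does.
aslr_effective "$SAMPLE_SYSCTL" none
aslr_effective "$SAMPLE_SYSCTL" enabled
```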

