Re: Improving security for pkgsrc

[Pierre Pronchery <khorben%defora.org@localhost>]

			Hi there,

On 07/30/15 08:42, Martin Husemann wrote:
> On Thu, Jul 30, 2015 at 02:04:34AM +0200, Pierre Pronchery wrote:
>> As before, I will welcome your feedback while trying to get this
>> integrated.
> 
> If you want to ever turn this on by default, it needs to be per OS/arch/abi
> tuple. If not on by default, it should probably explicitly bail out if
> the user enables it on targets where it can not work.

This is already what this patch does, in mk/pax.mk:

 19 . if empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-386) || \
 20         empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-x86_64)
 21 PAXCTL?=        /usr/sbin/paxctl
 22 . endif

Or did you mean something else?

If you speak about enabling ASLR globally in NetBSD, this involves the
kernel and base system, not pkgsrc. Therefore it will be a different
debate, taking place on another mailing-list (tech-kern probably). This
change should have no impact on the functionality of the packages
modified by paxctl(8) where supported (NetBSD/amd64 and NetBSD/i386 so
far), except for being marked as not supporting PaX.

In the case of packages setting NOT_PAX_ASLR_SAFE or
NOT_PAX_MPROTECT_SAFE, it can easily be refined per package for each
platform where it is known to run fine. This will happen typically for
Linux, where ASLR is already well supported (grsecurity...), and most
probably for OpenBSD. It can even be set per executable actually.

As I mentioned, I will get in touch with the respective package
maintainers to get these parameters set.

Cheers,
-- 
khorben