HardenedBSD January 2024 Status Report

Shawn Webb

Jan 31, 2024, 10:18:37 PM
to HardenedBSD Users
Hey all,

Happy new year! January saw a few changes in the src repository:

1. Update some internal netlink(4) functions to use an unsigned integer for
buffer size.
2. The NETLINK option is now effectively required by our upstream FreeBSD. I
would encourage the community to study its code for potential issues.
3. The sysctl knobs vm.objects and vm.swap_objects are now only made available
to privileged unjailed processes.
4. A new sysctl node is introduced that disables new USB device connections:
hardening.pax.prohibit_new_usb. Possible values to set it to:
* 0: disabled
* 1: enabled
* 2: enabled without possibility to disable without incurring a reboot
It would be cool to see a new option: 3, enforce a USB device allowlist. I
would like to delegate that to anyone who wants to volunteer to do that work.
:-)

In ports:

1. An unneeded patch for dns/c-ares was removed now that the port has been
updated by upstream
2. Fix build of devel/ivykis
3. Bump default llvm ports version to 17

In the infrastructure:

As detailed in this below-linked announcement[1], HardenedBSD will slow its
OS/update build cadence from bi-weekly to monthly.

The issue plaguing `git clone https://...` of src or ports has been resolved!
Major thanks to h3artbl33d[2] for helping resolve this issue.

[1]: https://hardenedbsd.org/article/shawn-webb/2024-01-17/change-build-cadence
[2]: https://exquisite.social/@h3artbl33d

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
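As an added example (not code from the report or from the HardenedBSD project), a small POSIX sh helper that validates a change of hardening.pax.prohibit_new_usb before applying it, since mode 2 cannot be lowered again until the next reboot. It assumes the knob name and the values 0, 1 and 2 exactly as listed in the report, and that `sysctl -n` is available; the decision logic is kept free of sysctl calls so it can be tested on any host.

```shell
#!/bin/sh
# Added example, not from the status report. Assumption: the knob is named
# hardening.pax.prohibit_new_usb and accepts 0 (disabled), 1 (enabled) and
# 2 (enabled, cannot be disabled without a reboot), as described above.

KNOB=hardening.pax.prohibit_new_usb

# Pure decision logic: prints "ok", "noop", "locked" or "invalid" for a
# requested transition from the current value to the wanted value.
# Returns non-zero when the transition must not be attempted.
usb_mode_transition() {
    cur=$1
    want=$2
    case $want in
        0|1|2) ;;
        *) echo invalid; return 1 ;;
    esac
    if [ "$cur" = "$want" ]; then
        echo noop; return 0
    fi
    if [ "$cur" = 2 ]; then
        # Mode 2 is sticky: only a reboot clears it, so a sysctl call
        # would fail (or silently not take effect) and should be refused.
        echo locked; return 1
    fi
    echo ok
}

# Read the current value; prints nothing if the knob is absent on this host.
usb_mode_current() {
    sysctl -n "$KNOB" 2>/dev/null
}

# Apply a new mode only when the transition is permitted.
usb_mode_set() {
    want=$1
    cur=$(usb_mode_current)
    if [ -z "$cur" ]; then
        echo "$KNOB is not present on this kernel" >&2
        return 1
    fi
    result=$(usb_mode_transition "$cur" "$want") || {
        echo "refusing: $KNOB=$cur -> $want ($result)" >&2
        return 1
    }
    [ "$result" = noop ] && return 0
    sysctl "$KNOB=$want"
}
```

Whether the value can also be persisted across reboots through /etc/sysctl.conf is an assumption not confirmed by the report.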