HardenedBSD October 2025 Status Report

Shawn Webb

Nov 1, 2025, 8:11:40 PM
to HardenedBSD Users
Hey all,

This status report covers both September and October 2025. The majority of
September was spent on creating the new 15-STABLE branch
(hardened/15-stable/main) along with the associated bits of infrastructure.

In src:

1. Initial work on supporting pkgbase in the installer. This work is not ready
just yet.
2. We now build elftc-ar and elftc-nm again, regardless of whether LLVM is the
default compiler toolchain.
3. Trusted Path Execution (TPE) now checks permissions for user-owned vnodes.
4. When mapping the stack, we now use VMFS_NO_SPACE rather than VMFS_ANY_SPACE.
No functional change intended.

In ports:

1. net-p2p/heartwood and related were bumped to 1.4.0.
2. net-p2p/heartwood-httpd was bumped to 0.20.0.
3. ports-mgmt/poudriere-hbsd was bumped to 3.4.2_2.
4. We now apply the same hardening flags to www/forgejo and www/forgejo7 as we
do www/gitea.
5. _FORTIFY_SOURCE was disabled for audio/cdparanoia.
6. PIE was disabled for audio/stk.
7. The dependency of lang/gcc11 on lang/gcc12 was removed.
8. LINUX was disabled for x11/nvidia-kmod.

I gave a presentation[1] at BSides Colorado Springs[2] about recent enhancements
to libhijack[3].

I have also started working on better error handling in {,lib}hbsdcontrol. I
plan to work on that and the censorship- and surveillance-resistant mesh network
idea. I would like to have Reticulum deployed in a lab environment.

[1]: https://git.hardenedbsd.org/shawn.webb/presentations/-/blob/master/BSidesCOS/2025/Weird%20Code%20Injection%20Techniques%20on%20FreeBSD%20With%20libhijack.pdf
[2]: https://www.bsidescos.org/
[3]: https://git.hardenedbsd.org/SoldierX/libhijack/

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc