HardenedBSD April 2022 Status Report

Skip to first unread message

Shawn Webb

May 1, 2022, 9:43:07 AMMay 1
to HardenedBSD Users
Hey all,

Let's get right into it.

In src:

1. Shawn introduced the notion of an "insecure/untrustworthy" kernel
module. Certain kernel modules, like this linux syscall translation
layer commonly called the "linuxulator", may create interesting
attack vectrors. Some modules are old and likely contain
vulnerabilities (old: smbfs, vulnerable: fusefs.) By default,
HardenedBSD prevents loading these kernel modules post-boot (eg,
via rc.conf(5)'s `kld_list`). The list of kernel modules currently
tagged as "insecure" is below at the end of this status report.
2. Loic hardened the default sshd_config. Please reference commit
b7961aade549f05f62d65b0906db495b9423c940 for more information. The
changes that might carry the most impact are:
* MaxSessions 5
* AllowTcpForwarding no
* AllowAgentForwarding no

In ports:

1. Shawn fixed the harfbuzz bug that plagued devel/doxygen (via
pango). Though the errant code was indeed in pango, the harfbuzz
project did not do a thorough job at ensuring the sanity of
arguments passed in to one of its provided APIs (a NULL dereference
bug in harfbuzz, manifest by errant code in pango.)
2. Loic fixed a compiler error in the wine ports.
3. Loic fixed the virtualbox-ose-* ports.

Other projects or items of note:

1. The HardenedBSD Foundation's Ben Welch has been working on a new
static site for us, migrating us away from Drupal. There's a few
things to wrap up, but I suspect on the inside of three months, the
HardenedBSD website will look quite a bit different from what it
looks like today.
2. I (Shawn) am quite far behind on the administrative side of the
HardenedBSD project. I need to do the financials and other
administrative things. I apologize for the delays on the various
administrative tasks.


Kernel modules currently marked as insecure:

1. smbfs
2. accf_http
3. accf_dns
4. linux_common
5. linux/linux64
6. lindebugfs (NOTE: this impacts drm-*-kmod KMS drivers)
7. fusefs

As of this writing, HardenedBSD 14-CURRENT (both amd64 and arm64)
users can overwrite these insecure markings by using hbsdcontrol:

# hbsdcontrol pax disable insecure_kmod /path/to/kernel/module

This is especially useful for drm-*-kmod users. I plan to MFC the
hbsdcontrol integration commit mid-to-late next week (so somewhere
between 05 May and 08 May 2022) after more thorough testing on my
HardenedBSD laptops.

Please note that April 2022 concludes official support for the
12-STABLE branch. Effective 01 May 2022, support for the 12-STABLE
branch must come from the wider HardenedBSD community. On 31 Dec 2022,
the package repo and all build artifacts pertaining to 12-STABLE will
be fully removed.


Shawn Webb
Cofounder / Security Engineer

Reply all
Reply to author
0 new messages