Hey all,

In an attempt to reduce our diff against FreeBSD in `sys/vm`, I
introduced a slight regression in that our PaX NOEXEC-inspired strict
W^X implementation is a bit too strict. This mostly affects
applications that use a JIT compiler (Firefox, Chrome, NodeJS, etc.),
which will need both PaX PAGEEXEC and PaX MPROTECT disabled for them.

I plan to carve off a good chunk of time this weekend to dive into the
issue and come up with a fix. I'd like to fix this before our next
automated build process starts.

But, hey, being too strict in applying security policy is better than
being too lax. :-)

I'll keep everyone updated. Thanks for the patience and understanding.

Thanks,
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc