Question on current status of performance & security tuning

Alain De Vos

Alain De Vos

Performance:
I disabled gold in the compiler & lto.
When i enable lto &gold, will this significantly improve speed of loading of libraries?, can i expect issues ? Or do i just leave gold & lto disabled ?

Security:
I have set in sysctl.conf:
Code: 
#aslr
kern.elf64.aslr.enable=1
kern.elf32.aslr.enable=1
#aslrpie
kern.elf64.aslr.pie_enable=1
kern.elf32.aslr.pie_enable=1
#non-executable-stack
kern.elf64.nxstack=1
kern.elf32.nxstack=1
#Stackgap
kern.elf64.aslr.stack_gap=0 #Needed for firefox
kern.elf32.aslr.stack_gap=100
#WX
kern.elf64.allow_wx=0
kern.elf32.allow_wx=0
Can i expect issues ?
 
Alain De Vos said:
kern.elf64.allow_wx=0
kern.elf32.allow_wx=0
Click to expand...
Because I'm not sure about those two, I'll ask a follow-up question -- the documentation is rather vague:

Enabling W^X for a process implies that whenever a process uses mmap(2) and mprotect(2), to write and execute on a page, it should get killed. On the other hand, as so far, there's no wxallowed option in the FreeBSD mount(8). The question is whether or not the FreeBSD enforce the W^X accross all mounted filesystems strictly? If so, how do you exempt a filesystem from a mandatory W^X, in order to let an incompatible process pass through, i.e. a process that needs both write and execute access on a page? Because there's no *wxallowed* option, I guess it is not the case, it is not an issue. But I'm not sure. I hope somebody knows how it works and help me on this. Thanks.
 
I had to enable "kern.elf64.allow_wx=1" otherwise the ocaml compiler spits out errors.
It would be interesting to have a list of packages which require it and which don't.
 
Alain De Vos said:
It would be interesting to have a list of packages which require it and which don't.
Click to expand...
W^X is around since who knows, two decades? It prevents mapping of writeable and executable -- in some(?) area of the memory, at the same time. It is not clear to me which part of FreeBSD mapping is W^X enabled, but if enabling W^X causes a program to crash, or system goes to panic -- depend on how the kernel handles the situation, it means the program is violating W^X somewhere, e.g. stack, heap, rodata, bss, or even in ELF header. It's a problem and should reported back to the upstream to fix that. It is not up to the port maintainer to fix it.
 
I think It's the linker problem. You can use the -z execstack option -- which belongs to the ld(1), to link that single program. But it makes the main stack executable, which defeats the whole purpose.
 
You must log in or register to reply here.
Back
Top