version 1.75, 2019/04/13 03:15:36 |
version 1.76, 2019/04/13 03:20:06 |
|
|
|
|
<li>Security improvements: |
<li>Security improvements: |
<ul> |
<ul> |
<li> |
<li><a href="https://man.openbsd.org/unveil.2">unveil(2)</a> has been |
<a href="https://man.openbsd.org/unveil.2">unveil(2)</a> has been |
improved to understand and find covering unveil matches above the |
improved to understand and find covering unveil matches above the |
working directory of the running process for relative path accesses. |
working directory of the running process for relative path accesses. |
As a result many programs now can use unveil in broad ways such as |
As a result many programs now can use unveil in broad ways such as |
unveil("/", "r"); |
unveil("/", "r"); |
<li><a href="https://man.openbsd.org/unveil.2">unveil(2)</a> no longer |
<li> |
silently allows |
<a href="https://man.openbsd.org/unveil.2">unveil(2)</a> no longer |
<a href="https://man.openbsd.org/stat.2">stat(2)</a> and |
silently allows |
<a href="https://man.openbsd.org/access.2">access(2)</a> to work on any |
<a href="https://man.openbsd.org/stat.2">stat(2)</a> and |
unveiled path component. |
<a href="https://man.openbsd.org/access.2">access(2)</a> to work on any |
<li>Now using <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> in |
unveiled path component. |
<a href="https://man.openbsd.org/ospfd">ospfd(8)</a>, |
<li>Now using <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> in |
<a href="https://man.openbsd.org/ospf6d">ospf6d(8)</a>, |
<a href="https://man.openbsd.org/ospfd">ospfd(8)</a>, |
<a href="https://man.openbsd.org/rebound">rebound(8)</a>, |
<a href="https://man.openbsd.org/ospf6d">ospf6d(8)</a>, |
<a href="https://man.openbsd.org/getconf">getconf(1)</a>, |
<a href="https://man.openbsd.org/rebound">rebound(8)</a>, |
<a href="https://man.openbsd.org/kvm_mkdb">kvm_mkdb(8)</a>, |
<a href="https://man.openbsd.org/getconf">getconf(1)</a>, |
<a href="https://man.openbsd.org/bdftopcf">bdftopcf(1)</a>, |
<a href="https://man.openbsd.org/kvm_mkdb">kvm_mkdb(8)</a>, |
<a href="https://man.openbsd.org/Xserver">Xserver(1)</a>, |
<a href="https://man.openbsd.org/bdftopcf">bdftopcf(1)</a>, |
<a href="https://man.openbsd.org/passwd">passwd(1)</a>, |
<a href="https://man.openbsd.org/Xserver">Xserver(1)</a>, |
<a href="https://man.openbsd.org/spamlogd">spamlogd(8)</a>, |
<a href="https://man.openbsd.org/passwd">passwd(1)</a>, |
<a href="https://man.openbsd.org/spamd">spamd(8)</a>, |
<a href="https://man.openbsd.org/spamlogd">spamlogd(8)</a>, |
<a href="https://man.openbsd.org/sensorsd">sensorsd(8)</a>, |
<a href="https://man.openbsd.org/spamd">spamd(8)</a>, |
<a href="https://man.openbsd.org/snmpd">snmpd(8)</a>, |
<a href="https://man.openbsd.org/sensorsd">sensorsd(8)</a>, |
<a href="https://man.openbsd.org/htpasswd">htpasswd(1)</a>, |
<a href="https://man.openbsd.org/snmpd">snmpd(8)</a>, |
<a href="https://man.openbsd.org/ifstated">ifstated(8)</a>. |
<a href="https://man.openbsd.org/htpasswd">htpasswd(1)</a>, |
Some <a href="https://man.openbsd.org/pledge.2">pledge(2)</a> |
<a href="https://man.openbsd.org/ifstated">ifstated(8)</a>. |
changes were required to accommodate unveil. |
Some <a href="https://man.openbsd.org/pledge.2">pledge(2)</a> |
<li>ROP mitigations in <a href="https://man.openbsd.org/clang-local.1">clang(1)</a> |
changes were required to accommodate unveil. |
have been improved, resulting in a significant decrease in the number |
<li>ROP mitigations in <a href="https://man.openbsd.org/clang-local.1">clang(1)</a> |
of polymorphic ROP gadgets in binaries on i386/amd64. |
have been improved, resulting in a significant decrease in the number |
<li>RETGUARD performance and security has been improved in |
of polymorphic ROP gadgets in binaries on i386/amd64. |
<a href="https://man.openbsd.org/clang-local.1">clang(1)</a> |
<li>RETGUARD performance and security has been improved in |
by keeping data on registers instead of on the stack when possible, |
<a href="https://man.openbsd.org/clang-local.1">clang(1)</a> |
and lengthing the epilogue trapsled on amd64 to consume the rest |
by keeping data on registers instead of on the stack when possible, |
of the cache line before the return. |
and lengthing the epilogue trapsled on amd64 to consume the rest |
<li>RETGUARD replaces the stack protector on amd64 and arm64, |
of the cache line before the return. |
since RETGUARD instruments every function that returns and provides |
<li>RETGUARD replaces the stack protector on amd64 and arm64, |
better security properties than the traditional stack protector. |
since RETGUARD instruments every function that returns and provides |
|
better security properties than the traditional stack protector. |
|
</ul> |
</ul> |
<p> |
<p> |
|
|