Sunday 7 September 2014

HardenedBSD, SEGVGUARD and other friends

Hi folks,

More about HardenedBSD, which is starting small but smoothly: we got an article on Phoronix recently, which is quite nice to be honest, as that website is more for Linux topics. Also, I have had little, but usually positive, feedback when I talk about it ...

Also, the SEGVGUARD branch was recently well updated (this feature is meant to prevent attacks that rely on malicious use of segmentation faults).

For my part, after a long night coding MAC extended support for my PTRACE hardening branch (which allows disabling/enabling hardening on a particular executable, for example, with the new ptracehdflags ...), I also applied DragonFlyBSD's patch that takes care of the SYSRET privilege escalation issue (Matt Dillon is a really hard worker ...). I am now responsible for the whole "ptrace" topic; next I'll implement finer-grained control over this.

All of these features provide this new sysctl tree:

security.pax.aslr.*
security.pax.segvguard.*
security.ptrace.hardening.*

But there is a good chance it'll change soon to something more consistent ...

Small update:

Now the sysctl tree is under the root hardening OID just created by Oliver:

hardening.pax.aslr.*
hardening.pax.segvguard.*
hardening.ptrace.*

Also, I just added some logging for the case where the ptrace call is not authorised.
