[MERGED INTO 16.7.7] Base PIE

[franco]

Hi all,

We have a new CFT ready for you now. We are looking for feedback for these three issues below:

(a) Shawn has added Position Independent Executable flags to the FreeBSD 10.3 base utilities, which means this patch will make good use of ASLR by randomising all the things (pardon the lack of expertise). The main thread for this change is below, having to do with a possible performance impact on i386 installations:

https://forum.opnsense.org/index.php?topic=3101.msg9695#msg9695

(b) We have a working patch for people having trouble with Mutli-WAN setups which ignore the Captive Portal.

(c) We also have a working patch for people having trouble with the transparent proxy which ignores the Captive Portal, too. It is closely related to (b), but a different code path.

The kernel patch for (b) and (c) can be found here:

https://github.com/opnsense/src/commit/83fd8a61b9

A new kernel patch is currently tested, approaching the problem from a different perspective. It should be available next week. Testing Base PIE is still possible and highly appreciated.

To upgrade your installation just run the following:

# opnsense-update -br 16.7.2-pie-route && /usr/local/etc/rc.reboot

and let us know what fix you were looking for and if that solved your issue and/or if new issues appeared.

The patches have gone through a few days of testing and tinkering and are likely targets for an upcoming 16.7.x update pending your approval.


Thanks,
Franco

[lattera]

I updated this morning without a single issue. Here's a screenshot of it working flawlessly for me: https://goo.gl/photos/MjUvMjc2t7D4bZZb7

[franco]

I also saw no problems so we're likely going ahead with this in the next base/kernel update.

Help testing/verifying still welcome!


Cheers,
Franco

[franco]

I'm closing this CFT.