src VS bastille

The OpenBSD project released 7.4 of their OS on 16 Oct 2023 as their 55th release 💫

Well since https://www.openbsd.org/ still says

> Only two remote holes in the default install, in a heck of a long time!

I'm assuming not, but I could always be mistaken.

> building a cat from scratch

> That would be an interesting project.

Here is the source code of the OpenBSD implementation of cat:

> https://github.com/openbsd/src/blob/master/bin/cat/cat.c

and here of the GNU coreutils implementation:

> https://github.com/coreutils/coreutils/blob/master/src/cat.c

Thus: I don't think building a cat from scratch or creating a tutorial about that topic is particularly hard (even though the HN audience would likely be interested in it). :-)

> I don't know how they define `MAX`, but I'm guessing it's a typical "a>b?a:b"

Indeed: https://github.com/openbsd/src/blob/master/sys/sys/param.h#L...

> Then `SYS_kbind` seems to be a signed int.

It's an untyped #define: https://github.com/openbsd/src/blob/master/sys/sys/syscall.h...

I believe your whole analysis is correct, that running an elf file with an openbsd.syscalls entry with .sysno > INT_MAX will allow an out-of-bounds write.

I can reproduce it. And this is the commit that causes the issue: https://github.com/openbsd/src/commit/d21788ce70be80e9c4ed0c52c149e01147c4a823

This doesn’t really change your conclusion, but I think that’s the wrong file. This is the real doas afaict: https://github.com/openbsd/src/blob/master/usr.bin/doas/doas...

Still just a tidy 1072 lines in that folder though.

I spent 5 minutes staring at your file trying to understand how on earth it does the things in the man page, but of course it doesn’t.

OpenBSD developers are making serious effort to kill off indirect syscalls, the base system is completely clean, take a look at the work Andrew Fresh did to adapt Perl. He write a complete syscall "dispatcher" or emulator for the Perl syscall function so that it calls the libc stubs.

https://github.com/openbsd/src/commit/312e26c80be876012ae979...

The ports tree is also being cleansed of syscall(2) usage, until they're all gone.

msyscall, pinsyscall, recent mandatory IBT/BTI, xonly. OpenBSD is making waves, but people aren't really seeing them yet.

Actually, I got it wrong, too many vulnerabilities in flight. They did fix it: https://github.com/openbsd/src/commit/375ccafb2eb77de6cf240e...

> FreeBSD jails don't have a one-command way to install a preconfigured jail for a specific service

FreeBSD does have that tool, its BastilleBSD: https://bastillebsd.org/

For example, this is the Bastillefile for running consul: https://gitlab.com/bastillebsd-templates/consul/-/blob/maste...

A couple of tools which are both working on jail management & packaging

- bastille https://bastillebsd.org

https://github.com/BastilleBSD/bastille

Bastille also has a sister project 'rocinante' which allows you to use Bastille templates on

Not exactly what you’re looking for, but https://bastillebsd.org is maybe a step towards it?

Obviously, not as popular - but having used both - I much prefer jails myself. It seems that they can run on opnsense too: https://eerielinux.wordpress.com/2017/07/15/building-a-bsd-home-router-pt-8-zfs-and-jails/ - though instead of iocage referenced here - I'd suggest using: https://bastillebsd.org/

Want to get deeper into Jails using Bastille enhancement? You can follow this latest Udemy learning platform course: FreeBSD 13.x — Mastering JAILS. You are welcome to take this adventure.

Take a look at Bastille, it’s a nice way to package/deploy jails somewhat like docker and I’m migrating my older iocage jails to this setup