Make PaX MPROTECT use specificdata(9), freeing up two P_* flags.
While here, make more generic for upcoming PaX features.
This commit is contained in:
elad
parent
cbe2288b0c
commit
156f4ce7bb
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: exec_elf32.c,v 1.117 2006/11/01 10:17:58 yamt Exp $ */
|
||||
/* $NetBSD: exec_elf32.c,v 1.118 2006/11/22 00:41:38 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 1994, 2000, 2005 The NetBSD Foundation, Inc.
|
||||
@ -64,7 +64,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(1, "$NetBSD: exec_elf32.c,v 1.117 2006/11/01 10:17:58 yamt Exp $");
|
||||
__KERNEL_RCSID(1, "$NetBSD: exec_elf32.c,v 1.118 2006/11/22 00:41:38 elad Exp $");
|
||||
|
||||
/* If not included by exec_elf64.c, ELFSIZE won't be defined. */
|
||||
#ifndef ELFSIZE
|
||||
@ -91,7 +91,7 @@ __KERNEL_RCSID(1, "$NetBSD: exec_elf32.c,v 1.117 2006/11/01 10:17:58 yamt Exp $"
|
||||
#include <machine/cpu.h>
|
||||
#include <machine/reg.h>
|
||||
|
||||
#ifdef PAX_MPROTECT
|
||||
#if defined(PAX_MPROTECT)
|
||||
#include <sys/pax.h>
|
||||
#endif /* PAX_MPROTECT */
|
||||
|
||||
@ -532,10 +532,7 @@ elf_load_file(struct lwp *l, struct exec_package *epp, char *path,
|
||||
break;
|
||||
|
||||
case PT_NOTE:
|
||||
#ifdef PAX_MPROTECT
|
||||
pax_mprotect_adjust(l, ph[i].p_flags);
|
||||
break;
|
||||
#endif /* PAX_MPROTECT */
|
||||
|
||||
default:
|
||||
break;
|
||||
@ -693,7 +690,11 @@ exec_elf_makecmds(struct lwp *l, struct exec_package *epp)
|
||||
case PT_INTERP:
|
||||
/* Already did this one. */
|
||||
case PT_DYNAMIC:
|
||||
break;
|
||||
case PT_NOTE:
|
||||
#if defined(PAX_MPROTECT)
|
||||
pax_adjust(l, ph[i].p_flags);
|
||||
#endif /* PAX_MPROTECT */
|
||||
break;
|
||||
|
||||
case PT_PHDR:
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: init_main.c,v 1.280 2006/11/11 02:12:53 christos Exp $ */
|
||||
/* $NetBSD: init_main.c,v 1.281 2006/11/22 00:41:38 elad Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1982, 1986, 1989, 1991, 1992, 1993
|
||||
@ -71,7 +71,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.280 2006/11/11 02:12:53 christos Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.281 2006/11/22 00:41:38 elad Exp $");
|
||||
|
||||
#include "opt_ipsec.h"
|
||||
#include "opt_kcont.h"
|
||||
@ -82,6 +82,7 @@ __KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.280 2006/11/11 02:12:53 christos Exp
|
||||
#include "opt_syscall_debug.h"
|
||||
#include "opt_sysv.h"
|
||||
#include "opt_fileassoc.h"
|
||||
#include "opt_pax.h"
|
||||
|
||||
#include "rnd.h"
|
||||
#include "veriexec.h"
|
||||
@ -155,6 +156,10 @@ __KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.280 2006/11/11 02:12:53 christos Exp
|
||||
#include <sys/fileassoc.h>
|
||||
#endif /* FILEASSOC */
|
||||
|
||||
#if defined(PAX_MPROTECT)
|
||||
#include <sys/pax.h>
|
||||
#endif /* PAX_MPROTECT */
|
||||
|
||||
#include <ufs/ufs/quota.h>
|
||||
|
||||
#include <miscfs/genfs/genfs.h>
|
||||
@ -385,6 +390,10 @@ main(void)
|
||||
veriexec_init_fp_ops();
|
||||
#endif /* NVERIEXEC > 0 */
|
||||
|
||||
#if defined(PAX_MPROTECT)
|
||||
pax_init();
|
||||
#endif /* PAX_MPROTECT */
|
||||
|
||||
/* Attach pseudo-devices. */
|
||||
for (pdev = pdevinit; pdev->pdev_attach != NULL; pdev++)
|
||||
(*pdev->pdev_attach)(pdev->pdev_count);
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: kern_pax.c,v 1.6 2006/11/01 09:36:28 yamt Exp $ */
|
||||
/* $NetBSD: kern_pax.c,v 1.7 2006/11/22 00:41:38 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
|
||||
@ -38,9 +38,17 @@
|
||||
#include <sys/pax.h>
|
||||
#include <sys/sysctl.h>
|
||||
|
||||
#ifdef PAX_MPROTECT
|
||||
static int pax_mprotect_enabled = 1;
|
||||
static int pax_mprotect_global = PAX_MPROTECT;
|
||||
|
||||
specificdata_key_t pax_mprotect_key;
|
||||
#endif /* PAX_MPROTECT */
|
||||
|
||||
/* PaX internal setspecific flags */
|
||||
#define PAX_MPROTECT_EXPLICIT_ENABLE (void *)0x01
|
||||
#define PAX_MPROTECT_EXPLICIT_DISABLE (void *)0x02
|
||||
|
||||
SYSCTL_SETUP(sysctl_security_pax_setup, "sysctl security.pax setup")
|
||||
{
|
||||
const struct sysctlnode *rnode = NULL;
|
||||
@ -58,6 +66,7 @@ SYSCTL_SETUP(sysctl_security_pax_setup, "sysctl security.pax setup")
|
||||
NULL, 0, NULL, 0,
|
||||
CTL_CREATE, CTL_EOL);
|
||||
|
||||
#ifdef PAX_MPROTECT
|
||||
sysctl_createv(clog, 0, &rnode, &rnode,
|
||||
CTLFLAG_PERMANENT,
|
||||
CTLTYPE_NODE, "mprotect",
|
||||
@ -78,26 +87,47 @@ SYSCTL_SETUP(sysctl_security_pax_setup, "sysctl security.pax setup")
|
||||
"all processes."),
|
||||
NULL, 0, &pax_mprotect_global, 0,
|
||||
CTL_CREATE, CTL_EOL);
|
||||
#endif /* PAX_MPROTECT */
|
||||
}
|
||||
|
||||
/*
|
||||
* Initialize PaX.
|
||||
*/
|
||||
void
|
||||
pax_init(void)
|
||||
{
|
||||
#ifdef PAX_MPROTECT
|
||||
proc_specific_key_create(&pax_mprotect_key, NULL);
|
||||
#endif /* PAX_MPROTECT */
|
||||
}
|
||||
|
||||
void
|
||||
pax_mprotect_adjust(struct lwp *l, int f)
|
||||
pax_adjust(struct lwp *l, int f)
|
||||
{
|
||||
if (!pax_mprotect_enabled)
|
||||
return;
|
||||
|
||||
if (f & PF_PAXMPROTECT)
|
||||
l->l_proc->p_flag |= P_PAXMPROTECT;
|
||||
if (f & PF_PAXNOMPROTECT)
|
||||
l->l_proc->p_flag |= P_PAXNOMPROTECT;
|
||||
#ifdef PAX_MPROTECT
|
||||
if (pax_mprotect_enabled) {
|
||||
if (f & PF_PAXMPROTECT)
|
||||
proc_setspecific(l->l_proc, pax_mprotect_key,
|
||||
PAX_MPROTECT_EXPLICIT_ENABLE);
|
||||
if (f & PF_PAXNOMPROTECT)
|
||||
proc_setspecific(l->l_proc, pax_mprotect_key,
|
||||
PAX_MPROTECT_EXPLICIT_DISABLE);
|
||||
}
|
||||
#endif /* PAX_MPROTECT */
|
||||
}
|
||||
|
||||
#ifdef PAX_MPROTECT
|
||||
void
|
||||
pax_mprotect(struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot)
|
||||
{
|
||||
if (!pax_mprotect_enabled ||
|
||||
(pax_mprotect_global && (l->l_proc->p_flag & P_PAXNOMPROTECT)) ||
|
||||
(!pax_mprotect_global && !(l->l_proc->p_flag & P_PAXMPROTECT)))
|
||||
void *t;
|
||||
|
||||
if (!pax_mprotect_enabled)
|
||||
return;
|
||||
|
||||
t = proc_getspecific(l->l_proc, pax_mprotect_key);
|
||||
if ((pax_mprotect_global && t == PAX_MPROTECT_EXPLICIT_DISABLE) ||
|
||||
(!pax_mprotect_global && t != PAX_MPROTECT_EXPLICIT_ENABLE))
|
||||
return;
|
||||
|
||||
if ((*prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) != VM_PROT_EXECUTE) {
|
||||
@ -108,3 +138,4 @@ pax_mprotect(struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot)
|
||||
*maxprot &= ~VM_PROT_WRITE;
|
||||
}
|
||||
}
|
||||
#endif /* PAX_MPROTECT */
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: pax.h,v 1.3 2006/10/12 09:28:05 yamt Exp $ */
|
||||
/* $NetBSD: pax.h,v 1.4 2006/11/22 00:41:38 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
|
||||
@ -37,8 +37,10 @@
|
||||
|
||||
struct lwp;
|
||||
|
||||
void pax_init(void);
|
||||
void pax_adjust(struct lwp *, int);
|
||||
|
||||
void pax_mprotect(struct lwp *, vm_prot_t *, vm_prot_t *);
|
||||
void pax_mprotect_adjust(struct lwp *, int);
|
||||
|
||||
#endif /* !__SYS_PAX_H__ */
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: proc.h,v 1.231 2006/10/23 21:39:18 skrll Exp $ */
|
||||
/* $NetBSD: proc.h,v 1.232 2006/11/22 00:41:38 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 1986, 1989, 1991, 1993
|
||||
@ -325,8 +325,8 @@ struct proc {
|
||||
#define P_STOPEXEC 0x01000000 /* Will be stopped on exec(2) */
|
||||
#define P_STOPEXIT 0x02000000 /* Will be stopped at process exit */
|
||||
#define P_SYSCALL 0x04000000 /* process has PT_SYSCALL enabled */
|
||||
#define P_PAXMPROTECT 0x08000000 /* Explicitly enable PaX MPROTECT */
|
||||
#define P_PAXNOMPROTECT 0x10000000 /* Explicitly disable PaX MPROTECT */
|
||||
#define P_UNUSED3 0x08000000
|
||||
#define P_UNUSED2 0x10000000
|
||||
#define P_CRLOCK 0x20000000 /* p_cred write lock */
|
||||
#define P_UNUSED1 0x40000000
|
||||
#define P_MARKER 0x80000000 /* Is a dummy marker process */
|
||||
|
||||
Loading…
Reference in New Issue
Block a user