Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1
as documented in sysctl(7):
    0 - ptrace does not affect mprotect
    1 - (default) mprotect is disabled for processes that start executing from the debugger (being traced)
    2 - mprotect restrictions are relaxed for traced processes
parent
f1700a0c7a
commit
5763e378f2
@ -1,4 +1,4 @@
/* $NetBSD: kern_exec.c,v 1.430 2016/05/22 14:26:09 christos Exp $ */
/* $NetBSD: kern_exec.c,v 1.431 2016/05/25 20:07:54 christos Exp $ */
/*-
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@ -59,7 +59,7 @@
*/
*/
#include <sys/cdefs.h>
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.430 2016/05/22 14:26:09 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.431 2016/05/25 20:07:54 christos Exp $");
#include "opt_exec.h"
#include "opt_exec.h"
#include "opt_execfmt.h"
#include "opt_execfmt.h"
@ -1131,7 +1131,7 @@ execve_runproc(struct lwp *l, struct execve_data * restrict data,
timers_free(p, TIMERS_POSIX);
timers_free(p, TIMERS_POSIX);
/* Set the PaX flags. */
/* Set the PaX flags. */
p->p_pax = epp->ep_pax_flags;
pax_set_flags(epp, p);
/*
/*
* Do whatever is necessary to prepare the address space
* Do whatever is necessary to prepare the address space
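Review bot: Replacing `p->p_pax = epp->ep_pax_flags;` with `pax_set_flags(epp, p);` drops the assignment entirely on kernels built without any PAX option, because the `#else` branch of pax.h in this commit defines `pax_set_flags(e, p)` as an empty macro, so p_pax is no longer reset at exec and keeps whatever the previous image left in it. That is probably benign today, since nothing appears to set ep_pax_flags in such a kernel, but it ties a field reset that used to be unconditional to the PAX configuration. Keeping the assignment inside the no-op macro, `# define pax_set_flags(e, p) ((p)->p_pax = (e)->ep_pax_flags)`, preserves the old behaviour for every configuration; the same point applies to the pax.h hunk that introduces the macro. execve_runproc's body starts and ends outside this hunk.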
@ -1,4 +1,4 @@
/* $NetBSD: kern_pax.c,v 1.52 2016/05/25 17:43:58 christos Exp $ */
/* $NetBSD: kern_pax.c,v 1.53 2016/05/25 20:07:54 christos Exp $ */
/*
/*
* Copyright (c) 2015 The NetBSD Foundation, Inc.
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@ -57,7 +57,7 @@
*/
*/
#include <sys/cdefs.h>
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.52 2016/05/25 17:43:58 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.53 2016/05/25 20:07:54 christos Exp $");
#include "opt_pax.h"
#include "opt_pax.h"
@ -117,7 +117,7 @@ static bool pax_aslr_elf_flags_active(uint32_t);
#ifdef PAX_MPROTECT
#ifdef PAX_MPROTECT
static int pax_mprotect_enabled = 1;
static int pax_mprotect_enabled = 1;
static int pax_mprotect_global = PAX_MPROTECT;
static int pax_mprotect_global = PAX_MPROTECT;
static int pax_mprotect_ptrace = 0;
static int pax_mprotect_ptrace = 1;
static bool pax_mprotect_elf_flags_active(uint32_t);
static bool pax_mprotect_elf_flags_active(uint32_t);
#endif /* PAX_MPROTECT */
#endif /* PAX_MPROTECT */
#ifdef PAX_MPROTECT_DEBUG
#ifdef PAX_MPROTECT_DEBUG
@ -354,6 +354,21 @@ pax_init(void)
#endif
#endif
}
}
void
pax_set_flags(struct exec_package *epp, struct proc *p)
{
p->p_pax = epp->ep_pax_flags;
if (pax_mprotect_ptrace == 0)
return;
/*
* If we are running under the debugger, turn off MPROTECT so
* the debugger can insert/delete breakpoints
*/
if (p->p_slflag & PSL_TRACED)
p->p_pax &= ~P_PAX_MPROTECT;
}
void
void
pax_setup_elf_flags(struct exec_package *epp, uint32_t elf_flags)
pax_setup_elf_flags(struct exec_package *epp, uint32_t elf_flags)
{
{
@ -454,7 +469,7 @@ pax_mprotect_prot(struct lwp *l)
flags = l->l_proc->p_pax;
flags = l->l_proc->p_pax;
if (!pax_flags_active(flags, P_PAX_MPROTECT))
if (!pax_flags_active(flags, P_PAX_MPROTECT))
return 0;
return 0;
if (!pax_mprotect_ptrace)
if (pax_mprotect_ptrace < 2)
return 0;
return 0;
return UVM_EXTRACT_PROT_ALL;
return UVM_EXTRACT_PROT_ALL;
}
}
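Review bot: The new `pax_set_flags` is defined unconditionally but reads `pax_mprotect_ptrace`, which this file declares only inside the `#ifdef PAX_MPROTECT` block shown at the top of the earlier hunk, so a kernel configured with PAX_ASLR or PAX_SEGVGUARD but without PAX_MPROTECT would not compile unless kern_pax.c is only ever built with PAX_MPROTECT on; wrapping everything after the `p->p_pax = epp->ep_pax_flags;` line in `#ifdef PAX_MPROTECT` … `#endif` removes that dependency. The `p->p_slflag & PSL_TRACED` test is an unlocked read of a process flag; if p_slflag is normally read under the proc lock, a short comment saying why a racy read is acceptable at this point of exec would help the next reader. The `== 0` test here and the `< 2` test in pax_mprotect_prot silently map any value outside 0..2 onto one of the documented modes (negative values behave like 1), so the sysctl node that writes the variable, which is not in this hunk, should reject such values or the variable's declaration should document the clamping.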
@ -1,4 +1,4 @@
/* $NetBSD: pax.h,v 1.23 2016/05/25 17:43:58 christos Exp $ */
/* $NetBSD: pax.h,v 1.24 2016/05/25 20:07:54 christos Exp $ */
/*-
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
@ -37,6 +37,7 @@
#define P_PAX_GUARD 0x04 /* Enable Segvguard */
#define P_PAX_GUARD 0x04 /* Enable Segvguard */
struct lwp;
struct lwp;
struct proc;
struct exec_package;
struct exec_package;
struct vmspace;
struct vmspace;
@ -54,9 +55,11 @@ extern int pax_aslr_debug;
#if defined(PAX_MPROTECT) || defined(PAX_SEGVGUARD) || defined(PAX_ASLR)
#if defined(PAX_MPROTECT) || defined(PAX_SEGVGUARD) || defined(PAX_ASLR)
void pax_init(void);
void pax_init(void);
void pax_set_flags(struct exec_package *, struct proc *);
void pax_setup_elf_flags(struct exec_package *, uint32_t);
void pax_setup_elf_flags(struct exec_package *, uint32_t);
#else
#else
# define pax_init()
# define pax_init()
# define pax_set_flags(e, p)
# define pax_setup_elf_flags(e, flags) __USE(flags)
# define pax_setup_elf_flags(e, flags) __USE(flags)
#endif
#endif