Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1

as documented in sysctl(7): 0 - ptrace does not affect mprotect 1 - (default) mprotect is disabled for processes that start executing from the debugger (being traced) 2 - mprotect restrictions are relaxed for traced processes
2016-05-25 20:07:54 +00:00 · 2016-05-25 20:07:54 +00:00 · 5763e378f2
parent f1700a0c7a
commit 5763e378f2
3 changed files with 26 additions and 8 deletions
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@ -1,4 +1,4 @@
-/*	$NetBSD: kern_exec.c,v 1.430 2016/05/22 14:26:09 christos Exp $	*/
+/*	$NetBSD: kern_exec.c,v 1.431 2016/05/25 20:07:54 christos Exp $	*/
 /*-
 * Copyright (c) 2008 The NetBSD Foundation, Inc.
@ -59,7 +59,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.430 2016/05/22 14:26:09 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.431 2016/05/25 20:07:54 christos Exp $");
 #include "opt_exec.h"
 #include "opt_execfmt.h"
@ -1131,7 +1131,7 @@ execve_runproc(struct lwp *l, struct execve_data * restrict data,
 	timers_free(p, TIMERS_POSIX);
 	/* Set the PaX flags. */
-	p->p_pax = epp->ep_pax_flags;
+	pax_set_flags(epp, p);
 	/*
 	 * Do whatever is necessary to prepare the address space
--- a/sys/kern/kern_pax.c
+++ b/sys/kern/kern_pax.c
@ -1,4 +1,4 @@
-/*	$NetBSD: kern_pax.c,v 1.52 2016/05/25 17:43:58 christos Exp $	*/
+/*	$NetBSD: kern_pax.c,v 1.53 2016/05/25 20:07:54 christos Exp $	*/
 /*
 * Copyright (c) 2015 The NetBSD Foundation, Inc.
@ -57,7 +57,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.52 2016/05/25 17:43:58 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.53 2016/05/25 20:07:54 christos Exp $");
 #include "opt_pax.h"
@ -117,7 +117,7 @@ static bool pax_aslr_elf_flags_active(uint32_t);
 #ifdef PAX_MPROTECT
 static int pax_mprotect_enabled = 1;
 static int pax_mprotect_global = PAX_MPROTECT;
-static int pax_mprotect_ptrace = 0;
+static int pax_mprotect_ptrace = 1;
 static bool pax_mprotect_elf_flags_active(uint32_t);
 #endif /* PAX_MPROTECT */
 #ifdef PAX_MPROTECT_DEBUG
@ -354,6 +354,21 @@ pax_init(void)
 #endif
 }
 void
 pax_set_flags(struct exec_package *epp, struct proc *p)
 {
 	p->p_pax = epp->ep_pax_flags;
 	if (pax_mprotect_ptrace == 0)
 		return;
 	/*
         * If we are running under the debugger, turn off MPROTECT so
 	 * the debugger can insert/delete breakpoints
 	 */
 	if (p->p_slflag & PSL_TRACED)
 		p->p_pax &= ~P_PAX_MPROTECT;
 }
 void
 pax_setup_elf_flags(struct exec_package *epp, uint32_t elf_flags)
 {
@ -454,7 +469,7 @@ pax_mprotect_prot(struct lwp *l)
 	flags = l->l_proc->p_pax;
 	if (!pax_flags_active(flags, P_PAX_MPROTECT))
 		return 0;
-	if (!pax_mprotect_ptrace)
+	if (pax_mprotect_ptrace < 2)
 		return 0;
 	return UVM_EXTRACT_PROT_ALL;
 }
--- a/sys/sys/pax.h
+++ b/sys/sys/pax.h
@ -1,4 +1,4 @@
-/* $NetBSD: pax.h,v 1.23 2016/05/25 17:43:58 christos Exp $ */
+/* $NetBSD: pax.h,v 1.24 2016/05/25 20:07:54 christos Exp $ */
 /*-
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
@ -37,6 +37,7 @@
 #define P_PAX_GUARD	0x04	/* Enable Segvguard */
 struct lwp;
 struct proc;
 struct exec_package;
 struct vmspace;
@ -54,9 +55,11 @@ extern int pax_aslr_debug;
 #if defined(PAX_MPROTECT) || defined(PAX_SEGVGUARD) || defined(PAX_ASLR)
 void pax_init(void);
 void pax_set_flags(struct exec_package *, struct proc *);
 void pax_setup_elf_flags(struct exec_package *, uint32_t);
 #else
 # define pax_init()
 # define pax_set_flags(e, p)
 # define pax_setup_elf_flags(e, flags) __USE(flags)
 #endif