CVS log for src/sys/sys/pax.h

Up to [cvs.NetBSD.org] / src / sys / sys

Request diff between arbitrary revisions

Keyword substitution: kv
Default branch: MAIN

PAGE_SIZE will not evaluate to a vaddr_t expression on all architectures
(e.g. sparc), so cast it to that.

pax(9): Rework header file more coherently to nix some needless #ifs.

Cleans up some of the fallout from PR kern/57711 fixes.

Could do a little more to nix PAX_SEGVGUARD conditionals but maybe
not worth it.

Merge changes from current as of 20200406

Sync with head.

PAX_SEGVGUARD doesn't seem to work properly in testing for me, but at least
make it not cause problems:

- Cover it with exec_lock so the updates are not racy.
- Using fileassoc is silly.  Just hang a pointer off the vnode.

update from HEAD

Sync with HEAD

Sync with HEAD

Extend the mmap(2) interface to allow requesting protections for later
use with mprotect(2), but without enabling them immediately.

Extend the mremap(2) interface to allow duplicating mappings, i.e.
create a second range of virtual addresses references the same physical
pages. Duplicated mappings can have different effective protections.

Adjust PAX mprotect logic to disallow effective protections of W&X, but
allow one mapping W and another X protections. This obsoletes using
temporary files for purposes like JIT.

Adjust PAX logic for mmap(2) and mprotect(2) to fail if W&X is requested
and not silently drop the X protection.

Improve test cases to ensure correct operation of the changed
interfaces.

Sync with HEAD

vsize_t is not always u_long :-)

Sync with HEAD

Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1
as documented in sysctl(7):
0 - ptrace does not affect mprotect
1 - (default) mprotect is disabled for processes that start executing from
    the debugger (being traced)
2 - mprotect restrictions are relaxed for traced processes

Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass
mprotect settings so that debuggers can write to the text segment of traced
processes so that they can insert breakpoints. Turned off by default.
Ok: chuq (for now)

randomize the location of the rtld.

reduce #ifdef mess caused by PaX

Move all the randomization inside kern_pax.c so we can control it directly.
Add debugging flags to be able to set the random number externally.

Sync with HEAD

Add PAX_MPROTECT_DEBUG

Let PaX ASLR know about the current emulation

This effectively fixes PaX ASLR with 32-bits emulation on 64-bits
platforms. Without this knowledge, the offset applied for 32-bits
programs was really meant for a 64-bits address space - thus
shifting the address up to 12 bits, with a success rate of about
1/4096. This offset is calculated once in the lifetime of the
process, which therefore behaved normally when able to start.

Fixes kern/50469, probably also kern/50986

Tested on NetBSD/amd64 (emul_netbsd32)

Allow enabling and disabling PaX ASLR debug

Sync with HEAD (as of 26th Dec)

Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two
months ago, but no one reviewed it - probably because it's not a trivial
change.

This change fixes the following bug: when loading a PaX'ed binary, the
kernel updates the PaX flag of the calling process before it makes sure
the new process is actually launched. If the kernel fails to launch the
new process, it does not restore the PaX flag of the calling process,
leaving it in an inconsistent state.

Actually, simply restoring it would be horrible as well, since in the
meantime another thread may have used the flag.

The solution is therefore: modify all the functions used by PaX so that
they take as argument the exec package instead of the lwp, and set the PaX
flag in the process *right before* launching the new process - it cannot
fail in the meantime.

Sync with HEAD

Remove pax_adjust() (does not exist).

Some changes, to reduce a bit my tech-kern@ patch:
 - move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h
 - add a generic pax_flags_active() function
 - fix a comment in exec_elf.c; interp is not static
 - KNF for return
 - rename pax_aslr() to pax_aslr_mmap()
 - rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()

Small changes:
 - rename pax_aslr_init() to pax_aslr_init_vm()
 - remove the PAX_ flags (unused)
 - fix a comment in pax.h

Revamp PaX:
 - don't confuse between ELF flags and proc flags. Introduce the proc-
   specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags.
 - introduce pax_setup_elf_flags(), which takes as argument the PaX flag
   of the ELF PaX note section, and which sets the proc flag as
   appropriate. Also introduce a couple of other functions used for that
   purpose.
 - modify pax_aslr_active(), and all the other similar pieces of code, so
   that it checks the proc flag directly, without extra ELF computation

In addition to making PaX clearer, the combination of these changes fixes
the following bug: if a non-PaX'ed process is launched, and then someone
sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes
PaX'ed while its address space hasn't been randomized, which is not likely
to be a good idea.

Now, only the proc flag is checked at runtime, which means the process's
PaX status won't be altered during the execution.

Also:
 - declare PAX_DPRINTF, makes it more readable
 - fix a typo in exec_elf.h

Sync with HEAD.

sync with head

sync with HEAD

Sync with HEAD

PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h.
Export randomized bits # for stack and exec base too via sysctl.

okay christos@.

Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]

For regular (non PIE) executables randomization is enabled for:
    1. The data segment
    2. The stack

For PIE executables(*) randomization is enabled for:
    1. The program itself
    2. All shared libraries
    3. The data segment
    4. The stack

(*) To generate a PIE executable:
    - compile everything with -fPIC
    - link with -shared-libgcc -Wl,-pie

This feature is experimental, and might change. To use selectively add
    options PAX_ASLR=0
in your kernel.

Currently we are using 12 bits for the stack, program, and data segment and
16 or 24 bits for mmap, depending on __LP64__.

sync with head.

Sync w/ NetBSD-4-RC_1

Sync with head.

Sync with head.

Pull up following revision(s) (requested by christos in ticket #755):
	sys/sys/pax.h: revision 1.9
	sys/sys/exec_elf.h: revision 1.90
	usr.sbin/paxctl/paxctl.c: revision 1.2
	sys/kern/kern_pax.c: revision 1.16
	sys/sys/exec.h: revision 1.117
	sys/kern/exec_elf32.c: revision 1.124
	libexec/ld.elf_so/sysident.h: revision 1.14
Use an elf note to handle pax arguments. This is a temporary solution to
avoid wasting OS flag bits. In the future we'll probably use fileassoc to
achieve this (once there is a way to make fileassoc persistent) or in the
shorter term libelf, so that we can add and remove the note on demand instead
of burning bits on each binary. Of course since this is a tool, this means
that we'll need to think about how to handle libelf...

Use an elf note to handle pax arguments. This is a temporary solution to
avoid wasting OS flag bits. In the future we'll probably use fileassoc to
achieve this (once there is a way to make fileassoc persistent) or in the
shorter term libelf, so that we can add and remove the note on demand instead
of burning bits on each binary. Of course since this is a tool, this means
that we'll need to think about how to handle libelf...

- sync with head.
- move sched_changepri back to kern_synch.c as it doesn't know PPQ anymore.

sync with head.

Replace the Mach-derived boolean_t type with the C99 bool type.  A
future commit will replace use of TRUE and FALSE with true and false.

Sync with head.

Remove advertising clause from all of my stuff.

sync with head.

- remove the fileassoc "tabledata" functionality.  use mountspecific instead.
- make pax_segvguard_cb static.

tested and ok'ed by elad.

sync with head.

Initial implementation of PaX Segvguard (this is still work-in-progress,
it's just to get it out of my local tree).

Make PaX MPROTECT use specificdata(9), freeing up two P_* flags.
While here, make more generic for upcoming PaX features.

Sync with head.

sync with head

- include uvm_extern.h for vm_prot_t.
- add a forward decl of struct lwp.

sync with head

sync with head.

Sync with head.

Sync with head.

Merge 2006-05-24 NetBSD-current into the "peter-altq" branch.

sync with head.

file pax.h was added on branch rpaulo-netinet-merge-pcb on 2006-09-09 02:59:42 +0000

file pax.h was added on branch yamt-lazymbuf on 2006-06-21 15:12:03 +0000

file pax.h was added on branch simonb-timecounters on 2006-06-01 22:39:26 +0000

file pax.h was added on branch peter-altq on 2006-05-24 15:50:47 +0000

file pax.h was added on branch yamt-pdpolicy on 2006-05-24 10:59:21 +0000

Better implementation of PaX MPROTECT, after looking some more into the
code and not trying to use temporary solutions.

Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX
author for being quick to recognize that something fishy's going on. :)

Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().

Next time I suggest to commit a temporary solution just revoke my
commit bit.

Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

	http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

	http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.