[src/trunk]: src/sys Remove compat_linux from the autoload list, and add a sy...
details: https://anonhg.NetBSD.org/src/rev/abd5dbadb15e
branches: trunk
changeset: 356490:abd5dbadb15e
user: maxv <maxv%NetBSD.org@localhost>
date: Fri Sep 29 17:08:00 2017 +0000
description:
Remove compat_linux from the autoload list, and add a sysctl to enable or
disable it - which defaults to disabled. The following command is now
required to use linux binaries:
sysctl -w emul.linux.enabled=1
After a discussion on tech-kern@. All the other ideas to reduce the attack
surface have drawbacks, and this sysctl seems to be the best option.
diffstat:
sys/compat/linux/common/linux_mod.c | 57 +++++++++++++++++++++++++--------
sys/compat/linux/common/linux_sysctl.c | 13 ++++++-
sys/compat/linux/common/linux_sysctl.h | 4 +-
sys/kern/kern_exec.c | 5 +-
4 files changed, 59 insertions(+), 20 deletions(-)
diffs (186 lines):
diff -r 346c7f35e6b1 -r abd5dbadb15e sys/compat/linux/common/linux_mod.c
--- a/sys/compat/linux/common/linux_mod.c Fri Sep 29 14:59:43 2017 +0000
+++ b/sys/compat/linux/common/linux_mod.c Fri Sep 29 17:08:00 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: linux_mod.c,v 1.6 2015/12/03 02:51:01 pgoyette Exp $ */
+/* $NetBSD: linux_mod.c,v 1.7 2017/09/29 17:08:00 maxv Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux_mod.c,v 1.6 2015/12/03 02:51:01 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_mod.c,v 1.7 2017/09/29 17:08:00 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_execfmt.h"
@@ -44,6 +44,7 @@
#include <sys/module.h>
#include <sys/exec.h>
#include <sys/signalvar.h>
+#include <sys/sysctl.h>
#include <compat/linux/common/linux_sysctl.h>
#include <compat/linux/common/linux_futex.h>
@@ -118,6 +119,38 @@
#endif
};
+int linux_enabled = 0;
+
+int
+linux_sysctl_enable(SYSCTLFN_ARGS)
+{
+ struct sysctlnode node;
+ int error, val;
+
+ val = *(int *)rnode->sysctl_data;
+
+ node = *rnode;
+ node.sysctl_data = &val;
+
+ error = sysctl_lookup(SYSCTLFN_CALL(&node));
+ if (error != 0 || newp == NULL)
+ return error;
+
+ if (val == 1) {
+ error = exec_add(linux_execsw, __arraycount(linux_execsw));
+ } else if (val == 0) {
+ error = exec_remove(linux_execsw, __arraycount(linux_execsw));
+ } else {
+ error = EINVAL;
+ }
+ if (error)
+ return error;
+
+ *(int *)rnode->sysctl_data = val;
+
+ return 0;
+}
+
static int
compat_linux_modcmd(modcmd_t cmd, void *arg)
{
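Review bot: linux_sysctl_enable does not compare the requested value with the current state before acting, so writing 1 when the emulation is already enabled calls exec_add() a second time and writing 0 when it is already disabled calls exec_remove() on entries that were never registered; what those calls return for a duplicate or missing entry is not visible here, but both cases should be a no-op rather than depend on it. A short-circuit after the sysctl_lookup check, `if (val == *(int *)rnode->sysctl_data) return 0;`, keeps the exec switch and the flag in step. The handler also has no serialization of its own, so two concurrent writers can both observe 0 and both reach exec_add(); if sysctl_lookup's caller does not already serialize handlers, a local mutex around the exec_add/exec_remove and the store is warranted — verify against the sysctl locking before adding one. A header comment saying that this flag gates registration of linux_execsw, not just a passive boolean, would help the next reader. compat_linux_modcmd begins at the end of this hunk and its body continues outside it.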
@@ -125,22 +158,18 @@
switch (cmd) {
case MODULE_CMD_INIT:
+ linux_enabled = 0;
linux_futex_init();
linux_sysctl_init();
- error = exec_add(linux_execsw,
- __arraycount(linux_execsw));
- if (error != 0)
- linux_sysctl_fini();
- return error;
+ return 0;
case MODULE_CMD_FINI:
- error = exec_remove(linux_execsw,
- __arraycount(linux_execsw));
- if (error == 0) {
- linux_sysctl_fini();
- linux_futex_fini();
- }
- return error;
+ error = exec_remove(linux_execsw, __arraycount(linux_execsw));
+ if (error)
+ return error;
+ linux_sysctl_fini();
+ linux_futex_fini();
+ return 0;
default:
return ENOTTY;
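Review bot: MODULE_CMD_FINI now calls exec_remove() unconditionally, but after this change exec_add() is only reached from linux_sysctl_enable when the sysctl is set to 1, so with the default linux_enabled == 0 the entries were never registered. If exec_remove() reports an error for entries it cannot find (it appears to return ESRCH in that case — verify in kern_exec.c), a module that was loaded but never enabled can no longer be unloaded. Guard the call on the flag: `if (linux_enabled) { error = exec_remove(linux_execsw, __arraycount(linux_execsw)); if (error) return error; }`. The `linux_enabled = 0` store in MODULE_CMD_INIT duplicates the static initializer and is harmless, though a comment saying the emulation starts disabled by design would make the intent explicit. The enclosing switch and compat_linux_modcmd continue past the end of the hunk.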
diff -r 346c7f35e6b1 -r abd5dbadb15e sys/compat/linux/common/linux_sysctl.c
--- a/sys/compat/linux/common/linux_sysctl.c Fri Sep 29 14:59:43 2017 +0000
+++ b/sys/compat/linux/common/linux_sysctl.c Fri Sep 29 17:08:00 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: linux_sysctl.c,v 1.43 2014/05/16 12:22:32 martin Exp $ */
+/* $NetBSD: linux_sysctl.c,v 1.44 2017/09/29 17:08:00 maxv Exp $ */
/*-
* Copyright (c) 2003, 2008 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux_sysctl.c,v 1.43 2014/05/16 12:22:32 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_sysctl.c,v 1.44 2017/09/29 17:08:00 maxv Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -70,6 +70,7 @@
static struct sysctllog *linux_clog1;
static struct sysctllog *linux_clog2;
+extern int linux_enabled;
void
linux_sysctl_fini(void)
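Review bot: The `extern int linux_enabled;` declaration is placed locally in linux_sysctl.c rather than in linux_sysctl.h, where this commit already adds the linux_sysctl_enable prototype, so the compiler never checks the declaration against the definition in linux_mod.c and a later type change in one file would go unnoticed in the other. Move it to the header beside that prototype, `extern int linux_enabled;`, and drop the copy here. linux_sysctl_fini's body continues beyond this hunk.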
@@ -112,6 +113,7 @@
SYSCTL_DESCR("Linux emulation settings"),
NULL, 0, NULL, 0,
CTL_EMUL, EMUL_LINUX, CTL_EOL);
+
sysctl_createv(&linux_clog2, 0, NULL, NULL,
CTLFLAG_PERMANENT,
CTLTYPE_NODE, "kern",
@@ -140,6 +142,13 @@
CTL_EMUL, EMUL_LINUX, EMUL_LINUX_KERN,
EMUL_LINUX_KERN_VERSION, CTL_EOL);
+ sysctl_createv(&linux_clog2, 0, NULL, NULL,
+ CTLFLAG_READWRITE,
+ CTLTYPE_INT, "enabled",
+ SYSCTL_DESCR("Linux compat enabled."),
+ linux_sysctl_enable, 0, &linux_enabled, 0,
+ CTL_EMUL, EMUL_LINUX, CTL_CREATE, CTL_EOL);
+
linux_sysctl_root.sysctl_flags &= ~CTLFLAG_READWRITE;
}
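Review bot: The return value of the sysctl_createv() call that registers the `enabled` node is discarded, consistent with the surrounding calls, but this node is now the only way to turn the emulation on; if its creation fails the module stays loaded with no way to enable it and no diagnostic. Capturing the result and reporting it, `if (error != 0) printf("linux: cannot create emul.linux.enabled sysctl: %d\n", error);`, costs little and makes the failure visible. The description "Linux compat enabled." also reads as a status readout; something like `SYSCTL_DESCR("Enable Linux binary compatibility (0 or 1)")` tells the administrator it is a switch that takes effect immediately. linux_sysctl_init begins before this hunk.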
diff -r 346c7f35e6b1 -r abd5dbadb15e sys/compat/linux/common/linux_sysctl.h
--- a/sys/compat/linux/common/linux_sysctl.h Fri Sep 29 14:59:43 2017 +0000
+++ b/sys/compat/linux/common/linux_sysctl.h Fri Sep 29 17:08:00 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: linux_sysctl.h,v 1.5 2008/11/19 18:36:04 ad Exp $ */
+/* $NetBSD: linux_sysctl.h,v 1.6 2017/09/29 17:08:00 maxv Exp $ */
/*-
* Copyright (c) 2002 The NetBSD Foundation, Inc.
@@ -469,4 +469,6 @@
void linux_sysctl_init(void);
void linux_sysctl_fini(void);
+int linux_sysctl_enable(SYSCTLFN_PROTO);
+
#endif /* !_LINUX_SYSCTL_H */
diff -r 346c7f35e6b1 -r abd5dbadb15e sys/kern/kern_exec.c
--- a/sys/kern/kern_exec.c Fri Sep 29 14:59:43 2017 +0000
+++ b/sys/kern/kern_exec.c Fri Sep 29 17:08:00 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_exec.c,v 1.444 2017/08/08 16:57:32 maxv Exp $ */
+/* $NetBSD: kern_exec.c,v 1.445 2017/09/29 17:08:00 maxv Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -59,7 +59,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.444 2017/08/08 16:57:32 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.445 2017/09/29 17:08:00 maxv Exp $");
#include "opt_exec.h"
#include "opt_execfmt.h"
@@ -578,7 +578,6 @@
"exec_coff",
"exec_ecoff",
"compat_aoutm68k",
- "compat_linux",
"compat_linux32",
"compat_netbsd32",
"compat_sunos",