Source-Changes-HG archive
[src/trunk]: src/sys Give 0, 1, 2 for security.pax.mprotect.ptrace and make it ...
details: https://anonhg.NetBSD.org/src/rev/1649afac2941
branches: trunk
changeset: 815559:1649afac2941
user: christos <christos%NetBSD.org@localhost>
date: Wed May 25 20:07:54 2016 +0000
description:
Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1
as documented in sysctl(7):
0 - ptrace does not affect mprotect
1 - (default) mprotect is disabled for processes that start executing from
the debugger (being traced)
2 - mprotect restrictions are relaxed for traced processes
diffstat:
sys/kern/kern_exec.c | 6 +++---
sys/kern/kern_pax.c | 23 +++++++++++++++++++----
sys/sys/pax.h | 5 ++++-
3 files changed, 26 insertions(+), 8 deletions(-)
diffs (114 lines):
diff -r ae14750b2eeb -r 1649afac2941 sys/kern/kern_exec.c
--- a/sys/kern/kern_exec.c Wed May 25 20:00:50 2016 +0000
+++ b/sys/kern/kern_exec.c Wed May 25 20:07:54 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_exec.c,v 1.430 2016/05/22 14:26:09 christos Exp $ */
+/* $NetBSD: kern_exec.c,v 1.431 2016/05/25 20:07:54 christos Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -59,7 +59,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.430 2016/05/22 14:26:09 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.431 2016/05/25 20:07:54 christos Exp $");
#include "opt_exec.h"
#include "opt_execfmt.h"
@@ -1131,7 +1131,7 @@
timers_free(p, TIMERS_POSIX);
/* Set the PaX flags. */
- p->p_pax = epp->ep_pax_flags;
+ pax_set_flags(epp, p);
/*
* Do whatever is necessary to prepare the address space
diff -r ae14750b2eeb -r 1649afac2941 sys/kern/kern_pax.c
--- a/sys/kern/kern_pax.c Wed May 25 20:00:50 2016 +0000
+++ b/sys/kern/kern_pax.c Wed May 25 20:07:54 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_pax.c,v 1.52 2016/05/25 17:43:58 christos Exp $ */
+/* $NetBSD: kern_pax.c,v 1.53 2016/05/25 20:07:54 christos Exp $ */
/*
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.52 2016/05/25 17:43:58 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.53 2016/05/25 20:07:54 christos Exp $");
#include "opt_pax.h"
@@ -117,7 +117,7 @@
#ifdef PAX_MPROTECT
static int pax_mprotect_enabled = 1;
static int pax_mprotect_global = PAX_MPROTECT;
-static int pax_mprotect_ptrace = 0;
+static int pax_mprotect_ptrace = 1;
static bool pax_mprotect_elf_flags_active(uint32_t);
#endif /* PAX_MPROTECT */
#ifdef PAX_MPROTECT_DEBUG
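Review bot: The three meanings of `pax_mprotect_ptrace` appear only in the commit message and sysctl(7); the declaration whose default changes here from 0 to 1 has no comment, and the rest of the patch compares it against bare `0` and `2`. I would add above it `/* 0: ptrace ignored; 1: drop MPROTECT at exec when traced; 2: also relax protections for traced processes */`, or introduce named constants for the three values. The new default also means a process that starts executing under a tracer runs without MPROTECT unless the administrator sets the knob back to 0, which is worth stating in the hardening documentation.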
@@ -355,6 +355,21 @@
}
void
+pax_set_flags(struct exec_package *epp, struct proc *p)
+{
+ p->p_pax = epp->ep_pax_flags;
+
+ if (pax_mprotect_ptrace == 0)
+ return;
+ /*
+ * If we are running under the debugger, turn off MPROTECT so
+ * the debugger can insert/delete breakpoints
+ */
+ if (p->p_slflag & PSL_TRACED)
+ p->p_pax &= ~P_PAX_MPROTECT;
+}
+
+void
pax_setup_elf_flags(struct exec_package *epp, uint32_t elf_flags)
{
uint32_t flags = 0;
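Review bot: `pax_set_flags` reads `pax_mprotect_ptrace` with no `PAX_MPROTECT` guard visible, although that variable is declared only under `#ifdef PAX_MPROTECT` earlier in this file and pax.h declares the function when any of PAX_MPROTECT, PAX_SEGVGUARD or PAX_ASLR is defined. Unless the function already sits inside such a guard (the surrounding lines are outside the hunk), a kernel configured with only ASLR or Segvguard would fail to compile; wrapping everything after the `p->p_pax` assignment in `#ifdef PAX_MPROTECT` … `#endif` avoids that. The flag is also cleared once at exec and nothing in this patch restores it, so if it is intended that the process stays without MPROTECT after the tracer detaches, the comment in the function should say so.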
@@ -454,7 +469,7 @@
flags = l->l_proc->p_pax;
if (!pax_flags_active(flags, P_PAX_MPROTECT))
return 0;
- if (!pax_mprotect_ptrace)
+ if (pax_mprotect_ptrace < 2)
return 0;
return UVM_EXTRACT_PROT_ALL;
}
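Review bot: Values outside 0..2 are accepted silently by both comparisons: `pax_mprotect_ptrace < 2` here makes 3 or higher behave like 2, and the `== 0` test in `pax_set_flags` makes a negative value behave like 1. No range check on the sysctl write is part of this patch, so unless the handler (not visible here) already validates the value, I would reject out-of-range writes there. Alternatively, testing `if (pax_mprotect_ptrace != 2)` at this site makes unknown values fall back to the stricter behaviour. The enclosing function starts outside the hunk.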
diff -r ae14750b2eeb -r 1649afac2941 sys/sys/pax.h
--- a/sys/sys/pax.h Wed May 25 20:00:50 2016 +0000
+++ b/sys/sys/pax.h Wed May 25 20:07:54 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pax.h,v 1.23 2016/05/25 17:43:58 christos Exp $ */
+/* $NetBSD: pax.h,v 1.24 2016/05/25 20:07:54 christos Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
@@ -37,6 +37,7 @@
#define P_PAX_GUARD 0x04 /* Enable Segvguard */
struct lwp;
+struct proc;
struct exec_package;
struct vmspace;
@@ -54,9 +55,11 @@
#if defined(PAX_MPROTECT) || defined(PAX_SEGVGUARD) || defined(PAX_ASLR)
void pax_init(void);
+void pax_set_flags(struct exec_package *, struct proc *);
void pax_setup_elf_flags(struct exec_package *, uint32_t);
#else
# define pax_init()
+# define pax_set_flags(e, p)
# define pax_setup_elf_flags(e, flags) __USE(flags)
#endif
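Review bot: The fallback `# define pax_set_flags(e, p)` expands to nothing, so a kernel built without any PaX option no longer performs the assignment `p->p_pax = epp->ep_pax_flags;` that kern_exec.c used to do unconditionally at exec. If `p_pax` is still read in such kernels, the fallback should keep the copy, for example `# define pax_set_flags(e, p) ((p)->p_pax = (e)->ep_pax_flags)`. Otherwise a one-line comment saying the field is unused without PaX would show the omission is deliberate.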