Module Name: src
Committed By: christos
Date: Thu Apr 7 03:31:12 UTC 2016
Modified Files:
src/sys/kern: exec_subr.c kern_pax.c
src/sys/sys: pax.h
src/sys/uvm: uvm_mmap.c uvm_unix.c
Log Message:
Add PAX_MPROTECT_DEBUG
To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.73 src/sys/kern/exec_subr.c
cvs rdiff -u -r1.37 -r1.38 src/sys/kern/kern_pax.c
cvs rdiff -u -r1.18 -r1.19 src/sys/sys/pax.h
cvs rdiff -u -r1.154 -r1.155 src/sys/uvm/uvm_mmap.c
cvs rdiff -u -r1.45 -r1.46 src/sys/uvm/uvm_unix.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/exec_subr.c
diff -u src/sys/kern/exec_subr.c:1.72 src/sys/kern/exec_subr.c:1.73
--- src/sys/kern/exec_subr.c:1.72 Sat Sep 26 12:12:24 2015
+++ src/sys/kern/exec_subr.c Wed Apr 6 23:31:12 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: exec_subr.c,v 1.72 2015/09/26 16:12:24 maxv Exp $ */
+/* $NetBSD: exec_subr.c,v 1.73 2016/04/07 03:31:12 christos Exp $ */
/*
* Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou
@@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: exec_subr.c,v 1.72 2015/09/26 16:12:24 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: exec_subr.c,v 1.73 2016/04/07 03:31:12 christos Exp $");
#include "opt_pax.h"
@@ -184,9 +184,7 @@ vmcmd_map_pagedvn(struct lwp *l, struct
prot = cmd->ev_prot;
maxprot = UVM_PROT_ALL;
-#ifdef PAX_MPROTECT
- pax_mprotect(l, &prot, &maxprot);
-#endif /* PAX_MPROTECT */
+ PAX_MPROTECT_ADJUST(l, &prot, &maxprot);
/*
* check the file system's opinion about mmapping the file
@@ -266,9 +264,7 @@ vmcmd_readvn(struct lwp *l, struct exec_
prot = cmd->ev_prot;
maxprot = VM_PROT_ALL;
-#ifdef PAX_MPROTECT
- pax_mprotect(l, &prot, &maxprot);
-#endif /* PAX_MPROTECT */
+ PAX_MPROTECT_ADJUST(l, &prot, &maxprot);
#ifdef PMAP_NEED_PROCWR
/*
@@ -326,9 +322,7 @@ vmcmd_map_zero(struct lwp *l, struct exe
prot = cmd->ev_prot;
maxprot = UVM_PROT_ALL;
-#ifdef PAX_MPROTECT
- pax_mprotect(l, &prot, &maxprot);
-#endif /* PAX_MPROTECT */
+ PAX_MPROTECT_ADJUST(l, &prot, &maxprot);
error = uvm_map(&p->p_vmspace->vm_map, &cmd->ev_addr,
round_page(cmd->ev_len), NULL, UVM_UNKNOWN_OFFSET, 0,
Index: src/sys/kern/kern_pax.c
diff -u src/sys/kern/kern_pax.c:1.37 src/sys/kern/kern_pax.c:1.38
--- src/sys/kern/kern_pax.c:1.37 Mon Apr 4 12:47:39 2016
+++ src/sys/kern/kern_pax.c Wed Apr 6 23:31:12 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_pax.c,v 1.37 2016/04/04 16:47:39 christos Exp $ */
+/* $NetBSD: kern_pax.c,v 1.38 2016/04/07 03:31:12 christos Exp $ */
/*
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.37 2016/04/04 16:47:39 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.38 2016/04/07 03:31:12 christos Exp $");
#include "opt_pax.h"
@@ -114,6 +114,9 @@ static int pax_mprotect_enabled = 1;
static int pax_mprotect_global = PAX_MPROTECT;
static bool pax_mprotect_elf_flags_active(uint32_t);
#endif /* PAX_MPROTECT */
+#ifdef PAX_MPROTECT_DEBUG
+int pax_mprotect_debug;
+#endif
#ifdef PAX_SEGVGUARD
#ifndef PAX_SEGVGUARD_EXPIRY
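Review bot: `int pax_mprotect_debug;` in the added block is an external-linkage global with no matching `extern` declaration (the pax.h hunk adds only the prototype and the macro), and it sits just after `#endif /* PAX_MPROTECT */`, outside the block whose sysctl entry and function are its only visible users. Unless another file is meant to read it, make it `static int pax_mprotect_debug;` and move the three-line block inside the PAX_MPROTECT guard, directly before that `#endif`, so a kernel configured with PAX_MPROTECT_DEBUG but not PAX_MPROTECT does not carry a dead knob. If it is meant to be shared, add `extern int pax_mprotect_debug;` next to the existing `extern int pax_aslr_debug;` in pax.h instead.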
@@ -189,6 +192,14 @@ SYSCTL_SETUP(sysctl_security_pax_setup,
"all processes."),
NULL, 0, &pax_mprotect_global, 0,
CTL_CREATE, CTL_EOL);
+#ifdef PAX_MPROTECT_DEBUG
+ sysctl_createv(clog, 0, &rnode, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "debug",
+ SYSCTL_DESCR("print mprotect changes."),
+ NULL, 0, &pax_mprotect_debug, 0,
+ CTL_CREATE, CTL_EOL);
+#endif
#endif /* PAX_MPROTECT */
#ifdef PAX_SEGVGUARD
@@ -354,7 +365,11 @@ pax_mprotect_elf_flags_active(uint32_t f
}
void
-pax_mprotect(struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot)
+pax_mprotect_adjust(
+#ifdef PAX_MPROTECT_DEBUG
+ const char *file, size_t line,
+#endif
+ struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot)
{
uint32_t flags;
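Review bot: The renamed `pax_mprotect_adjust` has no header comment, and with a parameter list that changes under PAX_MPROTECT_DEBUG a reader cannot tell from the signature what `file` and `line` are for or that the macro is the intended entry point. Suggest above `void`: `/* W^X for l's mapping request: strip EXECUTE from *prot/*maxprot, or strip WRITE when the request is execute-only. file/line (PAX_MPROTECT_DEBUG only) name the call site; always invoke via PAX_MPROTECT_ADJUST. */`. The function body continues in the next hunk and past it, so the early-return condition that makes it a no-op is not visible from here.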
@@ -363,18 +378,24 @@ pax_mprotect(struct lwp *l, vm_prot_t *p
return;
if ((*prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) != VM_PROT_EXECUTE) {
-#ifdef DIAGNOSTIC
+#ifdef PAX_MPROTECT_DEBUG
struct proc *p = l->l_proc;
- printf("%s: %d.%d (%s): clearing execute bit\n", __func__,
- p->p_pid, l->l_lid, p->p_comm);
+ if (pax_mprotect_debug) {
+ printf("%s: %s,%zu: %d.%d (%s): -x\n",
+ __func__, file, line,
+ p->p_pid, l->l_lid, p->p_comm);
+ }
#endif
*prot &= ~VM_PROT_EXECUTE;
*maxprot &= ~VM_PROT_EXECUTE;
} else {
-#ifdef DIAGNOSTIC
+#ifdef PAX_MPROTECT_DEBUG
struct proc *p = l->l_proc;
- printf("%s: %d.%d (%s): clearing write bit\n", __func__,
- p->p_pid, l->l_lid, p->p_comm);
+ if (pax_mprotect_debug) {
+ printf("%s: %s,%zu: %d.%d (%s): -w\n",
+ __func__, file, line,
+ p->p_pid, l->l_lid, p->p_comm);
+ }
#endif
*prot &= ~VM_PROT_WRITE;
*maxprot &= ~VM_PROT_WRITE;
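Review bot: The new debug line reports only `-x` or `-w` and fires for every request the check touches — with the visible callers passing maxprot = UVM_PROT_ALL, every non-executable mapping (a plain PROT_READ mmap included) takes the first branch — so once the sysctl is on the console fills with lines that do not say which of `*prot`/`*maxprot` actually changed. Print the values before and after masking in the same line: the format becomes `"%s: %s,%zu: %d.%d (%s): prot %#x->%#x maxprot %#x->%#x\n"` with `*prot, *prot & ~VM_PROT_EXECUTE, *maxprot, *maxprot & ~VM_PROT_EXECUTE` appended to the arguments (WRITE in the else branch), which also makes a line that strips a bit that was already clear self-evidently harmless. The enclosing function starts in the previous hunk and its body continues past this one.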
Index: src/sys/sys/pax.h
diff -u src/sys/sys/pax.h:1.18 src/sys/sys/pax.h:1.19
--- src/sys/sys/pax.h:1.18 Sun Mar 20 10:58:11 2016
+++ src/sys/sys/pax.h Wed Apr 6 23:31:12 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: pax.h,v 1.18 2016/03/20 14:58:11 khorben Exp $ */
+/* $NetBSD: pax.h,v 1.19 2016/04/07 03:31:12 christos Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <[email protected]>
@@ -54,7 +54,22 @@ extern int pax_aslr_debug;
void pax_init(void);
void pax_setup_elf_flags(struct exec_package *, uint32_t);
-void pax_mprotect(struct lwp *, vm_prot_t *, vm_prot_t *);
+void pax_mprotect_adjust(
+#ifdef PAX_MPROTECT_DEBUG
+ const char *, size_t,
+#endif
+ struct lwp *, vm_prot_t *, vm_prot_t *);
+#ifndef PAX_MPROTECT
+# define PAX_MPROTECT_ADJUST(a, b, c)
+#else
+# ifdef PAX_MPROTECT_DEBUG
+# define PAX_MPROTECT_ADJUST(a, b, c) \
+ pax_mprotect_adjust(__FILE__, __LINE__, (a), (b), (c))
+# else
+# define PAX_MPROTECT_ADJUST(a, b, c) \
+ pax_mprotect_adjust((a), (b), (c))
+# endif
+#endif
int pax_segvguard(struct lwp *, struct vnode *, const char *, bool);
#define PAX_ASLR_DELTA(delta, lsb, len) \
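Review bot: The prototype's parameter count now depends on PAX_MPROTECT_DEBUG, so a translation unit that includes pax.h without having included opt_pax.h first sees the three-argument `pax_mprotect_adjust` while kern_pax.c defines the five-argument one, and the compiler cannot diagnose that mismatch across files; the callee would then take the caller's `l` as `file` and read its `prot`/`maxprot` pointers from unset argument slots before writing through them. Unless pax.h already pulls in the option header above this hunk, add near its top `#if defined(_KERNEL_OPT)` / `#include "opt_pax.h"` / `#endif` so the signature is fixed wherever the header is seen. Separately, the `#ifndef PAX_MPROTECT` expansion of `PAX_MPROTECT_ADJUST` drops its arguments entirely; `((void)(a), (void)(b), (void)(c))` would keep them evaluated and referenced so a non-PAX build gets the same unused-variable diagnostics as a PAX build.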
Index: src/sys/uvm/uvm_mmap.c
diff -u src/sys/uvm/uvm_mmap.c:1.154 src/sys/uvm/uvm_mmap.c:1.155
--- src/sys/uvm/uvm_mmap.c:1.154 Thu Nov 26 08:15:34 2015
+++ src/sys/uvm/uvm_mmap.c Wed Apr 6 23:31:12 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: uvm_mmap.c,v 1.154 2015/11/26 13:15:34 martin Exp $ */
+/* $NetBSD: uvm_mmap.c,v 1.155 2016/04/07 03:31:12 christos Exp $ */
/*
* Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -46,7 +46,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_mmap.c,v 1.154 2015/11/26 13:15:34 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_mmap.c,v 1.155 2016/04/07 03:31:12 christos Exp $");
#include "opt_compat_netbsd.h"
#include "opt_pax.h"
@@ -418,9 +418,7 @@ sys_mmap(struct lwp *l, const struct sys
pos = 0;
}
-#ifdef PAX_MPROTECT
- pax_mprotect(l, &prot, &maxprot);
-#endif /* PAX_MPROTECT */
+ PAX_MPROTECT_ADJUST(l, &prot, &maxprot);
#ifdef PAX_ASLR
pax_aslr_mmap(l, &addr, orig_addr, flags);
Index: src/sys/uvm/uvm_unix.c
diff -u src/sys/uvm/uvm_unix.c:1.45 src/sys/uvm/uvm_unix.c:1.46
--- src/sys/uvm/uvm_unix.c:1.45 Fri Sep 5 01:36:49 2014
+++ src/sys/uvm/uvm_unix.c Wed Apr 6 23:31:12 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: uvm_unix.c,v 1.45 2014/09/05 05:36:49 matt Exp $ */
+/* $NetBSD: uvm_unix.c,v 1.46 2016/04/07 03:31:12 christos Exp $ */
/*
* Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -45,7 +45,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_unix.c,v 1.45 2014/09/05 05:36:49 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_unix.c,v 1.46 2016/04/07 03:31:12 christos Exp $");
#include "opt_pax.h"
@@ -103,9 +103,7 @@ sys_obreak(struct lwp *l, const struct s
vm_prot_t prot = UVM_PROT_READ | UVM_PROT_WRITE;
vm_prot_t maxprot = UVM_PROT_ALL;
-#ifdef PAX_MPROTECT
- pax_mprotect(l, &prot, &maxprot);
-#endif /* PAX_MPROTECT */
+ PAX_MPROTECT_ADJUST(l, &prot, &maxprot);
error = uvm_map(&vm->vm_map, &obreak, nbreak - obreak, NULL,
UVM_UNKNOWN_OFFSET, 0,