Module Name:    src
Committed By:   christos
Date:           Wed May 25 20:07:54 UTC 2016

Modified Files:
        src/sys/kern: kern_exec.c kern_pax.c
        src/sys/sys: pax.h

Log Message:
Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1
as documented in sysctl(7):
0 - ptrace does not affect mprotect
1 - (default) mprotect is disabled for processes that start executing from
    the debugger (being traced)
2 - mprotect restrictions are relaxed for traced processes


To generate a diff of this commit:
cvs rdiff -u -r1.430 -r1.431 src/sys/kern/kern_exec.c
cvs rdiff -u -r1.52 -r1.53 src/sys/kern/kern_pax.c
cvs rdiff -u -r1.23 -r1.24 src/sys/sys/pax.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_exec.c
diff -u src/sys/kern/kern_exec.c:1.430 src/sys/kern/kern_exec.c:1.431
--- src/sys/kern/kern_exec.c:1.430	Sun May 22 10:26:09 2016
+++ src/sys/kern/kern_exec.c	Wed May 25 16:07:54 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_exec.c,v 1.430 2016/05/22 14:26:09 christos Exp $	*/
+/*	$NetBSD: kern_exec.c,v 1.431 2016/05/25 20:07:54 christos Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -59,7 +59,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.430 2016/05/22 14:26:09 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.431 2016/05/25 20:07:54 christos Exp $");
 
 #include "opt_exec.h"
 #include "opt_execfmt.h"
@@ -1131,7 +1131,7 @@ execve_runproc(struct lwp *l, struct exe
 	timers_free(p, TIMERS_POSIX);
 
 	/* Set the PaX flags. */
-	p->p_pax = epp->ep_pax_flags;
+	pax_set_flags(epp, p);
 
 	/*
 	 * Do whatever is necessary to prepare the address space
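Review bot: In a kernel built without any PAX option, the new call `pax_set_flags(epp, p)` expands to the empty macro added in the pax.h hunk (`# define pax_set_flags(e, p)`), so the assignment `p->p_pax = epp->ep_pax_flags` that this line replaces no longer happens at exec and `p_pax` keeps whatever value the process already carried instead of the package's flags. That is probably benign if nothing else writes `p_pax` in such a configuration, but it is a silent behavioural difference between PAX and non-PAX builds that the old code did not have. Defining the fallback as `# define pax_set_flags(e, p) ((p)->p_pax = (e)->ep_pax_flags)` keeps both builds equivalent. execve_runproc begins and ends outside this hunk.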

Index: src/sys/kern/kern_pax.c
diff -u src/sys/kern/kern_pax.c:1.52 src/sys/kern/kern_pax.c:1.53
--- src/sys/kern/kern_pax.c:1.52	Wed May 25 13:43:58 2016
+++ src/sys/kern/kern_pax.c	Wed May 25 16:07:54 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_pax.c,v 1.52 2016/05/25 17:43:58 christos Exp $	*/
+/*	$NetBSD: kern_pax.c,v 1.53 2016/05/25 20:07:54 christos Exp $	*/
 
 /*
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.52 2016/05/25 17:43:58 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.53 2016/05/25 20:07:54 christos Exp $");
 
 #include "opt_pax.h"
 
@@ -117,7 +117,7 @@ static bool pax_aslr_elf_flags_active(ui
 #ifdef PAX_MPROTECT
 static int pax_mprotect_enabled = 1;
 static int pax_mprotect_global = PAX_MPROTECT;
-static int pax_mprotect_ptrace = 0;
+static int pax_mprotect_ptrace = 1;
 static bool pax_mprotect_elf_flags_active(uint32_t);
 #endif /* PAX_MPROTECT */
 #ifdef PAX_MPROTECT_DEBUG
@@ -355,6 +355,21 @@ pax_init(void)
 }
 
 void
+pax_set_flags(struct exec_package *epp, struct proc *p)
+{
+	p->p_pax = epp->ep_pax_flags;
+
+	if (pax_mprotect_ptrace == 0)
+		return;
+	/*
+         * If we are running under the debugger, turn off MPROTECT so
+ 	 * the debugger can insert/delete breakpoints
+	 */
+	if (p->p_slflag & PSL_TRACED)
+		p->p_pax &= ~P_PAX_MPROTECT;
+}
+
+void
 pax_setup_elf_flags(struct exec_package *epp, uint32_t elf_flags)
 {
 	uint32_t flags = 0;
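Review bot: The new pax_set_flags reads `pax_mprotect_ptrace` and clears `P_PAX_MPROTECT`, but the earlier hunk in this file declares `pax_mprotect_ptrace` only under `#ifdef PAX_MPROTECT`, while pax.h prototypes pax_set_flags whenever any of PAX_MPROTECT, PAX_SEGVGUARD or PAX_ASLR is defined; unless the function sits inside an `#ifdef PAX_MPROTECT` not visible here, a kernel with ASLR or Segvguard but without MPROTECT would not compile. Keeping `p->p_pax = epp->ep_pax_flags;` unconditional and wrapping everything after it in `#ifdef PAX_MPROTECT` … `#endif` avoids that. The comment block also mixes a run of spaces and a space-plus-tab prefix on its continuation lines; indent them with a single tab like the surrounding code. A header comment stating what the sysctl values mean would help readers who do not have sysctl(7) at hand, e.g. `/* Copy the exec package's PaX flags to the process. With security.pax.mprotect.ptrace != 0, drop MPROTECT for a process that is already being traced when it starts executing. */`.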
@@ -454,7 +469,7 @@ pax_mprotect_prot(struct lwp *l)
 	flags = l->l_proc->p_pax;
 	if (!pax_flags_active(flags, P_PAX_MPROTECT))
 		return 0;
-	if (!pax_mprotect_ptrace)
+	if (pax_mprotect_ptrace < 2)
 		return 0;
 	return UVM_EXTRACT_PROT_ALL;
 }

Index: src/sys/sys/pax.h
diff -u src/sys/sys/pax.h:1.23 src/sys/sys/pax.h:1.24
--- src/sys/sys/pax.h:1.23	Wed May 25 13:43:58 2016
+++ src/sys/sys/pax.h	Wed May 25 16:07:54 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: pax.h,v 1.23 2016/05/25 17:43:58 christos Exp $ */
+/* $NetBSD: pax.h,v 1.24 2016/05/25 20:07:54 christos Exp $ */
 
 /*-
  * Copyright (c) 2006 Elad Efrat <e...@netbsd.org>
@@ -37,6 +37,7 @@
 #define P_PAX_GUARD	0x04	/* Enable Segvguard */
 
 struct lwp;
+struct proc;
 struct exec_package;
 struct vmspace;
 
@@ -54,9 +55,11 @@ extern int pax_aslr_debug;
 
 #if defined(PAX_MPROTECT) || defined(PAX_SEGVGUARD) || defined(PAX_ASLR)
 void pax_init(void);
+void pax_set_flags(struct exec_package *, struct proc *);
 void pax_setup_elf_flags(struct exec_package *, uint32_t);
 #else
 # define pax_init()
+# define pax_set_flags(e, p)
 # define pax_setup_elf_flags(e, flags) __USE(flags)
 #endif
 
