Module Name:    src
Committed By:   pgoyette
Date:           Fri Mar 24 21:43:21 UTC 2017

Modified Files:
        src/sys/kern: kern_resource.c
        src/sys/sys: sysctl.h

Log Message:
Add new sysctl variable proc.curproc.paxflags so a process can determine
which flags were set for it.  Define some values for the variable:

        CTL_PROC_PAXFLAGS_{ASLR,MPROTECT,GUARD}


To generate a diff of this commit:
cvs rdiff -u -r1.175 -r1.176 src/sys/kern/kern_resource.c
cvs rdiff -u -r1.221 -r1.222 src/sys/sys/sysctl.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_resource.c
diff -u src/sys/kern/kern_resource.c:1.175 src/sys/kern/kern_resource.c:1.176
--- src/sys/kern/kern_resource.c:1.175	Wed Jul 13 09:52:00 2016
+++ src/sys/kern/kern_resource.c	Fri Mar 24 21:43:20 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_resource.c,v 1.175 2016/07/13 09:52:00 njoly Exp $	*/
+/*	$NetBSD: kern_resource.c,v 1.176 2017/03/24 21:43:20 pgoyette Exp $	*/
 
 /*-
  * Copyright (c) 1982, 1986, 1991, 1993
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_resource.c,v 1.175 2016/07/13 09:52:00 njoly Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_resource.c,v 1.176 2017/03/24 21:43:20 pgoyette Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -813,6 +813,49 @@ sysctl_proc_findproc(lwp_t *l, pid_t pid
 }
 
 /*
+ * sysctl_proc_paxflags: helper routine to get process's paxctl flags
+ */
+static int
+sysctl_proc_paxflags(SYSCTLFN_ARGS)
+{
+	struct proc *p;
+	struct sysctlnode node;
+	int paxflags;
+	int error;
+
+	/* First, validate the request. */
+	if (namelen != 0 || name[-1] != PROC_PID_PAXFLAGS)
+		return EINVAL;
+
+	/* Find the process.  Hold a reference (p_reflock), if found. */
+	error = sysctl_proc_findproc(l, (pid_t)name[-2], &p);
+	if (error)
+		return error;
+
+	/* XXX-elad */
+	error = kauth_authorize_process(l->l_cred, KAUTH_PROCESS_CANSEE, p,
+	    KAUTH_ARG(KAUTH_REQ_PROCESS_CANSEE_ENTRY), NULL, NULL);
+	if (error) {
+		rw_exit(&p->p_reflock);
+		return error;
+	}
+
+	/* Retrieve the limits. */
+	node = *rnode;
+	paxflags = p->p_pax;
+	node.sysctl_data = &paxflags;
+
+	error = sysctl_lookup(SYSCTLFN_CALL(&node));
+
+	/* If attempting to write new value, it's an error */
+	if (error == 0 && newp != NULL)
+		error = EACCES;
+
+	rw_exit(&p->p_reflock);
+	return error;
+}
+
+/*
  * sysctl_proc_corename: helper routine to get or set the core file name
  * for a process specified by PID.
  */
@@ -1048,6 +1091,13 @@ sysctl_proc_setup(void)
 		       CTL_PROC, PROC_CURPROC, CTL_EOL);
 
 	sysctl_createv(&proc_sysctllog, 0, NULL, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READONLY,
+		       CTLTYPE_INT, "paxflags",
+		       SYSCTL_DESCR("Process PAX control flags"),
+		       sysctl_proc_paxflags, 0, NULL, 0,
+		       CTL_PROC, PROC_CURPROC, PROC_PID_PAXFLAGS, CTL_EOL);
+
+	sysctl_createv(&proc_sysctllog, 0, NULL, NULL,
 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE|CTLFLAG_ANYWRITE,
 		       CTLTYPE_STRING, "corename",
 		       SYSCTL_DESCR("Core file name"),

Index: src/sys/sys/sysctl.h
diff -u src/sys/sys/sysctl.h:1.221 src/sys/sys/sysctl.h:1.222
--- src/sys/sys/sysctl.h:1.221	Mon Apr  4 23:31:46 2016
+++ src/sys/sys/sysctl.h	Fri Mar 24 21:43:21 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: sysctl.h,v 1.221 2016/04/04 23:31:46 christos Exp $	*/
+/*	$NetBSD: sysctl.h,v 1.222 2017/03/24 21:43:21 pgoyette Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -1026,7 +1026,8 @@ struct kinfo_vmentry {
 #define	PROC_PID_STOPFORK	3
 #define	PROC_PID_STOPEXEC	4
 #define	PROC_PID_STOPEXIT	5
-#define	PROC_PID_MAXID		6
+#define	PROC_PID_PAXFLAGS	6
+#define	PROC_PID_MAXID		7
 
 #define	PROC_PID_NAMES { \
 	{ 0, 0 }, \
@@ -1035,6 +1036,7 @@ struct kinfo_vmentry {
 	{ "stopfork", CTLTYPE_INT }, \
 	{ "stopexec", CTLTYPE_INT }, \
 	{ "stopexit", CTLTYPE_INT }, \
+	{ "paxflags", CTLTYPE_INT }, \
 }
 
 /* Limit types from <sys/resources.h> */
@@ -1079,6 +1081,16 @@ struct kinfo_vmentry {
 }
 
 /*
+ * Export PAX flag definitions to userland.
+ *
+ * XXX These are duplicated from sys/pax.h but that header is not
+ * XXX installed.
+ */
+#define	CTL_PROC_PAXFLAGS_ASLR		0x01
+#define	CTL_PROC_PAXFLAGS_MPROTECT	0x02
+#define	CTL_PROC_PAXFLAGS_GUARD		0x04
+
+/*
  * CTL_EMUL definitions
  *
  * Second level identifier specifies which emulation variable.

Reply via email to