Module Name: src Committed By: pgoyette Date: Fri Mar 24 21:43:21 UTC 2017
Modified Files: src/sys/kern: kern_resource.c src/sys/sys: sysctl.h Log Message: Add new sysctl variable proc.curproc.paxflags so a process can determine which flags were set for it. Define some values for the variable: CTL_PROC_PAXFLAGS_{ASLR,MPROTECT,GUARD} To generate a diff of this commit: cvs rdiff -u -r1.175 -r1.176 src/sys/kern/kern_resource.c cvs rdiff -u -r1.221 -r1.222 src/sys/sys/sysctl.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/kern/kern_resource.c diff -u src/sys/kern/kern_resource.c:1.175 src/sys/kern/kern_resource.c:1.176 --- src/sys/kern/kern_resource.c:1.175 Wed Jul 13 09:52:00 2016 +++ src/sys/kern/kern_resource.c Fri Mar 24 21:43:20 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_resource.c,v 1.175 2016/07/13 09:52:00 njoly Exp $ */ +/* $NetBSD: kern_resource.c,v 1.176 2017/03/24 21:43:20 pgoyette Exp $ */ /*- * Copyright (c) 1982, 1986, 1991, 1993 @@ -37,7 +37,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: kern_resource.c,v 1.175 2016/07/13 09:52:00 njoly Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_resource.c,v 1.176 2017/03/24 21:43:20 pgoyette Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -813,6 +813,49 @@ sysctl_proc_findproc(lwp_t *l, pid_t pid } /* + * sysctl_proc_paxflags: helper routine to get process's paxctl flags + */ +static int +sysctl_proc_paxflags(SYSCTLFN_ARGS) +{ + struct proc *p; + struct sysctlnode node; + int paxflags; + int error; + + /* First, validate the request. */ + if (namelen != 0 || name[-1] != PROC_PID_PAXFLAGS) + return EINVAL; + + /* Find the process. Hold a reference (p_reflock), if found. */ + error = sysctl_proc_findproc(l, (pid_t)name[-2], &p); + if (error) + return error; + + /* XXX-elad */ + error = kauth_authorize_process(l->l_cred, KAUTH_PROCESS_CANSEE, p, + KAUTH_ARG(KAUTH_REQ_PROCESS_CANSEE_ENTRY), NULL, NULL); + if (error) { + rw_exit(&p->p_reflock); + return error; + } + + /* Retrieve the limits. */ + node = *rnode; + paxflags = p->p_pax; + node.sysctl_data = &paxflags; + + error = sysctl_lookup(SYSCTLFN_CALL(&node)); + + /* If attempting to write new value, it's an error */ + if (error == 0 && newp != NULL) + error = EACCES; + + rw_exit(&p->p_reflock); + return error; +} + +/* * sysctl_proc_corename: helper routine to get or set the core file name * for a process specified by PID. */ 
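Review bot: The write rejection in sysctl_proc_paxflags runs only after `sysctl_lookup()` has returned, so a request carrying `newp` still goes through the process lookup, the kauth check and the lookup call before it is refused. The node is registered `CTLFLAG_READONLY` in the later sysctl_proc_setup hunk, so sysctl_lookup (not visible here) probably rejects such a request itself, which would make the `error == 0 && newp != NULL` branch dead code. Either way, refusing up front with `if (newp != NULL) return EACCES;` right after the `namelen` check is clearer and never takes `p_reflock`. The comment `/* Retrieve the limits. */` looks copied from a neighbouring helper and should read something like `/* Snapshot the process's PaX flags. */`. The bare `/* XXX-elad */` above `kauth_authorize_process` should say what is unresolved, because that check decides whose hardening state a caller may read.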
@@ -1048,6 +1091,13 @@ sysctl_proc_setup(void) CTL_PROC, PROC_CURPROC, CTL_EOL); sysctl_createv(&proc_sysctllog, 0, NULL, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READONLY, + CTLTYPE_INT, "paxflags", + SYSCTL_DESCR("Process PAX control flags"), + sysctl_proc_paxflags, 0, NULL, 0, + CTL_PROC, PROC_CURPROC, PROC_PID_PAXFLAGS, CTL_EOL); + + sysctl_createv(&proc_sysctllog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE|CTLFLAG_ANYWRITE, CTLTYPE_STRING, "corename", SYSCTL_DESCR("Core file name"), Index: src/sys/sys/sysctl.h diff -u src/sys/sys/sysctl.h:1.221 src/sys/sys/sysctl.h:1.222 --- src/sys/sys/sysctl.h:1.221 Mon Apr 4 23:31:46 2016 +++ src/sys/sys/sysctl.h Fri Mar 24 21:43:21 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: sysctl.h,v 1.221 2016/04/04 23:31:46 christos Exp $ */ +/* $NetBSD: sysctl.h,v 1.222 2017/03/24 21:43:21 pgoyette Exp $ */ /* * Copyright (c) 1989, 1993 @@ -1026,7 +1026,8 @@ struct kinfo_vmentry { #define PROC_PID_STOPFORK 3 #define PROC_PID_STOPEXEC 4 #define PROC_PID_STOPEXIT 5 -#define PROC_PID_MAXID 6 +#define PROC_PID_PAXFLAGS 6 +#define PROC_PID_MAXID 7 #define PROC_PID_NAMES { \ { 0, 0 }, \ @@ -1035,6 +1036,7 @@ struct kinfo_vmentry { { "stopfork", CTLTYPE_INT }, \ { "stopexec", CTLTYPE_INT }, \ { "stopexit", CTLTYPE_INT }, \ + { "paxflags", CTLTYPE_INT }, \ } /* Limit types from <sys/resources.h> */ @@ -1079,6 +1081,16 @@ struct kinfo_vmentry { } /* + * Export PAX flag definitions to userland. + * + * XXX These are duplicated from sys/pax.h but that header is not + * XXX installed. + */ +#define CTL_PROC_PAXFLAGS_ASLR 0x01 +#define CTL_PROC_PAXFLAGS_MPROTECT 0x02 +#define CTL_PROC_PAXFLAGS_GUARD 0x04 + +/* * CTL_EMUL definitions * * Second level identifier specifies which emulation variable.
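Review bot: The `CTL_PROC_PAXFLAGS_*` values in the last sysctl.h hunk are hand-copied from sys/pax.h, as the XXX comment admits, and nothing in the visible change ties the two sets together. The handler in kern_resource.c returns `p->p_pax` unmasked, so if the kernel-side bits are ever renumbered or extended, userland would misread a process's ASLR/MPROTECT/guard state or see bits that were never meant to be exported. A compile-time check in kern_resource.c for each of the three values, e.g. `CTASSERT(CTL_PROC_PAXFLAGS_ASLR == <sys/pax.h ASLR flag>);`, would catch any drift at build time. Masking the returned value to those three bits would keep unexported bits out of the interface.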