CVS commit: src/sys

Maxime Villard Fri, 29 Sep 2017 10:08:33 -0700

Module Name:    src
Committed By:   maxv
Date:           Fri Sep 29 17:08:00 UTC 2017


Modified Files:
        src/sys/compat/linux/common: linux_mod.c linux_sysctl.c linux_sysctl.h
        src/sys/kern: kern_exec.c

Log Message:
Remove compat_linux from the autoload list, and add a sysctl to enable or
disable it - which defaults to disabled. The following command is now
required to use linux binaries:

        sysctl -w emul.linux.enabled=1

After a discussion on tech-kern@. All the other ideas to reduce the attack
surface have drawbacks, and this sysctl seems to be the best option.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/compat/linux/common/linux_mod.c
cvs rdiff -u -r1.43 -r1.44 src/sys/compat/linux/common/linux_sysctl.c
cvs rdiff -u -r1.5 -r1.6 src/sys/compat/linux/common/linux_sysctl.h
cvs rdiff -u -r1.444 -r1.445 src/sys/kern/kern_exec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/common/linux_mod.c
diff -u src/sys/compat/linux/common/linux_mod.c:1.6 src/sys/compat/linux/common/linux_mod.c:1.7
--- src/sys/compat/linux/common/linux_mod.c:1.6	Thu Dec  3 02:51:01 2015
+++ src/sys/compat/linux/common/linux_mod.c	Fri Sep 29 17:08:00 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_mod.c,v 1.6 2015/12/03 02:51:01 pgoyette Exp $	*/
+/*	$NetBSD: linux_mod.c,v 1.7 2017/09/29 17:08:00 maxv Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux_mod.c,v 1.6 2015/12/03 02:51:01 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_mod.c,v 1.7 2017/09/29 17:08:00 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_execfmt.h"
@@ -44,6 +44,7 @@ __KERNEL_RCSID(0, "$NetBSD: linux_mod.c,
 #include <sys/module.h>
 #include <sys/exec.h>
 #include <sys/signalvar.h>
+#include <sys/sysctl.h>
 
 #include <compat/linux/common/linux_sysctl.h>
 #include <compat/linux/common/linux_futex.h>
@@ -118,6 +119,38 @@ static struct execsw linux_execsw[] = {
 #endif
 };
 
+int linux_enabled = 0;
+
+int
+linux_sysctl_enable(SYSCTLFN_ARGS)
+{
+	struct sysctlnode node;
+	int error, val;
+
+	val = *(int *)rnode->sysctl_data;
+
+	node = *rnode;
+	node.sysctl_data = &val;
+
+	error = sysctl_lookup(SYSCTLFN_CALL(&node));
+	if (error != 0 || newp == NULL)
+		return error;
+
+	if (val == 1) {
+		error = exec_add(linux_execsw, __arraycount(linux_execsw));
+	} else if (val == 0) {
+		error = exec_remove(linux_execsw, __arraycount(linux_execsw));
+	} else {
+		error = EINVAL;
+	}
+	if (error)
+		return error;
+
+	*(int *)rnode->sysctl_data = val;
+
+	return 0;
+}
+
 static int
 compat_linux_modcmd(modcmd_t cmd, void *arg)
 {
@@ -125,22 +158,18 @@ compat_linux_modcmd(modcmd_t cmd, void *
 
 	switch (cmd) {
 	case MODULE_CMD_INIT:
+		linux_enabled = 0;
 		linux_futex_init();
 		linux_sysctl_init();
-		error = exec_add(linux_execsw,
-		    __arraycount(linux_execsw));
-		if (error != 0)
-			linux_sysctl_fini();
-		return error;
+		return 0;
 
 	case MODULE_CMD_FINI:
-		error = exec_remove(linux_execsw,
-		    __arraycount(linux_execsw));
-		if (error == 0) {
-			linux_sysctl_fini();
-			linux_futex_fini();
-		}
-		return error;
+		error = exec_remove(linux_execsw, __arraycount(linux_execsw));
+		if (error)
+			return error;
+		linux_sysctl_fini();
+		linux_futex_fini();
+		return 0;
 
 	default:
 		return ENOTTY;

Index: src/sys/compat/linux/common/linux_sysctl.c
diff -u src/sys/compat/linux/common/linux_sysctl.c:1.43 src/sys/compat/linux/common/linux_sysctl.c:1.44
--- src/sys/compat/linux/common/linux_sysctl.c:1.43	Fri May 16 12:22:32 2014
+++ src/sys/compat/linux/common/linux_sysctl.c	Fri Sep 29 17:08:00 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_sysctl.c,v 1.43 2014/05/16 12:22:32 martin Exp $	*/
+/*	$NetBSD: linux_sysctl.c,v 1.44 2017/09/29 17:08:00 maxv Exp $	*/
 
 /*-
  * Copyright (c) 2003, 2008 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux_sysctl.c,v 1.43 2014/05/16 12:22:32 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_sysctl.c,v 1.44 2017/09/29 17:08:00 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -70,6 +70,7 @@ struct sysctlnode linux_sysctl_root = {
 
 static struct sysctllog *linux_clog1;
 static struct sysctllog *linux_clog2;
+extern int linux_enabled;
 
 void
 linux_sysctl_fini(void)
@@ -112,6 +113,7 @@ linux_sysctl_init(void)
 		       SYSCTL_DESCR("Linux emulation settings"),
 		       NULL, 0, NULL, 0,
 		       CTL_EMUL, EMUL_LINUX, CTL_EOL);
+
 	sysctl_createv(&linux_clog2, 0, NULL, NULL,
 		       CTLFLAG_PERMANENT,
 		       CTLTYPE_NODE, "kern",
@@ -140,6 +142,13 @@ linux_sysctl_init(void)
 		       CTL_EMUL, EMUL_LINUX, EMUL_LINUX_KERN,
 		       EMUL_LINUX_KERN_VERSION, CTL_EOL);
 
+	sysctl_createv(&linux_clog2, 0, NULL, NULL,
+		       CTLFLAG_READWRITE,
+		       CTLTYPE_INT, "enabled",
+		       SYSCTL_DESCR("Linux compat enabled."),
+		       linux_sysctl_enable, 0, &linux_enabled, 0,
+		       CTL_EMUL, EMUL_LINUX, CTL_CREATE, CTL_EOL);
+
 	linux_sysctl_root.sysctl_flags &= ~CTLFLAG_READWRITE;
 }
 

Index: src/sys/compat/linux/common/linux_sysctl.h
diff -u src/sys/compat/linux/common/linux_sysctl.h:1.5 src/sys/compat/linux/common/linux_sysctl.h:1.6
--- src/sys/compat/linux/common/linux_sysctl.h:1.5	Wed Nov 19 18:36:04 2008
+++ src/sys/compat/linux/common/linux_sysctl.h	Fri Sep 29 17:08:00 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_sysctl.h,v 1.5 2008/11/19 18:36:04 ad Exp $	*/
+/*	$NetBSD: linux_sysctl.h,v 1.6 2017/09/29 17:08:00 maxv Exp $	*/
 
 /*-
  * Copyright (c) 2002 The NetBSD Foundation, Inc.
@@ -469,4 +469,6 @@
 void	linux_sysctl_init(void);
 void	linux_sysctl_fini(void);
 
+int	linux_sysctl_enable(SYSCTLFN_PROTO);
+
 #endif /* !_LINUX_SYSCTL_H */

Index: src/sys/kern/kern_exec.c
diff -u src/sys/kern/kern_exec.c:1.444 src/sys/kern/kern_exec.c:1.445
--- src/sys/kern/kern_exec.c:1.444	Tue Aug  8 16:57:32 2017
+++ src/sys/kern/kern_exec.c	Fri Sep 29 17:08:00 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_exec.c,v 1.444 2017/08/08 16:57:32 maxv Exp $	*/
+/*	$NetBSD: kern_exec.c,v 1.445 2017/09/29 17:08:00 maxv Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -59,7 +59,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.444 2017/08/08 16:57:32 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.445 2017/09/29 17:08:00 maxv Exp $");
 
 #include "opt_exec.h"
 #include "opt_execfmt.h"
@@ -578,7 +578,6 @@ exec_autoload(void)
 		"exec_coff",
 		"exec_ecoff",
 		"compat_aoutm68k",
-		"compat_linux",
 		"compat_linux32",
 		"compat_netbsd32",
 		"compat_sunos",

CVS commit: src/sys

Reply via email to