kern_pax.c revision 1.11
1 /* $NetBSD: kern_pax.c,v 1.11 2006/12/26 19:31:33 elad Exp $ */ 2 3 /*- 4 * Copyright (c) 2006 Elad Efrat <elad (at) NetBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Elad Efrat. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "opt_pax.h" 34 35 #include <sys/param.h> 36 #include <sys/proc.h> 37 #include <sys/exec_elf.h> 38 #include <sys/pax.h> 39 #include <sys/sysctl.h> 40 #include <sys/malloc.h> 41 #include <sys/fileassoc.h> 42 #include <sys/syslog.h> 43 #include <sys/vnode.h> 44 #include <sys/queue.h> 45 #include <sys/kauth.h> 46 47 #ifdef PAX_MPROTECT 48 static int pax_mprotect_enabled = 1; 49 static int pax_mprotect_global = PAX_MPROTECT; 50 51 specificdata_key_t pax_mprotect_key; 52 #endif 53 54 #ifdef PAX_SEGVGUARD 55 #ifndef PAX_SEGVGUARD_EXPIRY 56 #define PAX_SEGVGUARD_EXPIRY (2 * 60) 57 #endif 58 59 #ifndef PAX_SEGVGUARD_SUSPENSION 60 #define PAX_SEGVGUARD_SUSPENSION (10 * 60) 61 #endif 62 63 #ifndef PAX_SEGVGUARD_MAXCRASHES 64 #define PAX_SEGVGUARD_MAXCRASHES 5 65 #endif 66 67 static int pax_segvguard_enabled = 1; 68 static int pax_segvguard_global = PAX_SEGVGUARD; 69 static int pax_segvguard_expiry = PAX_SEGVGUARD_EXPIRY; 70 static int pax_segvguard_suspension = PAX_SEGVGUARD_SUSPENSION; 71 static int pax_segvguard_maxcrashes = PAX_SEGVGUARD_MAXCRASHES; 72 73 static fileassoc_t segvguard_id; 74 specificdata_key_t pax_segvguard_key; 75 76 struct pax_segvguard_uid_entry { 77 uid_t sue_uid; 78 size_t sue_ncrashes; 79 time_t sue_expiry; 80 time_t sue_suspended; 81 LIST_ENTRY(pax_segvguard_uid_entry) sue_list; 82 }; 83 84 struct pax_segvguard_entry { 85 LIST_HEAD(, pax_segvguard_uid_entry) segv_uids; 86 }; 87 88 static void pax_segvguard_cb(void *); 89 #endif /* PAX_SEGVGUARD */ 90 91 /* PaX internal setspecific flags */ 92 #define PAX_MPROTECT_EXPLICIT_ENABLE (void *)0x01 93 #define PAX_MPROTECT_EXPLICIT_DISABLE (void *)0x02 94 #define PAX_SEGVGUARD_EXPLICIT_ENABLE (void *)0x03 95 #define PAX_SEGVGUARD_EXPLICIT_DISABLE (void *)0x04 96 97 SYSCTL_SETUP(sysctl_security_pax_setup, "sysctl security.pax setup") 98 { 99 const struct sysctlnode *rnode = NULL, *cnode; 100 101 sysctl_createv(clog, 0, NULL, &rnode, 102 CTLFLAG_PERMANENT, 103 CTLTYPE_NODE, "security", NULL, 104 NULL, 0, NULL, 0, 105 CTL_SECURITY, CTL_EOL); 106 107 sysctl_createv(clog, 0, &rnode, &rnode, 108 CTLFLAG_PERMANENT, 109 CTLTYPE_NODE, "pax", 110 SYSCTL_DESCR("PaX (exploit mitigation) features."), 111 NULL, 0, NULL, 0, 112 CTL_CREATE, CTL_EOL); 113 114 cnode = rnode; 115 116 #ifdef PAX_MPROTECT 117 sysctl_createv(clog, 0, &rnode, &rnode, 118 CTLFLAG_PERMANENT, 119 CTLTYPE_NODE, "mprotect", 120 SYSCTL_DESCR("mprotect(2) W^X restrictions."), 121 NULL, 0, NULL, 0, 122 CTL_CREATE, CTL_EOL); 123 sysctl_createv(clog, 0, &rnode, NULL, 124 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 125 CTLTYPE_INT, "enabled", 126 SYSCTL_DESCR("Restrictions enabled."), 127 NULL, 0, &pax_mprotect_enabled, 0, 128 CTL_CREATE, CTL_EOL); 129 sysctl_createv(clog, 0, &rnode, NULL, 130 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 131 CTLTYPE_INT, "global", 132 SYSCTL_DESCR("When enabled, unless explicitly " 133 "specified, apply restrictions to " 134 "all processes."), 135 NULL, 0, &pax_mprotect_global, 0, 136 CTL_CREATE, CTL_EOL); 137 #endif /* PAX_MPROTECT */ 138 139 rnode = cnode; 140 141 #ifdef PAX_SEGVGUARD 142 sysctl_createv(clog, 0, &rnode, &rnode, 143 CTLFLAG_PERMANENT, 144 CTLTYPE_NODE, "segvguard", 145 SYSCTL_DESCR("PaX segvguard."), 146 NULL, 0, NULL, 0, 147 CTL_CREATE, CTL_EOL); 148 sysctl_createv(clog, 0, &rnode, NULL, 149 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 150 CTLTYPE_INT, "enabled", 151 SYSCTL_DESCR("segvguard enabled."), 152 NULL, 0, &pax_segvguard_enabled, 0, 153 CTL_CREATE, CTL_EOL); 154 sysctl_createv(clog, 0, &rnode, NULL, 155 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 156 CTLTYPE_INT, "global", 157 SYSCTL_DESCR("segvguard all programs."), 158 NULL, 0, &pax_segvguard_global, 0, 159 CTL_CREATE, CTL_EOL); 160 sysctl_createv(clog, 0, &rnode, NULL, 161 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 162 CTLTYPE_INT, "expiry_timeout", 163 SYSCTL_DESCR("Entry expiry timeout (in seconds)."), 164 NULL, 0, &pax_segvguard_expiry, 0, 165 CTL_CREATE, CTL_EOL); 166 sysctl_createv(clog, 0, &rnode, NULL, 167 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 168 CTLTYPE_INT, "suspend_timeout", 169 SYSCTL_DESCR("Entry suspension timeout (in seconds)."), 170 NULL, 0, &pax_segvguard_suspension, 0, 171 CTL_CREATE, CTL_EOL); 172 sysctl_createv(clog, 0, &rnode, NULL, 173 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 174 CTLTYPE_INT, "max_crashes", 175 SYSCTL_DESCR("Max number of crashes before expiry."), 176 NULL, 0, &pax_segvguard_maxcrashes, 0, 177 CTL_CREATE, CTL_EOL); 178 #endif /* PAX_SEGVGUARD */ 179 } 180 181 /* 182 * Initialize PaX. 183 */ 184 void 185 pax_init(void) 186 { 187 #ifdef PAX_SEGVGUARD 188 int error; 189 #endif /* PAX_SEGVGUARD */ 190 191 #ifdef PAX_MPROTECT 192 proc_specific_key_create(&pax_mprotect_key, NULL); 193 #endif /* PAX_MPROTECT */ 194 195 #ifdef PAX_SEGVGUARD 196 error = fileassoc_register("segvguard", pax_segvguard_cb, 197 &segvguard_id); 198 if (error) { 199 panic("pax_init: segvguard_id: error=%d\n", error); 200 } 201 proc_specific_key_create(&pax_segvguard_key, NULL); 202 #endif /* PAX_SEGVGUARD */ 203 } 204 205 void 206 pax_adjust(struct lwp *l, int f) 207 { 208 #ifdef PAX_MPROTECT 209 if (pax_mprotect_enabled) { 210 if (f & PF_PAXMPROTECT) 211 proc_setspecific(l->l_proc, pax_mprotect_key, 212 PAX_MPROTECT_EXPLICIT_ENABLE); 213 if (f & PF_PAXNOMPROTECT) 214 proc_setspecific(l->l_proc, pax_mprotect_key, 215 PAX_MPROTECT_EXPLICIT_DISABLE); 216 } 217 #endif /* PAX_MPROTECT */ 218 219 #ifdef PAX_SEGVGUARD 220 if (pax_segvguard_enabled) { 221 if (f & PF_PAXGUARD) { 222 proc_setspecific(l->l_proc, pax_segvguard_key, 223 PAX_SEGVGUARD_EXPLICIT_ENABLE); 224 } 225 if (f & PF_PAXNOGUARD) 226 proc_setspecific(l->l_proc, pax_segvguard_key, 227 PAX_SEGVGUARD_EXPLICIT_DISABLE); 228 } 229 #endif /* PAX_SEGVGUARD */ 230 } 231 232 #ifdef PAX_MPROTECT 233 void 234 pax_mprotect(struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot) 235 { 236 void *t; 237 238 if (!pax_mprotect_enabled) 239 return; 240 241 t = proc_getspecific(l->l_proc, pax_mprotect_key); 242 if ((pax_mprotect_global && t == PAX_MPROTECT_EXPLICIT_DISABLE) || 243 (!pax_mprotect_global && t != PAX_MPROTECT_EXPLICIT_ENABLE)) 244 return; 245 246 if ((*prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) != VM_PROT_EXECUTE) { 247 *prot &= ~VM_PROT_EXECUTE; 248 *maxprot &= ~VM_PROT_EXECUTE; 249 } else { 250 *prot &= ~VM_PROT_WRITE; 251 *maxprot &= ~VM_PROT_WRITE; 252 } 253 } 254 #endif /* PAX_MPROTECT */ 255 256 #ifdef PAX_SEGVGUARD 257 static void 258 pax_segvguard_cb(void *v) 259 { 260 struct pax_segvguard_entry *p; 261 struct pax_segvguard_uid_entry *up; 262 263 if (v == NULL) 264 return; 265 266 p = v; 267 while ((up = LIST_FIRST(&p->segv_uids)) != NULL) { 268 LIST_REMOVE(up, sue_list); 269 free(up, M_TEMP); 270 } 271 272 free(v, M_TEMP); 273 } 274 275 /* 276 * Called when a process of image vp generated a segfault. 277 */ 278 int 279 pax_segvguard(struct lwp *l, struct vnode *vp, const char *name, 280 boolean_t crashed) 281 { 282 struct pax_segvguard_entry *p; 283 struct pax_segvguard_uid_entry *up; 284 struct timeval tv; 285 uid_t uid; 286 void *t; 287 boolean_t have_uid; 288 289 if (!pax_segvguard_enabled) 290 return (0); 291 292 t = proc_getspecific(l->l_proc, pax_segvguard_key); 293 if ((pax_segvguard_global && t == PAX_SEGVGUARD_EXPLICIT_DISABLE) || 294 (!pax_segvguard_global && t != PAX_SEGVGUARD_EXPLICIT_ENABLE)) 295 return (0); 296 297 if (vp == NULL) 298 return (EFAULT); 299 300 /* Check if we already monitor the file. */ 301 p = fileassoc_lookup(vp, segvguard_id); 302 303 /* Fast-path if starting a program we don't know. */ 304 if (p == NULL && !crashed) 305 return (0); 306 307 microtime(&tv); 308 309 /* 310 * If a program we don't know crashed, we need to create a new entry 311 * for it. 312 */ 313 if (p == NULL) { 314 p = malloc(sizeof(*p), M_TEMP, M_WAITOK); 315 if (fileassoc_add(vp, segvguard_id, p) != 0) { 316 fileassoc_table_add(vp->v_mount, 16); 317 fileassoc_add(vp, segvguard_id, p); 318 } 319 LIST_INIT(&p->segv_uids); 320 321 /* 322 * Initialize a new entry with "crashes so far" of 1. 323 * The expiry time is when we purge the entry if it didn't 324 * reach the limit. 325 */ 326 up = malloc(sizeof(*up), M_TEMP, M_WAITOK); 327 up->sue_uid = kauth_cred_getuid(l->l_cred); 328 up->sue_ncrashes = 1; 329 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry; 330 up->sue_suspended = 0; 331 332 LIST_INSERT_HEAD(&p->segv_uids, up, sue_list); 333 334 return (0); 335 } 336 337 /* 338 * A program we "know" either executed or crashed again. 339 * See if it's a culprit we're familiar with. 340 */ 341 uid = kauth_cred_getuid(l->l_cred); 342 have_uid = FALSE; 343 LIST_FOREACH(up, &p->segv_uids, sue_list) { 344 if (up->sue_uid == uid) { 345 have_uid = TRUE; 346 break; 347 } 348 } 349 350 /* 351 * It's someone else. Add an entry for him if we crashed. 352 */ 353 if (!have_uid) { 354 if (crashed) { 355 up = malloc(sizeof(*up), M_TEMP, M_WAITOK); 356 up->sue_uid = uid; 357 up->sue_ncrashes = 1; 358 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry; 359 up->sue_suspended = 0; 360 361 LIST_INSERT_HEAD(&p->segv_uids, up, sue_list); 362 } 363 364 return (0); 365 } 366 367 if (crashed) { 368 /* Check if timer on previous crashes expired first. */ 369 if (up->sue_expiry < tv.tv_sec) { 370 log(LOG_INFO, "PaX Segvguard: [%s] Suspension" 371 " expired.\n", name ? name : "unknown"); 372 373 up->sue_ncrashes = 1; 374 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry; 375 up->sue_suspended = 0; 376 377 return (0); 378 } 379 380 up->sue_ncrashes++; 381 382 if (up->sue_ncrashes >= pax_segvguard_maxcrashes) { 383 log(LOG_ALERT, "PaX Segvguard: [%s] Suspending " 384 "execution for %d seconds after %zu crashes.\n", 385 name ? name : "unknown", pax_segvguard_suspension, 386 up->sue_ncrashes); 387 388 /* Suspend this program for a while. */ 389 up->sue_suspended = tv.tv_sec + pax_segvguard_suspension; 390 up->sue_ncrashes = 0; 391 up->sue_expiry = 0; 392 } 393 } else { 394 /* Are we supposed to be suspended? */ 395 if (up->sue_suspended > tv.tv_sec) { 396 log(LOG_ALERT, "PaX Segvguard: [%s] Preventing " 397 "execution due to repeated segfaults.\n", name ? 398 name : "unknown"); 399 400 return (EPERM); 401 } 402 } 403 404 return (0); 405 } 406 #endif /* PAX_SEGVGUARD */ 407
Indexes created Sun Sep 21 18:09:52 GMT 2025