kern_pax.c revision 1.3.14.1
1 /* $NetBSD: kern_pax.c,v 1.3.14.1 2006/11/18 21:39:22 ad Exp $ */ 2 3 /*- 4 * Copyright (c) 2006 Elad Efrat <elad (at) NetBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Elad Efrat. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "opt_pax.h" 34 35 #include <sys/param.h> 36 #include <sys/proc.h> 37 #include <sys/exec_elf.h> 38 #include <sys/pax.h> 39 #include <sys/sysctl.h> 40 41 static int pax_mprotect_enabled = 1; 42 static int pax_mprotect_global = PAX_MPROTECT; 43 44 SYSCTL_SETUP(sysctl_security_pax_setup, "sysctl security.pax setup") 45 { 46 const struct sysctlnode *rnode = NULL; 47 48 sysctl_createv(clog, 0, NULL, &rnode, 49 CTLFLAG_PERMANENT, 50 CTLTYPE_NODE, "security", NULL, 51 NULL, 0, NULL, 0, 52 CTL_CREATE, CTL_EOL); 53 54 sysctl_createv(clog, 0, &rnode, &rnode, 55 CTLFLAG_PERMANENT, 56 CTLTYPE_NODE, "pax", 57 SYSCTL_DESCR("PaX (exploit mitigation) features."), 58 NULL, 0, NULL, 0, 59 CTL_CREATE, CTL_EOL); 60 61 sysctl_createv(clog, 0, &rnode, &rnode, 62 CTLFLAG_PERMANENT, 63 CTLTYPE_NODE, "mprotect", 64 SYSCTL_DESCR("mprotect(2) W^X restrictions."), 65 NULL, 0, NULL, 0, 66 CTL_CREATE, CTL_EOL); 67 sysctl_createv(clog, 0, &rnode, NULL, 68 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 69 CTLTYPE_INT, "enabled", 70 SYSCTL_DESCR("Restrictions enabled."), 71 NULL, 0, &pax_mprotect_enabled, 0, 72 CTL_CREATE, CTL_EOL); 73 sysctl_createv(clog, 0, &rnode, NULL, 74 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 75 CTLTYPE_INT, "global", 76 SYSCTL_DESCR("When enabled, unless explicitly " 77 "specified, apply restrictions to " 78 "all processes."), 79 NULL, 0, &pax_mprotect_global, 0, 80 CTL_CREATE, CTL_EOL); 81 } 82 83 void 84 pax_mprotect_adjust(struct lwp *l, int f) 85 { 86 if (!pax_mprotect_enabled) 87 return; 88 89 if (f & PF_PAXMPROTECT) 90 l->l_proc->p_flag |= P_PAXMPROTECT; 91 if (f & PF_PAXNOMPROTECT) 92 l->l_proc->p_flag |= P_PAXNOMPROTECT; 93 } 94 95 void 96 pax_mprotect(struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot) 97 { 98 if (!pax_mprotect_enabled || 99 (pax_mprotect_global && (l->l_proc->p_flag & P_PAXNOMPROTECT)) || 100 (!pax_mprotect_global && !(l->l_proc->p_flag & P_PAXMPROTECT))) 101 return; 102 103 if ((*prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) != VM_PROT_EXECUTE) { 104 *prot &= ~VM_PROT_EXECUTE; 105 *maxprot &= ~VM_PROT_EXECUTE; 106 } else { 107 *prot &= ~VM_PROT_WRITE; 108 *maxprot &= ~VM_PROT_WRITE; 109 } 110 } 111
Indexes created Tue Sep 30 11:09:46 GMT 2025