kern_pax.c revision 1.8.2.1
1 /* $NetBSD: kern_pax.c,v 1.8.2.1 2007/01/04 18:54:30 bouyer Exp $ */ 2 3 /*- 4 * Copyright (c) 2006 Elad Efrat <elad (at) NetBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Elad Efrat. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "opt_pax.h" 34 35 #include <sys/param.h> 36 #include <sys/proc.h> 37 #include <sys/exec_elf.h> 38 #include <sys/pax.h> 39 #include <sys/sysctl.h> 40 #include <sys/malloc.h> 41 #include <sys/fileassoc.h> 42 #include <sys/syslog.h> 43 #include <sys/vnode.h> 44 #include <sys/queue.h> 45 #include <sys/kauth.h> 46 47 #ifdef PAX_MPROTECT 48 static int pax_mprotect_enabled = 1; 49 static int pax_mprotect_global = PAX_MPROTECT; 50 51 specificdata_key_t pax_mprotect_key; 52 #endif 53 54 #ifdef PAX_SEGVGUARD 55 #ifndef PAX_SEGVGUARD_EXPIRY 56 #define PAX_SEGVGUARD_EXPIRY (2 * 60) 57 #endif 58 59 #ifndef PAX_SEGVGUARD_SUSPENSION 60 #define PAX_SEGVGUARD_SUSPENSION (10 * 60) 61 #endif 62 63 #ifndef PAX_SEGVGUARD_MAXCRASHES 64 #define PAX_SEGVGUARD_MAXCRASHES 5 65 #endif 66 67 static int pax_segvguard_enabled = 1; 68 static int pax_segvguard_global = PAX_SEGVGUARD; 69 static int pax_segvguard_expiry = PAX_SEGVGUARD_EXPIRY; 70 static int pax_segvguard_suspension = PAX_SEGVGUARD_SUSPENSION; 71 static int pax_segvguard_maxcrashes = PAX_SEGVGUARD_MAXCRASHES; 72 73 static fileassoc_t segvguard_id; 74 specificdata_key_t pax_segvguard_key; 75 76 struct pax_segvguard_uid_entry { 77 uid_t sue_uid; 78 size_t sue_ncrashes; 79 time_t sue_expiry; 80 time_t sue_suspended; 81 LIST_ENTRY(pax_segvguard_uid_entry) sue_list; 82 }; 83 84 struct pax_segvguard_entry { 85 LIST_HEAD(, pax_segvguard_uid_entry) segv_uids; 86 }; 87 #endif /* PAX_SEGVGUARD */ 88 89 /* PaX internal setspecific flags */ 90 #define PAX_MPROTECT_EXPLICIT_ENABLE (void *)0x01 91 #define PAX_MPROTECT_EXPLICIT_DISABLE (void *)0x02 92 #define PAX_SEGVGUARD_EXPLICIT_ENABLE (void *)0x03 93 #define PAX_SEGVGUARD_EXPLICIT_DISABLE (void *)0x04 94 95 SYSCTL_SETUP(sysctl_security_pax_setup, "sysctl security.pax setup") 96 { 97 const struct sysctlnode *rnode = NULL, *cnode; 98 99 sysctl_createv(clog, 0, NULL, &rnode, 100 CTLFLAG_PERMANENT, 101 CTLTYPE_NODE, "security", NULL, 102 NULL, 0, NULL, 0, 103 CTL_SECURITY, CTL_EOL); 104 105 sysctl_createv(clog, 0, &rnode, &rnode, 106 CTLFLAG_PERMANENT, 107 CTLTYPE_NODE, "pax", 108 SYSCTL_DESCR("PaX (exploit mitigation) features."), 109 NULL, 0, NULL, 0, 110 CTL_CREATE, CTL_EOL); 111 112 cnode = rnode; 113 114 #ifdef PAX_MPROTECT 115 sysctl_createv(clog, 0, &rnode, &rnode, 116 CTLFLAG_PERMANENT, 117 CTLTYPE_NODE, "mprotect", 118 SYSCTL_DESCR("mprotect(2) W^X restrictions."), 119 NULL, 0, NULL, 0, 120 CTL_CREATE, CTL_EOL); 121 sysctl_createv(clog, 0, &rnode, NULL, 122 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 123 CTLTYPE_INT, "enabled", 124 SYSCTL_DESCR("Restrictions enabled."), 125 NULL, 0, &pax_mprotect_enabled, 0, 126 CTL_CREATE, CTL_EOL); 127 sysctl_createv(clog, 0, &rnode, NULL, 128 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 129 CTLTYPE_INT, "global", 130 SYSCTL_DESCR("When enabled, unless explicitly " 131 "specified, apply restrictions to " 132 "all processes."), 133 NULL, 0, &pax_mprotect_global, 0, 134 CTL_CREATE, CTL_EOL); 135 #endif /* PAX_MPROTECT */ 136 137 rnode = cnode; 138 139 #ifdef PAX_SEGVGUARD 140 sysctl_createv(clog, 0, &rnode, &rnode, 141 CTLFLAG_PERMANENT, 142 CTLTYPE_NODE, "segvguard", 143 SYSCTL_DESCR("PaX segvguard."), 144 NULL, 0, NULL, 0, 145 CTL_CREATE, CTL_EOL); 146 sysctl_createv(clog, 0, &rnode, NULL, 147 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 148 CTLTYPE_INT, "enabled", 149 SYSCTL_DESCR("segvguard enabled."), 150 NULL, 0, &pax_segvguard_enabled, 0, 151 CTL_CREATE, CTL_EOL); 152 sysctl_createv(clog, 0, &rnode, NULL, 153 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 154 CTLTYPE_INT, "global", 155 SYSCTL_DESCR("segvguard all programs."), 156 NULL, 0, &pax_segvguard_global, 0, 157 CTL_CREATE, CTL_EOL); 158 sysctl_createv(clog, 0, &rnode, NULL, 159 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 160 CTLTYPE_INT, "expiry_timeout", 161 SYSCTL_DESCR("Entry expiry timeout (in seconds)."), 162 NULL, 0, &pax_segvguard_expiry, 0, 163 CTL_CREATE, CTL_EOL); 164 sysctl_createv(clog, 0, &rnode, NULL, 165 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 166 CTLTYPE_INT, "suspend_timeout", 167 SYSCTL_DESCR("Entry suspension timeout (in seconds)."), 168 NULL, 0, &pax_segvguard_suspension, 0, 169 CTL_CREATE, CTL_EOL); 170 sysctl_createv(clog, 0, &rnode, NULL, 171 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 172 CTLTYPE_INT, "max_crashes", 173 SYSCTL_DESCR("Max number of crashes before expiry."), 174 NULL, 0, &pax_segvguard_maxcrashes, 0, 175 CTL_CREATE, CTL_EOL); 176 #endif /* PAX_SEGVGUARD */ 177 } 178 179 /* 180 * Initialize PaX. 181 */ 182 void 183 pax_init(void) 184 { 185 #ifdef PAX_MPROTECT 186 proc_specific_key_create(&pax_mprotect_key, NULL); 187 #endif /* PAX_MPROTECT */ 188 189 #ifdef PAX_SEGVGUARD 190 segvguard_id = fileassoc_register("segvguard", pax_segvguard_cb); 191 proc_specific_key_create(&pax_segvguard_key, NULL); 192 #endif /* PAX_SEGVGUARD */ 193 } 194 195 void 196 pax_adjust(struct lwp *l, int f) 197 { 198 #ifdef PAX_MPROTECT 199 if (pax_mprotect_enabled) { 200 if (f & PF_PAXMPROTECT) 201 proc_setspecific(l->l_proc, pax_mprotect_key, 202 PAX_MPROTECT_EXPLICIT_ENABLE); 203 if (f & PF_PAXNOMPROTECT) 204 proc_setspecific(l->l_proc, pax_mprotect_key, 205 PAX_MPROTECT_EXPLICIT_DISABLE); 206 } 207 #endif /* PAX_MPROTECT */ 208 209 #ifdef PAX_SEGVGUARD 210 if (pax_segvguard_enabled) { 211 if (f & PF_PAXGUARD) { 212 proc_setspecific(l->l_proc, pax_segvguard_key, 213 PAX_SEGVGUARD_EXPLICIT_ENABLE); 214 } 215 if (f & PF_PAXNOGUARD) 216 proc_setspecific(l->l_proc, pax_segvguard_key, 217 PAX_SEGVGUARD_EXPLICIT_DISABLE); 218 } 219 #endif /* PAX_SEGVGUARD */ 220 } 221 222 #ifdef PAX_MPROTECT 223 void 224 pax_mprotect(struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot) 225 { 226 void *t; 227 228 if (!pax_mprotect_enabled) 229 return; 230 231 t = proc_getspecific(l->l_proc, pax_mprotect_key); 232 if ((pax_mprotect_global && t == PAX_MPROTECT_EXPLICIT_DISABLE) || 233 (!pax_mprotect_global && t != PAX_MPROTECT_EXPLICIT_ENABLE)) 234 return; 235 236 if ((*prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) != VM_PROT_EXECUTE) { 237 *prot &= ~VM_PROT_EXECUTE; 238 *maxprot &= ~VM_PROT_EXECUTE; 239 } else { 240 *prot &= ~VM_PROT_WRITE; 241 *maxprot &= ~VM_PROT_WRITE; 242 } 243 } 244 #endif /* PAX_MPROTECT */ 245 246 #ifdef PAX_SEGVGUARD 247 void 248 pax_segvguard_cb(void *v, int what) 249 { 250 struct pax_segvguard_entry *p; 251 struct pax_segvguard_uid_entry *up; 252 253 if (v == NULL) 254 return; 255 256 if (what == FILEASSOC_CLEANUP_FILE) { 257 p = v; 258 while ((up = LIST_FIRST(&p->segv_uids)) != NULL) { 259 LIST_REMOVE(up, sue_list); 260 free(up, M_TEMP); 261 } 262 } 263 264 free(v, M_TEMP); 265 } 266 267 /* 268 * Called when a process of image vp generated a segfault. 269 */ 270 int 271 pax_segvguard(struct lwp *l, struct vnode *vp, const char *name, 272 boolean_t crashed) 273 { 274 struct pax_segvguard_entry *p; 275 struct pax_segvguard_uid_entry *up; 276 struct timeval tv; 277 uid_t uid; 278 void *t; 279 boolean_t have_uid; 280 281 if (!pax_segvguard_enabled) 282 return (0); 283 284 t = proc_getspecific(l->l_proc, pax_segvguard_key); 285 if ((pax_segvguard_global && t == PAX_SEGVGUARD_EXPLICIT_DISABLE) || 286 (!pax_segvguard_global && t != PAX_SEGVGUARD_EXPLICIT_ENABLE)) 287 return (0); 288 289 if (segvguard_id == FILEASSOC_INVAL || vp == NULL) 290 return (EFAULT); 291 292 /* Check if we already monitor the file. */ 293 p = fileassoc_lookup(vp, segvguard_id); 294 295 /* Fast-path if starting a program we don't know. */ 296 if (p == NULL && !crashed) 297 return (0); 298 299 microtime(&tv); 300 301 /* 302 * If a program we don't know crashed, we need to create a new entry 303 * for it. 304 */ 305 if (p == NULL) { 306 p = malloc(sizeof(*p), M_TEMP, M_WAITOK); 307 if (fileassoc_add(vp, segvguard_id, p) != 0) { 308 fileassoc_table_add(vp->v_mount, 16); 309 fileassoc_add(vp, segvguard_id, p); 310 } 311 LIST_INIT(&p->segv_uids); 312 313 /* 314 * Initialize a new entry with "crashes so far" of 1. 315 * The expiry time is when we purge the entry if it didn't 316 * reach the limit. 317 */ 318 up = malloc(sizeof(*up), M_TEMP, M_WAITOK); 319 up->sue_uid = kauth_cred_getuid(l->l_cred); 320 up->sue_ncrashes = 1; 321 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry; 322 up->sue_suspended = 0; 323 324 LIST_INSERT_HEAD(&p->segv_uids, up, sue_list); 325 326 return (0); 327 } 328 329 /* 330 * A program we "know" either executed or crashed again. 331 * See if it's a culprit we're familiar with. 332 */ 333 uid = kauth_cred_getuid(l->l_cred); 334 have_uid = FALSE; 335 LIST_FOREACH(up, &p->segv_uids, sue_list) { 336 if (up->sue_uid == uid) { 337 have_uid = TRUE; 338 break; 339 } 340 } 341 342 /* 343 * It's someone else. Add an entry for him if we crashed. 344 */ 345 if (!have_uid) { 346 if (crashed) { 347 up = malloc(sizeof(*up), M_TEMP, M_WAITOK); 348 up->sue_uid = uid; 349 up->sue_ncrashes = 1; 350 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry; 351 up->sue_suspended = 0; 352 353 LIST_INSERT_HEAD(&p->segv_uids, up, sue_list); 354 } 355 356 return (0); 357 } 358 359 if (crashed) { 360 /* Check if timer on previous crashes expired first. */ 361 if (up->sue_expiry < tv.tv_sec) { 362 log(LOG_INFO, "PaX Segvguard: [%s] Suspension" 363 " expired.\n", name ? name : "unknown"); 364 365 up->sue_ncrashes = 1; 366 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry; 367 up->sue_suspended = 0; 368 369 return (0); 370 } 371 372 up->sue_ncrashes++; 373 374 if (up->sue_ncrashes >= pax_segvguard_maxcrashes) { 375 log(LOG_ALERT, "PaX Segvguard: [%s] Suspending " 376 "execution for %d seconds after %zu crashes.\n", 377 name ? name : "unknown", pax_segvguard_suspension, 378 up->sue_ncrashes); 379 380 /* Suspend this program for a while. */ 381 up->sue_suspended = tv.tv_sec + pax_segvguard_suspension; 382 up->sue_ncrashes = 0; 383 up->sue_expiry = 0; 384 } 385 } else { 386 /* Are we supposed to be suspended? */ 387 if (up->sue_suspended > tv.tv_sec) { 388 log(LOG_ALERT, "PaX Segvguard: [%s] Preventing " 389 "execution due to repeated segfaults.\n", name ? 390 name : "unknown"); 391 392 return (EPERM); 393 } 394 } 395 396 return (0); 397 } 398 #endif /* PAX_SEGVGUARD */ 399
Indexes created Tue Sep 30 11:09:46 GMT 2025