t_mprotect.c revision 1.4
1 1.4 christos /* $NetBSD: t_mprotect.c,v 1.4 2016/05/28 14:34:49 christos Exp $ */ 2 1.1 jruoho 3 1.1 jruoho /*- 4 1.1 jruoho * Copyright (c) 2011 The NetBSD Foundation, Inc. 5 1.1 jruoho * All rights reserved. 6 1.1 jruoho * 7 1.1 jruoho * This code is derived from software contributed to The NetBSD Foundation 8 1.1 jruoho * by Jukka Ruohonen. 9 1.1 jruoho * 10 1.1 jruoho * Redistribution and use in source and binary forms, with or without 11 1.1 jruoho * modification, are permitted provided that the following conditions 12 1.1 jruoho * are met: 13 1.1 jruoho * 1. Redistributions of source code must retain the above copyright 14 1.1 jruoho * notice, this list of conditions and the following disclaimer. 15 1.1 jruoho * 2. Redistributions in binary form must reproduce the above copyright 16 1.1 jruoho * notice, this list of conditions and the following disclaimer in the 17 1.1 jruoho * documentation and/or other materials provided with the distribution. 18 1.1 jruoho * 19 1.1 jruoho * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 1.1 jruoho * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 1.1 jruoho * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 1.1 jruoho * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 1.1 jruoho * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 1.1 jruoho * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 1.1 jruoho * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 1.1 jruoho * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 1.1 jruoho * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 1.1 jruoho * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 1.1 jruoho * POSSIBILITY OF SUCH DAMAGE. 30 1.1 jruoho */ 31 1.1 jruoho #include <sys/cdefs.h> 32 1.4 christos __RCSID("$NetBSD: t_mprotect.c,v 1.4 2016/05/28 14:34:49 christos Exp $"); 33 1.1 jruoho 34 1.1 jruoho #include <sys/param.h> 35 1.1 jruoho #include <sys/mman.h> 36 1.1 jruoho #include <sys/sysctl.h> 37 1.1 jruoho #include <sys/wait.h> 38 1.1 jruoho 39 1.1 jruoho #include <errno.h> 40 1.1 jruoho #include <fcntl.h> 41 1.1 jruoho #include <stdlib.h> 42 1.1 jruoho #include <string.h> 43 1.1 jruoho #include <unistd.h> 44 1.1 jruoho 45 1.1 jruoho #include <atf-c.h> 46 1.1 jruoho 47 1.2 jym #include "../common/exec_prot.h" 48 1.2 jym 49 1.1 jruoho static long page = 0; 50 1.1 jruoho static int pax_global = -1; 51 1.1 jruoho static int pax_enabled = -1; 52 1.1 jruoho static char path[] = "mmap"; 53 1.1 jruoho 54 1.1 jruoho static void sighandler(int); 55 1.1 jruoho static bool paxinit(void); 56 1.1 jruoho static bool paxset(int, int); 57 1.1 jruoho 58 1.1 jruoho static void 59 1.1 jruoho sighandler(int signo) 60 1.1 jruoho { 61 1.1 jruoho _exit(signo); 62 1.1 jruoho } 63 1.1 jruoho 64 1.1 jruoho static bool 65 1.1 jruoho paxinit(void) 66 1.1 jruoho { 67 1.1 jruoho size_t len = sizeof(int); 68 1.1 jruoho int rv; 69 1.1 jruoho 70 1.1 jruoho rv = sysctlbyname("security.pax.mprotect.global", 71 1.1 jruoho &pax_global, &len, NULL, 0); 72 1.1 jruoho 73 1.1 jruoho if (rv != 0) 74 1.1 jruoho return false; 75 1.1 jruoho 76 1.1 jruoho rv = sysctlbyname("security.pax.mprotect.enabled", 77 1.1 jruoho &pax_enabled, &len, NULL, 0); 78 1.1 jruoho 79 1.4 christos return rv == 0; 80 1.1 jruoho } 81 1.1 jruoho 82 1.1 jruoho static bool 83 1.1 jruoho paxset(int global, int enabled) 84 1.1 jruoho { 85 1.1 jruoho size_t len = sizeof(int); 86 1.1 jruoho int rv; 87 1.1 jruoho 88 1.1 jruoho rv = sysctlbyname("security.pax.mprotect.global", 89 1.1 jruoho NULL, NULL, &global, len); 90 1.1 jruoho 91 1.1 jruoho if (rv != 0) 92 1.1 jruoho return false; 93 1.1 jruoho 94 1.1 jruoho rv = sysctlbyname("security.pax.mprotect.enabled", 95 1.1 jruoho NULL, NULL, &enabled, len); 96 1.1 jruoho 97 1.1 jruoho if (rv != 0) 98 1.1 jruoho return false; 99 1.1 jruoho 100 1.1 jruoho return true; 101 1.1 jruoho } 102 1.1 jruoho 103 1.1 jruoho 104 1.1 jruoho ATF_TC_WITH_CLEANUP(mprotect_access); 105 1.1 jruoho ATF_TC_HEAD(mprotect_access, tc) 106 1.1 jruoho { 107 1.1 jruoho atf_tc_set_md_var(tc, "descr", "Test for EACCES from mprotect(2)"); 108 1.1 jruoho } 109 1.1 jruoho 110 1.1 jruoho ATF_TC_BODY(mprotect_access, tc) 111 1.1 jruoho { 112 1.1 jruoho int prot[2] = { PROT_NONE, PROT_READ }; 113 1.1 jruoho void *map; 114 1.1 jruoho size_t i; 115 1.1 jruoho int fd; 116 1.1 jruoho 117 1.1 jruoho fd = open(path, O_RDONLY | O_CREAT); 118 1.1 jruoho ATF_REQUIRE(fd >= 0); 119 1.1 jruoho 120 1.1 jruoho /* 121 1.1 jruoho * The call should fail with EACCES if we try to mark 122 1.1 jruoho * a PROT_NONE or PROT_READ file/section as PROT_WRITE. 123 1.1 jruoho */ 124 1.1 jruoho for (i = 0; i < __arraycount(prot); i++) { 125 1.1 jruoho 126 1.1 jruoho map = mmap(NULL, page, prot[i], MAP_SHARED, fd, 0); 127 1.1 jruoho 128 1.1 jruoho if (map == MAP_FAILED) 129 1.1 jruoho continue; 130 1.1 jruoho 131 1.1 jruoho errno = 0; 132 1.1 jruoho 133 1.1 jruoho ATF_REQUIRE(mprotect(map, page, PROT_WRITE) != 0); 134 1.1 jruoho ATF_REQUIRE(errno == EACCES); 135 1.1 jruoho ATF_REQUIRE(munmap(map, page) == 0); 136 1.1 jruoho } 137 1.1 jruoho 138 1.1 jruoho ATF_REQUIRE(close(fd) == 0); 139 1.1 jruoho } 140 1.1 jruoho 141 1.1 jruoho ATF_TC_CLEANUP(mprotect_access, tc) 142 1.1 jruoho { 143 1.1 jruoho (void)unlink(path); 144 1.1 jruoho } 145 1.1 jruoho 146 1.1 jruoho ATF_TC(mprotect_err); 147 1.1 jruoho ATF_TC_HEAD(mprotect_err, tc) 148 1.1 jruoho { 149 1.1 jruoho atf_tc_set_md_var(tc, "descr", "Test error conditions of mprotect(2)"); 150 1.1 jruoho } 151 1.1 jruoho 152 1.1 jruoho ATF_TC_BODY(mprotect_err, tc) 153 1.1 jruoho { 154 1.1 jruoho errno = 0; 155 1.1 jruoho 156 1.1 jruoho ATF_REQUIRE(mprotect((char *)-1, 1, PROT_READ) != 0); 157 1.1 jruoho ATF_REQUIRE(errno == EINVAL); 158 1.1 jruoho } 159 1.1 jruoho 160 1.2 jym ATF_TC(mprotect_exec); 161 1.2 jym ATF_TC_HEAD(mprotect_exec, tc) 162 1.2 jym { 163 1.2 jym atf_tc_set_md_var(tc, "descr", 164 1.2 jym "Test mprotect(2) executable space protections"); 165 1.2 jym } 166 1.2 jym 167 1.2 jym /* 168 1.2 jym * Trivial function -- should fit into a page 169 1.2 jym */ 170 1.2 jym ATF_TC_BODY(mprotect_exec, tc) 171 1.2 jym { 172 1.2 jym pid_t pid; 173 1.2 jym void *map; 174 1.2 jym int sta, xp_support; 175 1.2 jym 176 1.2 jym xp_support = exec_prot_support(); 177 1.2 jym 178 1.2 jym switch (xp_support) { 179 1.2 jym case NOTIMPL: 180 1.2 jym atf_tc_skip( 181 1.2 jym "Execute protection callback check not implemented"); 182 1.2 jym break; 183 1.2 jym case NO_XP: 184 1.2 jym atf_tc_skip( 185 1.2 jym "Host does not support executable space protection"); 186 1.2 jym break; 187 1.2 jym case PARTIAL_XP: case PERPAGE_XP: default: 188 1.2 jym break; 189 1.2 jym } 190 1.2 jym 191 1.4 christos if (!paxinit()) 192 1.4 christos return; 193 1.4 christos if (pax_enabled == 1 && pax_global == 1) 194 1.4 christos atf_tc_skip("PaX MPROTECT restrictions enabled"); 195 1.4 christos 196 1.4 christos 197 1.2 jym /* 198 1.2 jym * Map a page read/write and copy a trivial assembly function inside. 199 1.2 jym * We will then change the mapping rights: 200 1.2 jym * - first by setting the execution right, and check that we can 201 1.2 jym * call the code found in the allocated page. 202 1.2 jym * - second by removing the execution right. This should generate 203 1.2 jym * a SIGSEGV on architectures that can enforce --x permissions. 204 1.2 jym */ 205 1.2 jym 206 1.2 jym map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0); 207 1.2 jym ATF_REQUIRE(map != MAP_FAILED); 208 1.2 jym 209 1.2 jym memcpy(map, (void *)return_one, 210 1.2 jym (uintptr_t)return_one_end - (uintptr_t)return_one); 211 1.2 jym 212 1.2 jym /* give r-x rights then call code in page */ 213 1.2 jym ATF_REQUIRE(mprotect(map, page, PROT_EXEC|PROT_READ) == 0); 214 1.2 jym ATF_REQUIRE(((int (*)(void))map)() == 1); 215 1.2 jym 216 1.2 jym /* remove --x right */ 217 1.2 jym ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0); 218 1.2 jym 219 1.2 jym pid = fork(); 220 1.2 jym ATF_REQUIRE(pid >= 0); 221 1.2 jym 222 1.2 jym if (pid == 0) { 223 1.2 jym ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR); 224 1.2 jym ATF_CHECK(((int (*)(void))map)() == 1); 225 1.2 jym _exit(0); 226 1.2 jym } 227 1.2 jym 228 1.2 jym (void)wait(&sta); 229 1.2 jym 230 1.3 jym ATF_REQUIRE(munmap(map, page) == 0); 231 1.3 jym 232 1.2 jym ATF_REQUIRE(WIFEXITED(sta) != 0); 233 1.2 jym 234 1.2 jym switch (xp_support) { 235 1.2 jym case PARTIAL_XP: 236 1.3 jym /* Partial protection might fail; skip the test when it does */ 237 1.3 jym if (WEXITSTATUS(sta) != SIGSEGV) { 238 1.3 jym atf_tc_skip("Host only supports " 239 1.3 jym "partial executable space protection"); 240 1.3 jym } 241 1.2 jym break; 242 1.2 jym case PERPAGE_XP: default: 243 1.2 jym /* Per-page --x protection should not fail */ 244 1.2 jym ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV); 245 1.2 jym break; 246 1.2 jym } 247 1.2 jym } 248 1.2 jym 249 1.1 jruoho ATF_TC(mprotect_pax); 250 1.1 jruoho ATF_TC_HEAD(mprotect_pax, tc) 251 1.1 jruoho { 252 1.2 jym atf_tc_set_md_var(tc, "descr", "PaX restrictions and mprotect(2)"); 253 1.1 jruoho atf_tc_set_md_var(tc, "require.user", "root"); 254 1.1 jruoho } 255 1.1 jruoho 256 1.1 jruoho ATF_TC_BODY(mprotect_pax, tc) 257 1.1 jruoho { 258 1.1 jruoho const int prot[4] = { PROT_NONE, PROT_READ, PROT_WRITE }; 259 1.1 jruoho const char *str = NULL; 260 1.1 jruoho void *map; 261 1.1 jruoho size_t i; 262 1.1 jruoho int rv; 263 1.1 jruoho 264 1.4 christos if (!paxinit() || !paxset(1, 1)) 265 1.1 jruoho return; 266 1.1 jruoho 267 1.1 jruoho /* 268 1.1 jruoho * As noted in the original PaX documentation [1], 269 1.1 jruoho * the following restrictions should apply: 270 1.1 jruoho * 271 1.1 jruoho * (1) creating executable anonymous mappings 272 1.1 jruoho * 273 1.1 jruoho * (2) creating executable/writable file mappings 274 1.1 jruoho * 275 1.1 jruoho * (3) making a non-executable mapping executable 276 1.1 jruoho * 277 1.1 jruoho * (4) making an executable/read-only file mapping 278 1.1 jruoho * writable except for performing relocations 279 1.1 jruoho * on an ET_DYN ELF file (non-PIC shared library) 280 1.1 jruoho * 281 1.1 jruoho * The following will test only the case (3). 282 1.1 jruoho * 283 1.1 jruoho * [1] http://pax.grsecurity.net/docs/mprotect.txt 284 1.1 jruoho * 285 1.1 jruoho * (Sun Apr 3 11:06:53 EEST 2011.) 286 1.1 jruoho */ 287 1.1 jruoho for (i = 0; i < __arraycount(prot); i++) { 288 1.1 jruoho 289 1.1 jruoho map = mmap(NULL, page, prot[i], MAP_ANON, -1, 0); 290 1.1 jruoho 291 1.1 jruoho if (map == MAP_FAILED) 292 1.1 jruoho continue; 293 1.1 jruoho 294 1.1 jruoho rv = mprotect(map, 1, prot[i] | PROT_EXEC); 295 1.1 jruoho 296 1.1 jruoho (void)munmap(map, page); 297 1.1 jruoho 298 1.1 jruoho if (rv == 0) { 299 1.1 jruoho str = "non-executable mapping made executable"; 300 1.1 jruoho goto out; 301 1.1 jruoho } 302 1.1 jruoho } 303 1.1 jruoho 304 1.1 jruoho out: 305 1.1 jruoho if (pax_global != -1 && pax_enabled != -1) 306 1.1 jruoho (void)paxset(pax_global, pax_enabled); 307 1.1 jruoho 308 1.1 jruoho if (str != NULL) 309 1.1 jruoho atf_tc_fail("%s", str); 310 1.1 jruoho } 311 1.1 jruoho 312 1.1 jruoho ATF_TC(mprotect_write); 313 1.1 jruoho ATF_TC_HEAD(mprotect_write, tc) 314 1.1 jruoho { 315 1.2 jym atf_tc_set_md_var(tc, "descr", "Test mprotect(2) write protections"); 316 1.1 jruoho } 317 1.1 jruoho 318 1.1 jruoho ATF_TC_BODY(mprotect_write, tc) 319 1.1 jruoho { 320 1.1 jruoho pid_t pid; 321 1.1 jruoho void *map; 322 1.1 jruoho int sta; 323 1.1 jruoho 324 1.1 jruoho /* 325 1.1 jruoho * Map a page read/write, change the protection 326 1.1 jruoho * to read-only with mprotect(2), and try to write 327 1.1 jruoho * to the page. This should generate a SIGSEGV. 328 1.1 jruoho */ 329 1.1 jruoho map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0); 330 1.1 jruoho ATF_REQUIRE(map != MAP_FAILED); 331 1.1 jruoho 332 1.1 jruoho ATF_REQUIRE(strlcpy(map, "XXX", 3) == 3); 333 1.1 jruoho ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0); 334 1.1 jruoho 335 1.1 jruoho pid = fork(); 336 1.1 jruoho ATF_REQUIRE(pid >= 0); 337 1.1 jruoho 338 1.1 jruoho if (pid == 0) { 339 1.1 jruoho ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR); 340 1.1 jruoho ATF_REQUIRE(strlcpy(map, "XXX", 3) == 0); 341 1.1 jruoho } 342 1.1 jruoho 343 1.1 jruoho (void)wait(&sta); 344 1.1 jruoho 345 1.1 jruoho ATF_REQUIRE(WIFEXITED(sta) != 0); 346 1.1 jruoho ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV); 347 1.1 jruoho ATF_REQUIRE(munmap(map, page) == 0); 348 1.1 jruoho } 349 1.1 jruoho 350 1.1 jruoho ATF_TP_ADD_TCS(tp) 351 1.1 jruoho { 352 1.1 jruoho page = sysconf(_SC_PAGESIZE); 353 1.1 jruoho ATF_REQUIRE(page >= 0); 354 1.1 jruoho 355 1.1 jruoho ATF_TP_ADD_TC(tp, mprotect_access); 356 1.1 jruoho ATF_TP_ADD_TC(tp, mprotect_err); 357 1.2 jym ATF_TP_ADD_TC(tp, mprotect_exec); 358 1.1 jruoho ATF_TP_ADD_TC(tp, mprotect_pax); 359 1.1 jruoho ATF_TP_ADD_TC(tp, mprotect_write); 360 1.1 jruoho 361 1.1 jruoho return atf_no_error(); 362 1.1 jruoho } 363
Indexes created Mon Sep 22 21:09:42 GMT 2025