[CFT] New Round of ASLR Patches Against 11-CURRENT

看板FB_hackers作者lattera.時間11年前 (2014/06/23 02:01)推噓0(0推 0噓 0→)

留言0則, 0人參與討論串1/1

--5me2qT3T17SWzdxI Content-Type: multipart/mixed; boundary="+PbGPm1eXpwOoWkI" Content-Disposition: inline --+PbGPm1eXpwOoWkI Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hey All, Attached is a new patch with the latest work regarding our ASLR implementation. Here's what has changed since the last patch distributed on 24 May 2014: Shawn Webb: Sat Jun 21 20:03:07 2014 -0400: PAX SEGVGUARD: Remove segvguard prior to putting in a separate feature branch Thu Jun 19 21:08:37 2014 -0400: PAX ASLR: More style(9) fixes Thu Jun 19 20:59:44 2014 -0400: PAX ASLR: Add PAX_SYSCTLS to sys/conf/NOTES Thu Jun 19 20:48:42 2014 -0400: PAX ASLR: Remove extra NO_PIE/MK_PIE entries that aren't now needed Wed Jun 11 22:07:51 2014 -0400: PAX ASLR: Rollback code cleanup that removed orig_addr from pax_aslr_mmap(). Wed Jun 11 17:54:12 2014 -0400: PAX ASLR: style(9) changes. Grammar fixes. Code cleanup. Fri May 30 18:36:49 2014 -0400: PAX ASLR: Pull in Oliver Pinter's change to add stack randomization Fri May 30 18:36:01 2014 -0400: Update copyright Oliver Pinter: Wed Jun 4 09:39:48 2014 +0200: PAX ASLR: added FEATURE(aslr, ...) to the kernel, and modify ugidfw to use them Wed May 28 00:27:06 2014 +0200: PAX: fix prison0 initialization after my jail modifications Sun May 25 21:20:23 2014 +0200: PAX: show pax settings in dmesg, and validate some value Sun May 25 19:48:44 2014 +0200: PAX ASLR: make security.pax.aslr sysctls optional Sun May 25 19:15:16 2014 +0200: PAX: check proc->p_ucred Sun May 25 19:11:50 2014 +0200: PAX: added PAX_SYSCTLS kernel option Sun May 25 19:10:16 2014 +0200: PAX ASLR: simplify jail handling Sun May 25 19:00:12 2014 +0200: PAX: hook in pax_init_prison at kern_jail_set Thanks, Shawn --+PbGPm1eXpwOoWkI Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="2014-06-21_aslr.patch" Content-Transfer-Encoding: quoted-printable diff --git a/lib/libugidfw/ugidfw.c b/lib/libugidfw/ugidfw.c index 0dc423d..a4a38bc 100644 --- a/lib/libugidfw/ugidfw.c +++ b/lib/libugidfw/ugidfw.c @@ -36,6 +36,9 @@ #include <sys/sysctl.h> #include <sys/ucred.h> #include <sys/mount.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/sysctl.h> =20 #include <security/mac_bsdextended/mac_bsdextended.h> =20 @@ -44,6 +47,8 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <fcntl.h> +#include <unistd.h> =20 #include "ugidfw.h" =20 @@ -329,14 +334,19 @@ bsde_rule_to_string(struct mac_bsdextended_rule *rule= , char *buf, size_t buflen) cur +=3D len; } if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) { - numfs =3D getmntinfo(&mntbuf, MNT_NOWAIT); - for (i =3D 0; i < numfs; i++) - if (memcmp(&(rule->mbr_object.mbo_fsid), - &(mntbuf[i].f_fsid), - sizeof(mntbuf[i].f_fsid)) =3D=3D 0) - break; - len =3D snprintf(cur, left, "filesys %s ", - i =3D=3D numfs ? "???" : mntbuf[i].f_mntonname); + if (rule->mbr_object.mbo_inode =3D=3D 0) { + numfs =3D getmntinfo(&mntbuf, MNT_NOWAIT); + for (i =3D 0; i < numfs; i++) + if (memcmp(&(rule->mbr_object.mbo_fsid), + &(mntbuf[i].f_fsid), + sizeof(mntbuf[i].f_fsid)) =3D=3D 0) + break; + len =3D snprintf(cur, left, "filesys %s ", + i =3D=3D numfs ? "???" : mntbuf[i].f_mntonname); + } else { + len =3D snprintf(cur, left, "filesys %s ", + rule->mbr_object.mbo_paxpath); + } if (len < 0 || len > left) goto truncated; left -=3D len; @@ -500,6 +510,33 @@ bsde_rule_to_string(struct mac_bsdextended_rule *rule,= char *buf, size_t buflen) cur +=3D len; } =20 + if (rule->mbr_pax) { + len =3D snprintf(cur, left, " paxflags "); + if (len < 0 || len > left) + goto truncated; + left -=3D len; + cur +=3D len; + + if (rule->mbr_pax & MBI_FORCE_ASLR_ENABLED) { + len =3D snprintf(cur, left, "A"); + if (len < 0 || len > left) + goto truncated; + + left -=3D len; + cur +=3D len; + } + + if (rule->mbr_pax & MBI_FORCE_ASLR_DISABLED) { + len =3D snprintf(cur, left, "a"); + if (len < 0 || len > left) + goto truncated; + + left -=3D len; + cur +=3D len; + } + + } + return (0); =20 truncated: @@ -507,8 +544,8 @@ truncated: } =20 int -bsde_parse_uidrange(char *spec, uid_t *min, uid_t *max, - size_t buflen, char *errstr){ +bsde_parse_uidrange(char *spec, uid_t *min, uid_t *max, size_t buflen, cha= r *errstr) +{ struct passwd *pwd; uid_t uid1, uid2; char *spec1, *spec2, *endp; @@ -556,8 +593,8 @@ bsde_parse_uidrange(char *spec, uid_t *min, uid_t *max, } =20 int -bsde_parse_gidrange(char *spec, gid_t *min, gid_t *max, - size_t buflen, char *errstr){ +bsde_parse_gidrange(char *spec, gid_t *min, gid_t *max, size_t buflen, cha= r *errstr) +{ struct group *grp; gid_t gid1, gid2; char *spec1, *spec2, *endp; @@ -766,10 +803,15 @@ bsde_parse_type(char *spec, int *type, size_t buflen,= char *errstr) } =20 int -bsde_parse_fsid(char *spec, struct fsid *fsid, size_t buflen, char *errstr) +bsde_parse_fsid(char *spec, struct fsid *fsid, ino_t *inode, size_t buflen= , char *errstr) { size_t len; struct statfs buf; + struct stat sb; + int fd, paxstatus; + size_t bufsz; + + *inode =3D 0; =20 if (statfs(spec, &buf) < 0) { len =3D snprintf(errstr, buflen, "Unable to get id for %s: %s", @@ -779,6 +821,21 @@ bsde_parse_fsid(char *spec, struct fsid *fsid, size_t = buflen, char *errstr) =20 *fsid =3D buf.f_fsid; =20 + if (strcmp(buf.f_fstypename, "devfs") !=3D 0) { + bufsz =3D sizeof(int); + if (!sysctlbyname("kern.features.aslr", &paxstatus, &bufsz, + NULL, 0)) { + fd =3D open(spec, O_RDONLY); + if (fd !=3D -1) { + if (fstat(fd, &sb) =3D=3D 0) + if(S_ISDIR(sb.st_mode) =3D=3D 0) + *inode =3D sb.st_ino; + + close(fd); + } + } + } + return (0); } =20 @@ -852,13 +909,18 @@ bsde_parse_object(int argc, char *argv[], return (-1); } if (bsde_parse_fsid(argv[current+1], &fsid, - buflen, errstr) < 0) + &object->mbo_inode, buflen, errstr) < 0) return (-1); flags |=3D MBO_FSID_DEFINED; if (nextnot) { neg ^=3D MBO_FSID_DEFINED; nextnot =3D 0; } + if (object->mbo_inode) + snprintf(object->mbo_paxpath, MAXPATHLEN, "%s", + argv[current+1]); + else + memset(object->mbo_paxpath, 0x00, MAXPATHLEN); current +=3D 2; } else if (strcmp(argv[current], "suid") =3D=3D 0) { flags |=3D MBO_SUID; @@ -991,12 +1053,48 @@ bsde_parse_mode(int argc, char *argv[], mode_t *mode= , size_t buflen, } =20 int +bsde_parse_paxflags(int argc, char *argv[], uint32_t *pax, size_t buflen, = char *errstr) +{ + size_t len; + int i; + + if (argc =3D=3D 0) { + len =3D snprintf(errstr, buflen, "paxflags expects mode value"); + return (-1); + } + + if (argc !=3D 1) { + len =3D snprintf(errstr, buflen, "'%s' unexpected", argv[1]); + return (-1); + } + + *pax =3D 0; + for (i =3D 0; i < strlen(argv[0]); i++) { + switch (argv[0][i]) { + case 'A': + *pax |=3D MBI_FORCE_ASLR_ENABLED; + break; + case 'a': + *pax |=3D MBI_FORCE_ASLR_DISABLED; + break; + default: + len =3D snprintf(errstr, buflen, "Unknown mode letter: %c", + argv[0][i]); + return (-1); + }=20 + } + + return (0); +} + +int bsde_parse_rule(int argc, char *argv[], struct mac_bsdextended_rule *rule, size_t buflen, char *errstr) { int subject, subject_elements, subject_elements_length; int object, object_elements, object_elements_length; int mode, mode_elements, mode_elements_length; + int paxflags, paxflags_elements, paxflags_elements_length=3D0; int error, i; size_t len; =20 @@ -1037,11 +1135,23 @@ bsde_parse_rule(int argc, char *argv[], struct mac_= bsdextended_rule *rule, return (-1); } =20 + /* Search forward for paxflags */ + paxflags =3D -1; + for (i =3D 1; i < argc; i++) + if (strcmp(argv[i], "paxflags") =3D=3D 0) + paxflags =3D i; + + if (paxflags >=3D 0) { + paxflags_elements =3D paxflags + 1; + paxflags_elements_length =3D argc - paxflags_elements; + } + subject_elements_length =3D object - subject - 1; object_elements =3D object + 1; object_elements_length =3D mode - object_elements; mode_elements =3D mode + 1; - mode_elements_length =3D argc - mode_elements; + mode_elements_length =3D argc - mode_elements - + (paxflags_elements_length ? paxflags_elements_length+1 : 0); =20 error =3D bsde_parse_subject(subject_elements_length, argv + subject_elements, &rule->mbr_subject, buflen, errstr); @@ -1058,6 +1168,13 @@ bsde_parse_rule(int argc, char *argv[], struct mac_b= sdextended_rule *rule, if (error) return (-1); =20 + if (paxflags >=3D 0) { + error =3D bsde_parse_paxflags(paxflags_elements_length, argv + paxflags_= elements, + &rule->mbr_pax, buflen, errstr); + if (error) + return (-1); + } + return (0); } =20 diff --git a/lib/libugidfw/ugidfw.h b/lib/libugidfw/ugidfw.h index 5b7fcf2..cef469c 100644 --- a/lib/libugidfw/ugidfw.h +++ b/lib/libugidfw/ugidfw.h @@ -39,6 +39,8 @@ int bsde_rule_to_string(struct mac_bsdextended_rule *rule= , char *buf, size_t buflen); int bsde_parse_mode(int argc, char *argv[], mode_t *mode, size_t buflen, char *errstr); +int bsde_parse_paxflags(int argc, char *argv[], uint32_t *pax, size_t bufl= en, + char *errstr); int bsde_parse_rule(int argc, char *argv[], struct mac_bsdextended_rule *rule, size_t buflen, char *errstr); int bsde_parse_rule_string(const char *string, diff --git a/sys/amd64/amd64/elf_machdep.c b/sys/amd64/amd64/elf_machdep.c index fdc4d56..ffb5e31 100644 --- a/sys/amd64/amd64/elf_machdep.c +++ b/sys/amd64/amd64/elf_machdep.c @@ -26,12 +26,17 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> #include <sys/exec.h> #include <sys/imgact.h> #include <sys/linker.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/proc.h> #include <sys/sysent.h> #include <sys/imgact_elf.h> @@ -81,6 +86,11 @@ struct sysentvec elf64_freebsd_sysvec =3D { .sv_shared_page_base =3D SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf64_sysvec, &elf64_freebsd_sysvec); =20 diff --git a/sys/amd64/include/vmparam.h b/sys/amd64/include/vmparam.h index bda9722..5e83a8f 100644 --- a/sys/amd64/include/vmparam.h +++ b/sys/amd64/include/vmparam.h @@ -170,7 +170,7 @@ #define VM_MAXUSER_ADDRESS UVADDR(NUPML4E, 0, 0, 0) =20 #define SHAREDPAGE (VM_MAXUSER_ADDRESS - PAGE_SIZE) -#define USRSTACK SHAREDPAGE +#define USRSTACK (SHAREDPAGE - 4*PAGE_SIZE) =20 #define VM_MAX_ADDRESS UPT_MAX_ADDRESS #define VM_MIN_ADDRESS (0) diff --git a/sys/amd64/linux32/linux32_sysvec.c b/sys/amd64/linux32/linux32= _sysvec.c index c06ce11..f4f99f58 100644 --- a/sys/amd64/linux32/linux32_sysvec.c +++ b/sys/amd64/linux32/linux32_sysvec.c @@ -33,6 +33,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); #include "opt_compat.h" +#include "opt_pax.h" =20 #ifndef COMPAT_FREEBSD32 #error "Unable to compile Linux-emulator due to missing COMPAT_FREEBSD32 o= ption!" @@ -84,6 +85,10 @@ __FBSDID("$FreeBSD$"); #include <compat/linux/linux_signal.h> #include <compat/linux/linux_util.h> =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + MODULE_VERSION(linux, 1); =20 MALLOC_DEFINE(M_LINUX, "linux", "Linux mode structures"); @@ -1037,6 +1042,11 @@ struct sysentvec elf_linux_sysvec =3D { .sv_shared_page_base =3D LINUX32_SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D linux_schedtail, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init32, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf_sysvec, &elf_linux_sysvec); =20 diff --git a/sys/arm/arm/elf_machdep.c b/sys/arm/arm/elf_machdep.c index 8ef9bd4..26e37e6 100644 --- a/sys/arm/arm/elf_machdep.c +++ b/sys/arm/arm/elf_machdep.c @@ -26,6 +26,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> @@ -46,6 +48,10 @@ __FBSDID("$FreeBSD$"); #include <machine/elf.h> #include <machine/md_var.h> =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + struct sysentvec elf32_freebsd_sysvec =3D { .sv_size =3D SYS_MAXSYSCALL, .sv_table =3D sysent, @@ -79,6 +85,11 @@ struct sysentvec elf32_freebsd_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D syscallnames, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; =20 static Elf32_Brandinfo freebsd_brand_info =3D { diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/f= reebsd32_misc.c index 68e761b..96a81d9 100644 --- a/sys/compat/freebsd32/freebsd32_misc.c +++ b/sys/compat/freebsd32/freebsd32_misc.c @@ -30,6 +30,7 @@ __FBSDID("$FreeBSD$"); #include "opt_compat.h" #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_pax.h" =20 #define __ELF_WORD_SIZE 32 =20 @@ -113,6 +114,10 @@ __FBSDID("$FreeBSD$"); =20 FEATURE(compat_freebsd_32bit, "Compatible with 32-bit FreeBSD"); =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + #ifndef __mips__ CTASSERT(sizeof(struct timeval32) =3D=3D 8); CTASSERT(sizeof(struct timespec32) =3D=3D 8); @@ -2886,6 +2891,10 @@ freebsd32_copyout_strings(struct image_params *imgp) szsigcode =3D 0; destp =3D (uintptr_t)arginfo; =20 +#ifdef PAX_ASLR + pax_aslr_stack(curthread, &destp); +#endif + /* * install sigcode */ diff --git a/sys/compat/ia32/ia32_sysvec.c b/sys/compat/ia32/ia32_sysvec.c index a8e52e8..ade8da5 100644 --- a/sys/compat/ia32/ia32_sysvec.c +++ b/sys/compat/ia32/ia32_sysvec.c @@ -29,6 +29,7 @@ __FBSDID("$FreeBSD$"); =20 #include "opt_compat.h" +#include "opt_pax.h" =20 #define __ELF_WORD_SIZE 32 =20 @@ -74,6 +75,10 @@ __FBSDID("$FreeBSD$"); #include <machine/pcb.h> #include <machine/cpufunc.h> =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + CTASSERT(sizeof(struct ia32_mcontext) =3D=3D 640); CTASSERT(sizeof(struct ia32_ucontext) =3D=3D 704); CTASSERT(sizeof(struct ia32_sigframe) =3D=3D 800); @@ -139,6 +144,11 @@ struct sysentvec ia32_freebsd_sysvec =3D { .sv_shared_page_base =3D FREEBSD32_SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init32, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf_ia32_sysvec, &ia32_freebsd_sysvec); =20 diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 4d27713..671ef83 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -2972,3 +2972,7 @@ options RANDOM_RWFILE # Read and write entropy cache =20 # Module to enable execution of application via emulators like QEMU options IMAGACT_BINMISC + +# Address Space Layout Randomization (ASLR) +options PAX_ASLR +options PAX_SYSCTLS diff --git a/sys/conf/files b/sys/conf/files index cc907c50..1e73c88 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -2907,6 +2907,9 @@ kern/kern_mtxpool.c standard kern/kern_mutex.c standard kern/kern_ntptime.c standard kern/kern_osd.c standard +kern/kern_pax.c optional pax_aslr +kern/kern_pax_aslr.c optional pax_aslr +kern/kern_pax_log.c optional pax_aslr kern/kern_physio.c standard kern/kern_pmc.c standard kern/kern_poll.c optional device_polling diff --git a/sys/conf/options b/sys/conf/options index 32fb4d4..6e81e4e 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -916,6 +916,12 @@ RACCT opt_global.h # Resource Limits RCTL opt_global.h =20 +# PaX - hardening options +PAX_ASLR opt_pax.h +PAX_ASLR_MAX_SEC opt_pax.h +PAX_MPROTECT opt_pax.h +PAX_SYSCTLS opt_pax.h + # Random number generator(s) RANDOM_YARROW opt_random.h RANDOM_FORTUNA opt_random.h diff --git a/sys/i386/i386/elf_machdep.c b/sys/i386/i386/elf_machdep.c index 034b4c4..9571252 100644 --- a/sys/i386/i386/elf_machdep.c +++ b/sys/i386/i386/elf_machdep.c @@ -26,6 +26,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> @@ -46,6 +48,10 @@ __FBSDID("$FreeBSD$"); #include <machine/elf.h> #include <machine/md_var.h> =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + struct sysentvec elf32_freebsd_sysvec =3D { .sv_size =3D SYS_MAXSYSCALL, .sv_table =3D sysent, @@ -81,6 +87,11 @@ struct sysentvec elf32_freebsd_sysvec =3D { .sv_shared_page_base =3D SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec); =20 diff --git a/sys/i386/ibcs2/ibcs2_sysvec.c b/sys/i386/ibcs2/ibcs2_sysvec.c index 5d007c7..1bb9d89 100644 --- a/sys/i386/ibcs2/ibcs2_sysvec.c +++ b/sys/i386/ibcs2/ibcs2_sysvec.c @@ -31,6 +31,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> @@ -50,6 +52,10 @@ __FBSDID("$FreeBSD$"); #include <i386/ibcs2/ibcs2_syscall.h> #include <i386/ibcs2/ibcs2_signal.h> =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + MODULE_VERSION(ibcs2, 1); =20 extern int bsd_to_ibcs2_errno[]; @@ -89,6 +95,11 @@ struct sysentvec ibcs2_svr3_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D NULL, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, /* XXXOP */ +#else + .sv_pax_aslr_init =3D NULL, +#endif }; =20 static int diff --git a/sys/i386/linux/linux_sysvec.c b/sys/i386/linux/linux_sysvec.c index 0ad6791..403070c 100644 --- a/sys/i386/linux/linux_sysvec.c +++ b/sys/i386/linux/linux_sysvec.c @@ -29,6 +29,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include <sys/param.h> #include <sys/systm.h> #include <sys/exec.h> @@ -72,6 +74,10 @@ __FBSDID("$FreeBSD$"); #include <compat/linux/linux_signal.h> #include <compat/linux/linux_util.h> =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + MODULE_VERSION(linux, 1); =20 MALLOC_DEFINE(M_LINUX, "linux", "Linux mode structures"); @@ -974,6 +980,11 @@ struct sysentvec linux_sysvec =3D { .sv_shared_page_base =3D LINUX_SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D linux_schedtail, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, /* XXXOP */ +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(aout_sysvec, &linux_sysvec); =20 @@ -1012,6 +1023,11 @@ struct sysentvec elf_linux_sysvec =3D { .sv_shared_page_base =3D LINUX_SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D linux_schedtail, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf_sysvec, &elf_linux_sysvec); =20 diff --git a/sys/ia64/ia64/elf_machdep.c b/sys/ia64/ia64/elf_machdep.c index 05cb641..e3d19c1 100644 --- a/sys/ia64/ia64/elf_machdep.c +++ b/sys/ia64/ia64/elf_machdep.c @@ -25,6 +25,8 @@ * $FreeBSD$ */ =20 +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> @@ -49,6 +51,10 @@ #include <machine/md_var.h> #include <machine/unwind.h> =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + Elf_Addr link_elf_get_gp(linker_file_t); =20 extern Elf_Addr fptr_storage[]; @@ -86,6 +92,12 @@ struct sysentvec elf64_freebsd_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D syscallnames, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif + }; =20 static Elf64_Brandinfo freebsd_brand_info =3D { diff --git a/sys/kern/imgact_aout.c b/sys/kern/imgact_aout.c index 3ae78de..aac03f1 100644 --- a/sys/kern/imgact_aout.c +++ b/sys/kern/imgact_aout.c @@ -27,6 +27,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include <sys/param.h> #include <sys/exec.h> #include <sys/imgact.h> @@ -62,6 +64,10 @@ __FBSDID("$FreeBSD$"); #include <compat/ia32/ia32_signal.h> #endif =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + static int exec_aout_imgact(struct image_params *imgp); static int aout_fixup(register_t **stack_base, struct image_params *imgp); =20 @@ -99,6 +105,11 @@ struct sysentvec aout_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D syscallnames, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, /* XXXOP */ +#else + .sv_pax_aslr_init =3D NULL, +#endif }; =20 #elif defined(__amd64__) @@ -143,6 +154,11 @@ struct sysentvec aout_sysvec =3D { .sv_set_syscall_retval =3D ia32_set_syscall_retval, .sv_fetch_syscall_args =3D ia32_fetch_syscall_args, .sv_syscallnames =3D freebsd32_syscallnames, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init32, /* XXXOP */ +#else + .sv_pax_aslr_init =3D NULL, +#endif }; #else #error "Port me" diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index 591094e..d0e01d3 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -34,6 +34,7 @@ __FBSDID("$FreeBSD$"); #include "opt_capsicum.h" #include "opt_compat.h" #include "opt_core.h" +#include "opt_pax.h" =20 #include <sys/param.h> #include <sys/capsicum.h> @@ -48,6 +49,7 @@ __FBSDID("$FreeBSD$"); #include <sys/mman.h> #include <sys/namei.h> #include <sys/pioctl.h> +#include <sys/jail.h> #include <sys/proc.h> #include <sys/procfs.h> #include <sys/racct.h> @@ -81,6 +83,10 @@ __FBSDID("$FreeBSD$"); #include <machine/elf.h> #include <machine/md_var.h> =20 +#if defined(PAX_ASLR) +#include <sys/pax.h> +#endif + #define ELF_NOTE_ROUNDSIZE 4 #define OLD_EI_BRAND 8 =20 @@ -655,16 +661,16 @@ __elfN(load_file)(struct proc *p, const char *file, u= _long *addr, hdr =3D (const Elf_Ehdr *)imgp->image_header; if ((error =3D __elfN(check_header)(hdr)) !=3D 0) goto fail; - if (hdr->e_type =3D=3D ET_DYN) + if (hdr->e_type =3D=3D ET_DYN) { rbase =3D *addr; - else if (hdr->e_type =3D=3D ET_EXEC) + } else if (hdr->e_type =3D=3D ET_EXEC) { rbase =3D 0; - else { + } else { error =3D ENOEXEC; goto fail; } =20 - /* Only support headers that fit within first page for now */ + /* Only support headers that fit within first page for now */ if ((hdr->e_phoff > PAGE_SIZE) || (u_int)hdr->e_phentsize * hdr->e_phnum > PAGE_SIZE - hdr->e_phoff) { error =3D ENOEXEC; @@ -789,16 +795,7 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *i= mgp) if (hdr->e_type =3D=3D ET_DYN) { if ((brand_info->flags & BI_CAN_EXEC_DYN) =3D=3D 0) return (ENOEXEC); - /* - * Honour the base load address from the dso if it is - * non-zero for some reason. - */ - if (baddr =3D=3D 0) - et_dyn_addr =3D ET_DYN_LOAD_ADDR; - else - et_dyn_addr =3D 0; - } else - et_dyn_addr =3D 0; + } sv =3D brand_info->sysvec; if (interp !=3D NULL && brand_info->interp_newpath !=3D NULL) newinterp =3D brand_info->interp_newpath; @@ -819,6 +816,25 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *i= mgp) error =3D exec_new_vmspace(imgp, sv); imgp->proc->p_sysent =3D sv; =20 +#if defined(PAX_MPROTECT) || defined(PAX_ASLR) + pax_elf(imgp, 0); +#endif + + et_dyn_addr =3D 0; + if (hdr->e_type =3D=3D ET_DYN) { + /* + * Honour the base load address from the dso if it is + * non-zero for some reason. + */ + if (baddr =3D=3D 0) { + et_dyn_addr =3D ET_DYN_LOAD_ADDR; +#ifdef PAX_ASLR + if (pax_aslr_active(NULL, imgp->proc)) + et_dyn_addr +=3D imgp->proc->p_vmspace->vm_aslr_delta_exec; +#endif + } + } + vn_lock(imgp->vp, LK_EXCLUSIVE | LK_RETRY); if (error) return (error); diff --git a/sys/kern/init_main.c b/sys/kern/init_main.c index 141d438..9301b57 100644 --- a/sys/kern/init_main.c +++ b/sys/kern/init_main.c @@ -410,6 +410,7 @@ struct sysentvec null_sysvec =3D { .sv_fetch_syscall_args =3D null_fetch_syscall_args, .sv_syscallnames =3D NULL, .sv_schedtail =3D NULL, + .sv_pax_aslr_init =3D NULL, }; =20 /* diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 667715e..24caccc 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -30,6 +30,7 @@ __FBSDID("$FreeBSD$"); #include "opt_capsicum.h" #include "opt_hwpmc_hooks.h" #include "opt_ktrace.h" +#include "opt_pax.h" #include "opt_vm.h" =20 #include <sys/param.h> @@ -94,6 +95,10 @@ __FBSDID("$FreeBSD$"); dtrace_execexit_func_t dtrace_fasttrap_exec; #endif =20 +#if defined(PAX_ASLR) +#include <sys/pax.h> +#endif + SDT_PROVIDER_DECLARE(proc); SDT_PROBE_DEFINE1(proc, kernel, , exec, "char *"); SDT_PROBE_DEFINE1(proc, kernel, , exec__failure, "int"); @@ -404,6 +409,7 @@ do_execve(td, args, mac_p) imgp->pagesizes =3D 0; imgp->pagesizeslen =3D 0; imgp->stack_prot =3D 0; + imgp->pax_flags =3D 0; =20 #ifdef MAC error =3D mac_execve_enter(imgp, mac_p); @@ -1064,6 +1070,10 @@ exec_new_vmspace(imgp, sv) map =3D &vmspace->vm_map; } =20 +#ifdef PAX_ASLR + pax_aslr_init(curthread, imgp); +#endif + /* Map a shared page */ obj =3D sv->sv_shared_page_obj; if (obj !=3D NULL) { @@ -1107,6 +1117,9 @@ exec_new_vmspace(imgp, sv) */ vmspace->vm_ssize =3D sgrowsiz >> PAGE_SHIFT; vmspace->vm_maxsaddr =3D (char *)sv->sv_usrstack - ssiz; +#ifdef PAX_ASLR + vmspace->vm_maxsaddr -=3D vmspace->vm_aslr_delta_stack; +#endif =20 return (0); } @@ -1266,6 +1279,9 @@ exec_copyout_strings(imgp) szsigcode =3D *(p->p_sysent->sv_szsigcode); } destp =3D (uintptr_t)arginfo; +#ifdef PAX_ASLR + pax_aslr_stack(curthread, &destp); +#endif =20 /* * install sigcode diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c index b3d9c24..3cd85d8 100644 --- a/sys/kern/kern_fork.c +++ b/sys/kern/kern_fork.c @@ -513,6 +513,11 @@ do_fork(struct thread *td, int flags, struct proc *p2,= struct thread *td2, } =20 /* + * XXXOP: this is the right place? + */ + p2->p_pax =3D p1->p_pax; + + /* * p_limit is copy-on-write. Bump its refcount. */ lim_fork(p1, p2); diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 47cd568..d9036bd 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$"); #include "opt_ddb.h" #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_pax.h" =20 #include <sys/param.h> #include <sys/types.h> @@ -74,6 +75,10 @@ __FBSDID("$FreeBSD$"); #endif /* INET6 */ #endif /* DDB */ =20 +#if defined(PAX_ASLR) +#include <sys/pax.h> +#endif + #include <security/mac/mac_framework.h> =20 #define DEFAULT_HOSTUUID "00000000-0000-0000-0000-000000000000" @@ -117,6 +122,10 @@ struct prison prison0 =3D { }; MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF); =20 +#if defined(PAX_ASLR) +SYSINIT(pax, SI_SUB_PAX, SI_ORDER_MIDDLE, pax_init_prison, (void *) &priso= n0); +#endif + /* allprison, allprison_racct and lastprid are protected by allprison_lock= =2E */ struct sx allprison_lock; SX_SYSINIT(allprison_lock, &allprison_lock, "allprison"); @@ -1307,6 +1316,10 @@ kern_jail_set(struct thread *td, struct uio *optuio,= int flags) goto done_releroot; } =20 +#if defined(PAX_ASLR) + pax_init_prison(pr); +#endif + mtx_lock(&pr->pr_mtx); /* * New prisons do not yet have a reference, because we do not diff --git a/sys/kern/kern_pax.c b/sys/kern/kern_pax.c new file mode 100644 index 0000000..1bd5ad0 --- /dev/null +++ b/sys/kern/kern_pax.c @@ -0,0 +1,214 @@ +/*- + * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org> + * Copyright (c) 2013-2014, by Oliver Pinter <oliver.pntr at gmail.com> + * Copyright (c) 2014, by Shawn Webb <lattera at gmail.com> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTI= ES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF US= E, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include "opt_compat.h" +#include "opt_pax.h" + +#include <sys/param.h> +#include <sys/systm.h> +#include <sys/kernel.h> +#include <sys/imgact.h> +#include <sys/imgact_elf.h> +#include <sys/lock.h> +#include <sys/mutex.h> +#include <sys/sysent.h> +#include <sys/stat.h> +#include <sys/proc.h> +#include <sys/elf_common.h> +#include <sys/mount.h> +#include <sys/sysctl.h> +#include <sys/vnode.h> +#include <sys/queue.h> +#include <sys/libkern.h> +#include <sys/jail.h> + +#include <sys/mman.h> +#include <sys/libkern.h> +#include <sys/exec.h> +#include <sys/kthread.h> + +#include <sys/syslimits.h> +#include <sys/param.h> + +#include <vm/pmap.h> +#include <vm/vm_map.h> +#include <vm/vm_extern.h> + +#include <machine/elf.h> + +#include <sys/pax.h> + +#include <security/mac_bsdextended/mac_bsdextended.h> + +SYSCTL_NODE(_security, OID_AUTO, pax, CTLFLAG_RD, 0, + "PaX (exploit mitigation) features."); + +struct prison * +pax_get_prison(struct thread *td, struct proc *proc) +{ + + if (td !=3D NULL) { + if ((td->td_proc !=3D NULL) && (td->td_proc->p_ucred !=3D NULL)) + return (td->td_proc->p_ucred->cr_prison); + + return (NULL); + } + if ((proc =3D=3D NULL) || (proc->p_ucred =3D=3D NULL)) + return (NULL); + + return (proc->p_ucred->cr_prison); +} + +void +pax_elf(struct image_params *imgp, uint32_t mode) +{ + u_int flags =3D 0; + + if ((mode & MBI_ALLPAX) =3D=3D MBI_ALLPAX) + goto end; + + if (mode & MBI_FORCE_ASLR_ENABLED) + flags |=3D PAX_NOTE_ASLR; + else if (mode & MBI_FORCE_ASLR_DISABLED) + flags |=3D PAX_NOTE_NOASLR; + +end: + if (imgp !=3D NULL) { + imgp->pax_flags =3D flags; + if (imgp->proc !=3D NULL) { + PROC_LOCK(imgp->proc); + imgp->proc->p_pax =3D flags; + PROC_UNLOCK(imgp->proc); + } + } +} + + +/* + * print out PaX settings on boot time, and validate some of them + */ +void +pax_init(void) +{ +#if defined(PAX_ASLR) + const char *status_str[] =3D { + [0] =3D "disabled", + [1] =3D "opt-in", + [2] =3D "opt-out", + [3] =3D "force enabled", + [4] =3D "UNKNOWN -> changed to \"force enabled\"" + }; +#endif + +#ifdef PAX_ASLR + switch (pax_aslr_status) { + case 0: + case 1: + case 2: + case 3: + break; + default: + printf("[PAX ASLR] WARNING, invalid PAX settings in loader.conf!" + " (pax_aslr_status =3D %d)\n", pax_aslr_status); + pax_aslr_status =3D 3; + break; + } + printf("[PAX ASLR] status: %s\n", status_str[pax_aslr_status]); + printf("[PAX ASLR] mmap: %d bit\n", pax_aslr_mmap_len); + printf("[PAX ASLR] exec base: %d bit\n", pax_aslr_exec_len); + printf("[PAX ASLR] stack: %d bit\n", pax_aslr_stack_len); + +#ifdef COMPAT_FREEBSD32 + switch (pax_aslr_compat_status) { + case 0: + case 1: + case 2: + case 3: + break; + default: + printf("[PAX ASLR (compat)] WARNING, invalid PAX settings in loader.conf= ! " + "(pax_aslr_compat_status =3D %d)\n", pax_aslr_compat_status); + pax_aslr_compat_status =3D 3; + break; + } + printf("[PAX ASLR (compat)] status: %s\n", status_str[pax_aslr_compat_sta= tus]); + printf("[PAX ASLR (compat)] mmap: %d bit\n", pax_aslr_compat_mmap_len); + printf("[PAX ASLR (compat)] exec base: %d bit\n", pax_aslr_compat_exec_le= n); + printf("[PAX ASLR (compat)] stack: %d bit\n", pax_aslr_compat_stack_len); +#endif /* COMPAT_FREEBSD32 */ +#endif /* PAX_ASLR */ + + printf("[PAX LOG] logging to system: %d\n", pax_log_log); + printf("[PAX LOG] logging to user: %d\n", pax_log_ulog); +} +SYSINIT(pax, SI_SUB_PAX, SI_ORDER_FIRST, pax_init, NULL); + +void +pax_init_prison(struct prison *pr) +{ + + if (pr =3D=3D NULL) + return; + + if (pr->pr_pax_set) + return; + + mtx_lock(&(pr->pr_mtx)); + + if (pax_aslr_debug) + uprintf("[PaX ASLR] %s: Setting prison %s ASLR variables\n", + __func__, pr->pr_name); + +#ifdef PAX_ASLR + pr->pr_pax_aslr_status =3D pax_aslr_status; + pr->pr_pax_aslr_debug =3D pax_aslr_debug; + pr->pr_pax_aslr_mmap_len =3D pax_aslr_mmap_len; + pr->pr_pax_aslr_stack_len =3D pax_aslr_stack_len; + pr->pr_pax_aslr_exec_len =3D pax_aslr_exec_len; + +#ifdef COMPAT_FREEBSD32 + pr->pr_pax_aslr_compat_status =3D pax_aslr_compat_status; + pr->pr_pax_aslr_compat_mmap_len =3D pax_aslr_compat_mmap_len; + pr->pr_pax_aslr_compat_stack_len =3D pax_aslr_compat_stack_len; + pr->pr_pax_aslr_compat_exec_len =3D pax_aslr_compat_exec_len; +#endif /* COMPAT_FREEBSD32 */ +#endif /* PAX_ASLR */ + + pr->pr_pax_log_log =3D pax_log_log; + pr->pr_pax_log_ulog =3D pax_log_ulog; + + pr->pr_pax_set =3D 1; + + mtx_unlock(&(pr->pr_mtx)); +} diff --git a/sys/kern/kern_pax_aslr.c b/sys/kern/kern_pax_aslr.c new file mode 100644 index 0000000..4b5e8dd --- /dev/null +++ b/sys/kern/kern_pax_aslr.c @@ -0,0 +1,685 @@ +/*- + * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org> + * Copyright (c) 2013-2014, by Oliver Pinter <oliver.pntr at gmail.com> + * Copyright (c) 2014, by Shawn Webb <lattera at gmail.com> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTI= ES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF US= E, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include "opt_compat.h" +#include "opt_pax.h" + +#include <sys/param.h> +#include <sys/systm.h> +#include <sys/kernel.h> +#include <sys/imgact.h> +#include <sys/imgact_elf.h> +#include <sys/sysent.h> +#include <sys/stat.h> +#include <sys/proc.h> +#include <sys/elf_common.h> +#include <sys/mount.h> +#include <sys/sysctl.h> +#include <sys/vnode.h> +#include <sys/queue.h> +#include <sys/libkern.h> +#include <sys/jail.h> + +#include <sys/mman.h> +#include <sys/libkern.h> +#include <sys/exec.h> +#include <sys/kthread.h> + +#include <vm/pmap.h> +#include <vm/vm_map.h> +#include <vm/vm_extern.h> + +#include <machine/elf.h> + +#include <sys/pax.h> + +FEATURE(aslr, "Address Space Layout Randomization."); + +int pax_aslr_status =3D PAX_ASLR_OPTOUT; +int pax_aslr_debug =3D 0; + +#ifdef PAX_ASLR_MAX_SEC +int pax_aslr_mmap_len =3D PAX_ASLR_DELTA_MMAP_MAX_LEN; +int pax_aslr_stack_len =3D PAX_ASLR_DELTA_STACK_MAX_LEN; +int pax_aslr_exec_len =3D PAX_ASLR_DELTA_EXEC_MAX_LEN; +#else +int pax_aslr_mmap_len =3D PAX_ASLR_DELTA_MMAP_DEF_LEN; +int pax_aslr_stack_len =3D PAX_ASLR_DELTA_STACK_DEF_LEN; +int pax_aslr_exec_len =3D PAX_ASLR_DELTA_EXEC_DEF_LEN; +#endif /* PAX_ASLR_MAX_SEC */ + +#ifdef COMPAT_FREEBSD32 +int pax_aslr_compat_status =3D PAX_ASLR_OPTOUT; +#ifdef PAX_ASLR_MAX_SEC +int pax_aslr_compat_mmap_len =3D PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN; +int pax_aslr_compat_stack_len =3D PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN; +int pax_aslr_compat_exec_len =3D PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN; +#else +int pax_aslr_compat_mmap_len =3D PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN; +int pax_aslr_compat_stack_len =3D PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN; +int pax_aslr_compat_exec_len =3D PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN; +#endif /* PAX_ASLR_MAX_SEC */ +#endif /* COMPAT_FREEBSD32 */ + +TUNABLE_INT("security.pax.aslr.status", &pax_aslr_status); +TUNABLE_INT("security.pax.aslr.mmap_len", &pax_aslr_mmap_len); +TUNABLE_INT("security.pax.aslr.debug", &pax_aslr_debug); +TUNABLE_INT("security.pax.aslr.stack_len", &pax_aslr_stack_len); +TUNABLE_INT("security.pax.aslr.exec_len", &pax_aslr_exec_len); +#ifdef COMPAT_FREEBSD32 +TUNABLE_INT("security.pax.aslr.compat.status", &pax_aslr_compat_status); +TUNABLE_INT("security.pax.aslr.compat.mmap", &pax_aslr_compat_mmap_len); +TUNABLE_INT("security.pax.aslr.compat.stack", &pax_aslr_compat_stack_len); +TUNABLE_INT("security.pax.aslr.compat.stack", &pax_aslr_compat_exec_len); +#endif + + +#ifdef PAX_SYSCTLS +/* + * sysctls and tunables + */ +static int sysctl_pax_aslr_debug(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_status(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_mmap(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_stack(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_exec(SYSCTL_HANDLER_ARGS); + +SYSCTL_DECL(_security_pax); + +SYSCTL_NODE(_security_pax, OID_AUTO, aslr, CTLFLAG_RD, 0, + "Address Space Layout Randomization."); + +SYSCTL_PROC(_security_pax_aslr, OID_AUTO, status, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE, + NULL, 0, sysctl_pax_aslr_status, "I", + "Restrictions status. " + "0 - disabled, " + "1 - opt-in, " + "2 - opt-out, " + "3 - force enabled"); + +SYSCTL_PROC(_security_pax_aslr, OID_AUTO, debug, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE, + NULL, 0, sysctl_pax_aslr_debug, "I", + "ASLR debug mode"); + +SYSCTL_PROC(_security_pax_aslr, OID_AUTO, mmap_len, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE, + NULL, 0, sysctl_pax_aslr_mmap, "I", + "Number of bits randomized for mmap(2) calls. " + "32 bit: [8,16] 64 bit: [16,32]"); + +SYSCTL_PROC(_security_pax_aslr, OID_AUTO, stack_len, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE, + NULL, 0, sysctl_pax_aslr_stack, "I", + "Number of bits randomized for the stack. " + "32 bit: [6,12] 64 bit: [12,21]"); + +SYSCTL_PROC(_security_pax_aslr, OID_AUTO, exec_len, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE, + NULL, 0, sysctl_pax_aslr_exec, "I", + "Number of bits randomized for the PIE exec base. " + "32 bit: [6,12] 64 bit: [12,21]"); + +static int +sysctl_pax_aslr_status(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_status : pax_aslr_status; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || (req->newptr =3D=3D NULL)) + return (err); + + switch (val) { + case PAX_ASLR_DISABLED: + case PAX_ASLR_OPTIN: + case PAX_ASLR_OPTOUT: + case PAX_ASLR_FORCE_ENABLED: + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_status =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_status =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + break; + default: + return (EINVAL); + } + + return (0); +} + +static int +sysctl_pax_aslr_debug(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr=3DNULL; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + if ((pr !=3D NULL) && !(pr->pr_pax_set)) + pax_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_debug : pax_aslr_debug; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + switch (val) { + case 0: + case 1: + break; + default: + return (EINVAL); + + } + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_debug =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_debug =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + + return (0); +} + +static int +sysctl_pax_aslr_mmap(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr=3DNULL; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + if ((pr !=3D NULL) && !(pr->pr_pax_set)) + pax_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_mmap_len : pax_aslr_mmap_len; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_DELTA_MMAP_MIN_LEN || + val > PAX_ASLR_DELTA_MMAP_MAX_LEN) + return (EINVAL); + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_mmap_len =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_mmap_len =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + + return (0); +} + +static int +sysctl_pax_aslr_stack(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr=3DNULL; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + if ((pr !=3D NULL) && !(pr->pr_pax_set)) + pax_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_stack_len : pax_aslr_stack_len; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_DELTA_STACK_MIN_LEN || + val > PAX_ASLR_DELTA_STACK_MAX_LEN) + return (EINVAL); + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_stack_len =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_stack_len =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + + return (0); +} + +static int +sysctl_pax_aslr_exec(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr=3DNULL; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + if ((pr !=3D NULL) && !(pr->pr_pax_set)) + pax_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_exec_len : pax_aslr_exec_len; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || (req->newptr =3D=3D NULL)) + return (err); + + if (val < PAX_ASLR_DELTA_EXEC_MIN_LEN || + val > PAX_ASLR_DELTA_EXEC_MAX_LEN) + return (EINVAL); + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_exec_len =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_exec_len =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + + return (0); +} + +/* + * COMPAT_FREEBSD32 and linuxulator.. + */ +#ifdef COMPAT_FREEBSD32 +static int sysctl_pax_aslr_compat_status(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_compat_mmap(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_compat_stack(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_compat_exec(SYSCTL_HANDLER_ARGS); + +SYSCTL_NODE(_security_pax_aslr, OID_AUTO, compat, CTLFLAG_RD, 0, + "Setting for COMPAT_FREEBSD32 and linuxulator."); + +SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, status, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_compat_status, "I", + "Restrictions status. " + "0 - disabled, " + "1 - enabled, " + "2 - global enabled, " + "3 - force global enabled"); + +SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, mmap_len, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_compat_mmap, "I", + "Number of bits randomized for mmap(2) calls. " + "32 bit: [8,16]"); + +SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, stack_len, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_compat_stack, "I", + "Number of bits randomized for the stack. " + "32 bit: [6,12]"); + +SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, exec_len, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_compat_exec, "I", + "Number of bits randomized for the PIE exec base. " + "32 bit: [6,12]"); + +static int +sysctl_pax_aslr_compat_status(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + val =3D (pr !=3D NULL) ?pr->pr_pax_aslr_compat_status : pax_aslr_compat_s= tatus; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || (req->newptr =3D=3D NULL)) + return (err); + + switch (val) { + case PAX_ASLR_DISABLED: + case PAX_ASLR_OPTIN: + case PAX_ASLR_OPTOUT: + case PAX_ASLR_FORCE_ENABLED: + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_compat_status =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_compat_status =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + break; + default: + return (EINVAL); + } + + return (0); +} + +static int +sysctl_pax_aslr_compat_mmap(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_compat_mmap_len : pax_aslr_compa= t_mmap_len; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN || + val > PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN) + return (EINVAL); + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_compat_mmap_len =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_compat_mmap_len =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + + return (0); +} + +static int +sysctl_pax_aslr_compat_stack(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_compat_stack_len : pax_aslr_comp= at_stack_len; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN || + val > PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN) + return (EINVAL); + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_compat_stack_len =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_compat_stack_len =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + + return (0); +} + +static int +sysctl_pax_aslr_compat_exec(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + if (pr !=3D NULL) + val =3D pr->pr_pax_aslr_compat_exec_len; + else + val =3D pax_aslr_compat_exec_len; + + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN || + val > PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN) + return (EINVAL); + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_compat_exec_len =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_compat_exec_len =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + + return (0); +} + +#endif /* COMPAT_FREEBSD32 */ +#endif /* PAX_SYSCTLS */ + + +/* + * ASLR functions + */ +bool +pax_aslr_active(struct thread *td, struct proc *proc) +{ + int status; + struct prison *pr; + uint32_t flags; + + if ((td =3D=3D NULL) && (proc =3D=3D NULL)) + return (true); + + pr =3D pax_get_prison(td, proc); + + flags =3D (td !=3D NULL) ? td->td_proc->p_pax : proc->p_pax; + if (((flags & 0xaaaaaaaa) & ((flags & 0x55555555) << 1)) !=3D 0) { + pax_log_aslr(pr, __func__, "inconsistent paxflags: %x\n", flags); + pax_ulog_aslr(pr, NULL, "inconsistent paxflags: %x\n", flags); + return (true); + } + + if (pr !=3D NULL) + status =3D pr->pr_pax_aslr_status; + else + status =3D pax_aslr_status; + + switch (status) { + case PAX_ASLR_DISABLED: + return (false); + case PAX_ASLR_FORCE_ENABLED: + return (true); + case PAX_ASLR_OPTIN: + if ((flags & PAX_NOTE_ASLR) =3D=3D 0) { + pax_log_aslr(pr, __func__, + "ASLR is opt-in, and executable does not have ASLR enabled\n"); + pax_ulog_aslr(pr, NULL, + "ASLR is opt-in, and executable does not have ASLR enabled\n"); + return (false); + } + break; + case PAX_ASLR_OPTOUT: + if ((flags & PAX_NOTE_NOASLR) !=3D 0) { + pax_log_aslr(pr, __func__, + "ASLR is opt-out, and executable explicitly disabled ASLR\n"); + pax_ulog_aslr(pr, NULL, + "ASLR is opt-out, and executable explicitly disabled ASLR\n"); + return (false); + } + break; + default: + return (true); + } + + return (true); +} + +void +_pax_aslr_init(struct vmspace *vm, struct prison *pr) +{ + if (vm =3D=3D NULL) + panic("[PaX ASLR] %s: vm =3D=3D NULL", __func__); + + vm->vm_aslr_delta_mmap =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_DELTA_MMAP_LSB, (pr !=3D NULL) ? + pr->pr_pax_aslr_mmap_len : + pax_aslr_mmap_len); + vm->vm_aslr_delta_stack =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_DELTA_STACK_LSB, (pr !=3D NULL) ? + pr->pr_pax_aslr_stack_len : + pax_aslr_stack_len); + vm->vm_aslr_delta_stack =3D ALIGN(vm->vm_aslr_delta_stack); + vm->vm_aslr_delta_exec =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_DELTA_EXEC_LSB, (pr !=3D NULL) ? + pr->pr_pax_aslr_exec_len : + pax_aslr_exec_len); + + if ((pr !=3D NULL) && pr->pr_pax_aslr_debug) { + pax_log_aslr(pr, __func__, "vm_aslr_delta_mmap=3D%p\n", + (void *) vm->vm_aslr_delta_mmap); + pax_log_aslr(pr, __func__, "vm_aslr_delta_stack=3D%p\n", + (void *) vm->vm_aslr_delta_stack); + pax_log_aslr(pr, __func__, "vm_aslr_delta_exec=3D%p\n", + (void *) vm->vm_aslr_delta_exec); + pax_ulog_aslr(pr, NULL, "vm_aslr_delta_mmap=3D%p\n", + (void *) vm->vm_aslr_delta_mmap); + pax_ulog_aslr(pr, NULL, "vm_aslr_delta_stack=3D%p\n", + (void *) vm->vm_aslr_delta_stack); + pax_ulog_aslr(pr, NULL, "vm_aslr_delta_exec=3D%p\n", + (void *) vm->vm_aslr_delta_exec); + } +} + +#ifdef COMPAT_FREEBSD32 +void +_pax_aslr_init32(struct vmspace *vm, struct prison *pr) +{ + if (vm =3D=3D NULL) + panic("[PaX ASLR] %s: vm =3D=3D NULL", __func__); + + vm->vm_aslr_delta_mmap =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_COMPAT_DELTA_MMAP_LSB, (pr !=3D NULL) ? + pr->pr_pax_aslr_compat_mmap_len : + pax_aslr_compat_mmap_len); + vm->vm_aslr_delta_stack =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_COMPAT_DELTA_STACK_LSB, (pr !=3D NULL) ? + pr->pr_pax_aslr_compat_stack_len : + pax_aslr_compat_stack_len); + vm->vm_aslr_delta_stack =3D ALIGN(vm->vm_aslr_delta_stack); + vm->vm_aslr_delta_exec =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_DELTA_EXEC_LSB, (pr !=3D NULL) ? + pr->pr_pax_aslr_compat_exec_len : + pax_aslr_compat_exec_len); + + if ((pr !=3D NULL) && pr->pr_pax_aslr_debug) { + pax_log_aslr(pr, __func__, "vm_aslr_delta_mmap=3D%p\n", + (void *) vm->vm_aslr_delta_mmap); + pax_log_aslr(pr, __func__, "vm_aslr_delta_stack=3D%p\n", + (void *) vm->vm_aslr_delta_stack); + pax_log_aslr(pr, __func__, "vm_aslr_delta_exec=3D%p\n", + (void *) vm->vm_aslr_delta_exec); + pax_ulog_aslr(pr, NULL, "vm_aslr_delta_mmap=3D%p\n", + (void *) vm->vm_aslr_delta_mmap); + pax_ulog_aslr(pr, NULL, "vm_aslr_delta_stack=3D%p\n", + (void *) vm->vm_aslr_delta_stack); + pax_ulog_aslr(pr, NULL, "vm_aslr_delta_exec=3D%p\n", + (void *) vm->vm_aslr_delta_exec); + } +} +#endif + +void +pax_aslr_init(struct thread *td, struct image_params *imgp) +{ + struct prison *pr; + struct vmspace *vm; + + pr =3D pax_get_prison(td, NULL); + + if (imgp =3D=3D NULL) + panic("[PaX ASLR] %s: imgp =3D=3D NULL", __func__); + + if (!pax_aslr_active(td, NULL)) + return; + + vm =3D imgp->proc->p_vmspace; + + if (imgp->sysent->sv_pax_aslr_init !=3D NULL) + imgp->sysent->sv_pax_aslr_init(vm, pr); +} + +void +pax_aslr_mmap(struct thread *td, vm_offset_t *addr, vm_offset_t orig_addr,= int flags) +{ + struct prison *pr; + + if (!pax_aslr_active(td, NULL)) + return; + + orig_addr =3D *addr; + + pr =3D pax_get_prison(td, NULL); + + if (!(flags & MAP_FIXED) && ((orig_addr =3D=3D 0) || !(flags & MAP_ANON))= ) { + pax_log_aslr(pr, __func__, "applying to %p orig_addr=3D%p flags=3D%x\n", + (void *)*addr, (void *)orig_addr, flags); + + if (!(td->td_proc->p_vmspace->vm_map.flags & MAP_ENTRY_GROWS_DOWN)) + *addr +=3D td->td_proc->p_vmspace->vm_aslr_delta_mmap; + else + *addr -=3D td->td_proc->p_vmspace->vm_aslr_delta_mmap; + pax_log_aslr(pr, __func__, "result %p\n", (void *)*addr); + } else { + pax_log_aslr(pr, __func__, "not applying to %p orig_addr=3D%p flags=3D%x= \n", + (void *)*addr, (void *)orig_addr, flags); + } +} + +void +pax_aslr_stack(struct thread *td, uintptr_t *addr) +{ + struct prison *pr; + uintptr_t orig_addr; + + if (!pax_aslr_active(td, NULL)) + return; + + pr =3D pax_get_prison(td, NULL); + + orig_addr =3D *addr; + *addr -=3D td->td_proc->p_vmspace->vm_aslr_delta_stack; + pax_log_aslr(pr, __func__, "orig_addr=3D%p, new_addr=3D%p\n", + (void *)orig_addr, (void *)*addr); + pax_ulog_aslr(pr, NULL, "orig_addr=3D%p, new_addr=3D%p\n", + (void *)orig_addr, (void *)*addr); +} diff --git a/sys/kern/kern_pax_log.c b/sys/kern/kern_pax_log.c new file mode 100644 index 0000000..943ac81 --- /dev/null +++ b/sys/kern/kern_pax_log.c @@ -0,0 +1,188 @@ +/*- + * Copyright (c) 2014, by Oliver Pinter <oliver.pntr at gmail.com> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURP= OSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENT= IAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STR= ICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY W= AY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include <sys/cdefs.h> + +#include <sys/param.h> +#include <sys/systm.h> +#include <sys/types.h> +#include <sys/kernel.h> +#include <sys/pax.h> +#include <sys/sbuf.h> +#include <sys/jail.h> +#include <machine/stdarg.h> + +#define __PAX_LOG_TEMPLATE(SUBJECT, name) \ +void \ +pax_log_##name(struct prison *pr, const char *caller_name, const char* fmt= , ...)\ +{ \ + struct sbuf *sb; \ + va_list args; \ + \ + if ((pr !=3D NULL) && (pr->pr_pax_log_log =3D=3D 0)) \ + return; \ + \ + sb =3D sbuf_new_auto(); \ + if (sb =3D=3D NULL) \ + panic("%s: Could not allocate memory", __func__); \ + sbuf_printf(sb, "[PAX "#SUBJECT"] "); \ + if (caller_name !=3D NULL) \ + sbuf_printf(sb, "%s: ", caller_name); \ + va_start(args, fmt); \ + sbuf_vprintf(sb, fmt, args); \ + va_end(args); \ + if (sbuf_finish(sb) !=3D 0) \ + panic("%s: Could not generate message", __func__); \ + \ + printf("%s", sbuf_data(sb)); \ + sbuf_delete(sb); \ +} \ + \ +void \ +pax_ulog_##name(struct prison *pr, const char *caller_name, const char* fm= t, ...)\ +{ \ + struct sbuf *sb; \ + va_list args; \ + \ + if ((pr !=3D NULL) && (pr->pr_pax_log_ulog =3D=3D 0)) \ + return; \ + \ + sb =3D sbuf_new_auto(); \ + if (sb =3D=3D NULL) \ + panic("%s: Could not allocate memory", __func__); \ + sbuf_printf(sb, "[PAX "#SUBJECT"] "); \ + if (caller_name !=3D NULL) \ + sbuf_printf(sb, "%s: ", caller_name); \ + va_start(args, fmt); \ + sbuf_vprintf(sb, fmt, args); \ + va_end(args); \ + if (sbuf_finish(sb) !=3D 0) \ + panic("%s: Could not generate message", __func__); \ + \ + uprintf("%s", sbuf_data(sb)); \ + sbuf_delete(sb); \ +} + + +static int sysctl_pax_log_log(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_log_ulog(SYSCTL_HANDLER_ARGS); + +int pax_log_log =3D PAX_LOG_LOG; +int pax_log_ulog =3D PAX_LOG_ULOG; + +SYSCTL_DECL(_security_pax); + +SYSCTL_NODE(_security_pax, OID_AUTO, log, CTLFLAG_RD, 0, + "PAX related logging facility."); + +SYSCTL_PROC(_security_pax_log, OID_AUTO, log, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE, + NULL, 0, sysctl_pax_log_log, "I", + "log to syslog " + "0 - disabled, " + "1 - enabled "); +TUNABLE_INT("security.pax.log.log", &pax_log_log); + +SYSCTL_PROC(_security_pax_log, OID_AUTO, ulog, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE, + NULL, 0, sysctl_pax_log_ulog, "I", + "log to user terminal" + "0 - disabled, " + "1 - enabled "); +TUNABLE_INT("security.pax.log.ulog", &pax_log_ulog); + +static int +sysctl_pax_log_log(SYSCTL_HANDLER_ARGS) +{ + int err; + int val; + struct prison *pr=3DNULL; + + pr =3D pax_get_prison(req->td, NULL); + + if ((pr !=3D NULL) && !(pr->pr_pax_set)) + pax_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_log_log : pax_log_log; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + switch (val) { + case 0: + case 1: + break; + default: + return (EINVAL); + + } + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_log_log =3D val; + if (pr !=3D NULL) + pr->pr_pax_log_log =3D val; + + return (0); +} + +static int +sysctl_pax_log_ulog(SYSCTL_HANDLER_ARGS) +{ + int err; + int val; + struct prison *pr=3DNULL; + + pr =3D pax_get_prison(req->td, NULL); + + if ((pr !=3D NULL) && !(pr->pr_pax_set)) + pax_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_log_ulog : pax_log_ulog; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + switch (val) { + case 0: + case 1: + break; + default: + return (EINVAL); + + } + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_log_ulog =3D val; + if (pr !=3D NULL) + pr->pr_pax_log_ulog =3D val; + + return (0); +} + + +__PAX_LOG_TEMPLATE(ASLR, aslr) diff --git a/sys/mips/mips/elf_machdep.c b/sys/mips/mips/elf_machdep.c index d374713..f95ba35 100644 --- a/sys/mips/mips/elf_machdep.c +++ b/sys/mips/mips/elf_machdep.c @@ -28,6 +28,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> @@ -49,6 +51,10 @@ __FBSDID("$FreeBSD$"); #include <machine/md_var.h> #include <machine/cache.h> =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + #ifdef __mips_n64 struct sysentvec elf64_freebsd_sysvec =3D { .sv_size =3D SYS_MAXSYSCALL, @@ -83,6 +89,11 @@ struct sysentvec elf64_freebsd_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D syscallnames, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; =20 static Elf64_Brandinfo freebsd_brand_info =3D { @@ -139,6 +150,11 @@ struct sysentvec elf32_freebsd_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D syscallnames, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init32, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; =20 static Elf32_Brandinfo freebsd_brand_info =3D { diff --git a/sys/mips/mips/freebsd32_machdep.c b/sys/mips/mips/freebsd32_ma= chdep.c index dfdf70f..103ad84 100644 --- a/sys/mips/mips/freebsd32_machdep.c +++ b/sys/mips/mips/freebsd32_machdep.c @@ -31,6 +31,7 @@ */ =20 #include "opt_compat.h" +#include "opt_pax.h" =20 #define __ELF_WORD_SIZE 32 =20 @@ -66,6 +67,10 @@ #include <compat/freebsd32/freebsd32_util.h> #include <compat/freebsd32/freebsd32_proto.h> =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + static void freebsd32_exec_setregs(struct thread *, struct image_params *,= u_long); static int get_mcontext32(struct thread *, mcontext32_t *, int); static int set_mcontext32(struct thread *, const mcontext32_t *); @@ -106,6 +111,11 @@ struct sysentvec elf32_freebsd_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D freebsd32_syscallnames, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init32, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec); =20 diff --git a/sys/powerpc/powerpc/elf32_machdep.c b/sys/powerpc/powerpc/elf3= 2_machdep.c index dbe58df..229fe97 100644 --- a/sys/powerpc/powerpc/elf32_machdep.c +++ b/sys/powerpc/powerpc/elf32_machdep.c @@ -25,6 +25,8 @@ * $FreeBSD$ */ =20 +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> @@ -52,6 +54,10 @@ #include <machine/reg.h> #include <machine/md_var.h> =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + #ifdef __powerpc64__ #include <compat/freebsd32/freebsd32_proto.h> #include <compat/freebsd32/freebsd32_util.h> @@ -107,6 +113,11 @@ struct sysentvec elf32_freebsd_sysvec =3D { .sv_shared_page_base =3D FREEBSD32_SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init32, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec); =20 diff --git a/sys/powerpc/powerpc/elf64_machdep.c b/sys/powerpc/powerpc/elf6= 4_machdep.c index 0c41a8d..095f37b0 100644 --- a/sys/powerpc/powerpc/elf64_machdep.c +++ b/sys/powerpc/powerpc/elf64_machdep.c @@ -25,6 +25,8 @@ * $FreeBSD$ */ =20 +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> @@ -48,6 +50,10 @@ #include <machine/elf.h> #include <machine/md_var.h> =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + struct sysentvec elf64_freebsd_sysvec =3D { .sv_size =3D SYS_MAXSYSCALL, .sv_table =3D sysent, @@ -83,6 +89,11 @@ struct sysentvec elf64_freebsd_sysvec =3D { .sv_shared_page_base =3D SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf64_sysvec, &elf64_freebsd_sysvec); =20 diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/= mac_bsdextended/mac_bsdextended.c index ccbc525..520168d 100644 --- a/sys/security/mac_bsdextended/mac_bsdextended.c +++ b/sys/security/mac_bsdextended/mac_bsdextended.c @@ -47,6 +47,8 @@ * firewall-like rules regarding users and file system objects. */ =20 +#include "opt_pax.h" + #include <sys/param.h> #include <sys/acl.h> #include <sys/kernel.h> @@ -56,14 +58,20 @@ #include <sys/module.h> #include <sys/mount.h> #include <sys/mutex.h> +#include <sys/param.h> #include <sys/priv.h> #include <sys/proc.h> #include <sys/systm.h> #include <sys/vnode.h> #include <sys/sysctl.h> #include <sys/syslog.h> +#include <sys/syslimits.h> #include <sys/stat.h> =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + #include <security/mac/mac_policy.h> #include <security/mac_bsdextended/mac_bsdextended.h> #include <security/mac_bsdextended/ugidfw_internal.h> @@ -117,7 +125,6 @@ SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstma= tch_enabled, static int ugidfw_rule_valid(struct mac_bsdextended_rule *rule) { - if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) !=3D MBS_ALL_FLAGS) return (EINVAL); if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) !=3D MBS_ALL_FLAGS) @@ -129,8 +136,13 @@ ugidfw_rule_valid(struct mac_bsdextended_rule *rule) if ((rule->mbr_object.mbo_neg | MBO_TYPE_DEFINED) && (rule->mbr_object.mbo_type | MBO_ALL_TYPE) !=3D MBO_ALL_TYPE) return (EINVAL); +#ifdef PAX_ASLR + if ((rule->mbr_pax | MBI_ALLPAX) !=3D MBI_ALLPAX) + return (EINVAL); +#endif if ((rule->mbr_mode | MBI_ALLPERM) !=3D MBI_ALLPERM) return (EINVAL); + return (0); } =20 @@ -227,7 +239,7 @@ ugidfw_destroy(struct mac_policy_conf *mpc) =20 static int ugidfw_rulecheck(struct mac_bsdextended_rule *rule, - struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode) + struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode,= struct image_params *imgp) { int mac_granted, match, priv_granted; int i; @@ -305,6 +317,10 @@ ugidfw_rulecheck(struct mac_bsdextended_rule *rule, match =3D (bcmp(&(vp->v_mount->mnt_stat.f_fsid), &(rule->mbr_object.mbo_fsid), sizeof(rule->mbr_object.mbo_fsid)) =3D=3D 0); +#if defined(PAX_ASLR) + if (match && rule->mbr_object.mbo_inode) + match =3D (vap->va_fileid =3D=3D rule->mbr_object.mbo_inode); +#endif if (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED) match =3D !match; if (!match) @@ -413,6 +429,11 @@ ugidfw_rulecheck(struct mac_bsdextended_rule *rule, return (EACCES); } =20 +#ifdef PAX_ASLR + if (imgp !=3D NULL) + pax_elf(imgp, rule->mbr_pax); +#endif + /* * If the rule matched, permits access, and first match is enabled, * return success. @@ -425,7 +446,7 @@ ugidfw_rulecheck(struct mac_bsdextended_rule *rule, =20 int ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap, - int acc_mode) + int acc_mode, struct image_params *imgp) { int error, i; =20 @@ -441,7 +462,7 @@ ugidfw_check(struct ucred *cred, struct vnode *vp, stru= ct vattr *vap, if (rules[i] =3D=3D NULL) continue; error =3D ugidfw_rulecheck(rules[i], cred, - vp, vap, acc_mode); + vp, vap, acc_mode, imgp); if (error =3D=3D EJUSTRETURN) break; if (error) { @@ -454,7 +475,7 @@ ugidfw_check(struct ucred *cred, struct vnode *vp, stru= ct vattr *vap, } =20 int -ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode) +ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode, struct= image_params *imgp) { int error; struct vattr vap; @@ -464,7 +485,7 @@ ugidfw_check_vp(struct ucred *cred, struct vnode *vp, i= nt acc_mode) error =3D VOP_GETATTR(vp, &vap, cred); if (error) return (error); - return (ugidfw_check(cred, vp, &vap, acc_mode)); + return (ugidfw_check(cred, vp, &vap, acc_mode, imgp)); } =20 int diff --git a/sys/security/mac_bsdextended/mac_bsdextended.h b/sys/security/= mac_bsdextended/mac_bsdextended.h index c09abc0..c3cbf28 100644 --- a/sys/security/mac_bsdextended/mac_bsdextended.h +++ b/sys/security/mac_bsdextended/mac_bsdextended.h @@ -51,6 +51,9 @@ #define MBI_ADMIN 010000 #define MBI_STAT 020000 #define MBI_APPEND 040000 +#define MBI_FORCE_ASLR_ENABLED 0x01 +#define MBI_FORCE_ASLR_DISABLED 0x02 +#define MBI_ALLPAX (MBI_FORCE_ASLR_ENABLED | MBI_FORCE_ASLR_DISABLED) #define MBI_ALLPERM (MBI_EXEC | MBI_WRITE | MBI_READ | MBI_ADMIN | \ MBI_STAT | MBI_APPEND) =20 @@ -78,6 +81,7 @@ struct mac_bsdextended_subject { #define MBO_UID_SUBJECT 0x00000020 /* uid must match subject */ #define MBO_GID_SUBJECT 0x00000040 /* gid must match subject */ #define MBO_TYPE_DEFINED 0x00000080 /* object type should be matched */ +#define MBO_PAXPATH_DEFINED 0x00000100 /* TODO: paxpath should be matched = */ =20 #define MBO_ALL_FLAGS (MBO_UID_DEFINED | MBO_GID_DEFINED | MBO_FSID_DEFINE= D | \ MBO_SUID | MBO_SGID | MBO_UID_SUBJECT | MBO_GID_SUBJECT | \ @@ -103,12 +107,15 @@ struct mac_bsdextended_object { gid_t mbo_gid_max; struct fsid mbo_fsid; int mbo_type; + ino_t mbo_inode; + char mbo_paxpath[MAXPATHLEN]; }; =20 struct mac_bsdextended_rule { struct mac_bsdextended_subject mbr_subject; struct mac_bsdextended_object mbr_object; mode_t mbr_mode; /* maximum access */ + uint32_t mbr_pax; }; =20 #endif /* _SYS_SECURITY_MAC_BSDEXTENDED_H */ diff --git a/sys/security/mac_bsdextended/ugidfw_internal.h b/sys/security/= mac_bsdextended/ugidfw_internal.h index 5597fd1..18c74dc 100644 --- a/sys/security/mac_bsdextended/ugidfw_internal.h +++ b/sys/security/mac_bsdextended/ugidfw_internal.h @@ -36,8 +36,9 @@ */ int ugidfw_accmode2mbi(accmode_t accmode); int ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap, - int acc_mode); -int ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode); + int acc_mode, struct image_params *imgp); +int ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode, + struct image_params *imgp); =20 /* * System access control checks. diff --git a/sys/security/mac_bsdextended/ugidfw_system.c b/sys/security/ma= c_bsdextended/ugidfw_system.c index 49e4f1d..2829a00 100644 --- a/sys/security/mac_bsdextended/ugidfw_system.c +++ b/sys/security/mac_bsdextended/ugidfw_system.c @@ -66,7 +66,7 @@ ugidfw_system_check_acct(struct ucred *cred, struct vnode= *vp, { =20 if (vp !=3D NULL) - return (ugidfw_check_vp(cred, vp, MBI_WRITE)); + return (ugidfw_check_vp(cred, vp, MBI_WRITE, NULL)); else return (0); } @@ -77,7 +77,7 @@ ugidfw_system_check_auditctl(struct ucred *cred, struct v= node *vp, { =20 if (vp !=3D NULL) - return (ugidfw_check_vp(cred, vp, MBI_WRITE)); + return (ugidfw_check_vp(cred, vp, MBI_WRITE, NULL)); else return (0); } @@ -87,5 +87,5 @@ ugidfw_system_check_swapon(struct ucred *cred, struct vno= de *vp, struct label *vplabel) { =20 - return (ugidfw_check_vp(cred, vp, MBI_WRITE)); + return (ugidfw_check_vp(cred, vp, MBI_WRITE, NULL)); } diff --git a/sys/security/mac_bsdextended/ugidfw_vnode.c b/sys/security/mac= _bsdextended/ugidfw_vnode.c index 8ec2d48..2065e6e 100644 --- a/sys/security/mac_bsdextended/ugidfw_vnode.c +++ b/sys/security/mac_bsdextended/ugidfw_vnode.c @@ -65,7 +65,7 @@ ugidfw_vnode_check_access(struct ucred *cred, struct vnod= e *vp, struct label *vplabel, accmode_t accmode) { =20 - return (ugidfw_check_vp(cred, vp, ugidfw_accmode2mbi(accmode))); + return (ugidfw_check_vp(cred, vp, ugidfw_accmode2mbi(accmode), NULL)); } =20 int @@ -73,7 +73,7 @@ ugidfw_vnode_check_chdir(struct ucred *cred, struct vnode= *dvp, struct label *dvplabel) { =20 - return (ugidfw_check_vp(cred, dvp, MBI_EXEC)); + return (ugidfw_check_vp(cred, dvp, MBI_EXEC, NULL)); } =20 int @@ -81,7 +81,7 @@ ugidfw_vnode_check_chroot(struct ucred *cred, struct vnod= e *dvp, struct label *dvplabel) { =20 - return (ugidfw_check_vp(cred, dvp, MBI_EXEC)); + return (ugidfw_check_vp(cred, dvp, MBI_EXEC, NULL)); } =20 int @@ -89,7 +89,7 @@ ugidfw_check_create_vnode(struct ucred *cred, struct vnod= e *dvp, struct label *dvplabel, struct componentname *cnp, struct vattr *vap) { =20 - return (ugidfw_check_vp(cred, dvp, MBI_WRITE)); + return (ugidfw_check_vp(cred, dvp, MBI_WRITE, NULL)); } =20 int @@ -97,7 +97,7 @@ ugidfw_vnode_check_deleteacl(struct ucred *cred, struct v= node *vp, struct label *vplabel, acl_type_t type) { =20 - return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); + return (ugidfw_check_vp(cred, vp, MBI_ADMIN, NULL)); } =20 int @@ -105,7 +105,7 @@ ugidfw_vnode_check_deleteextattr(struct ucred *cred, st= ruct vnode *vp, struct label *vplabel, int attrnamespace, const char *name) { =20 - return (ugidfw_check_vp(cred, vp, MBI_WRITE)); + return (ugidfw_check_vp(cred, vp, MBI_WRITE, NULL)); } =20 int @@ -114,7 +114,7 @@ ugidfw_vnode_check_exec(struct ucred *cred, struct vnod= e *vp, struct label *execlabel) { =20 - return (ugidfw_check_vp(cred, vp, MBI_READ|MBI_EXEC)); + return (ugidfw_check_vp(cred, vp, MBI_READ|MBI_EXEC, imgp)); } =20 int @@ -122,7 +122,7 @@ ugidfw_vnode_check_getacl(struct ucred *cred, struct vn= ode *vp, struct label *vplabel, acl_type_t type) { =20 - return (ugidfw_check_vp(cred, vp, MBI_STAT)); + return (ugidfw_check_vp(cred, vp, MBI_STAT, NULL)); } =20 int @@ -130,7 +130,7 @@ ugidfw_vnode_check_getextattr(struct ucred *cred, struc= t vnode *vp, struct label *vplabel, int attrnamespace, const char *name) { =20 - return (ugidfw_check_vp(cred, vp, MBI_READ)); + return (ugidfw_check_vp(cred, vp, MBI_READ, NULL)); } =20 int @@ -140,10 +140,10 @@ ugidfw_vnode_check_link(struct ucred *cred, struct vn= ode *dvp, { int error; =20 - error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE); + error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE, NULL); if (error) return (error); - error =3D ugidfw_check_vp(cred, vp, MBI_WRITE); + error =3D ugidfw_check_vp(cred, vp, MBI_WRITE, NULL); if (error) return (error); return (0); @@ -154,7 +154,7 @@ ugidfw_vnode_check_listextattr(struct ucred *cred, stru= ct vnode *vp, struct label *vplabel, int attrnamespace) { =20 - return (ugidfw_check_vp(cred, vp, MBI_READ)); + return (ugidfw_check_vp(cred, vp, MBI_READ, NULL)); } =20 int @@ -162,7 +162,7 @@ ugidfw_vnode_check_lookup(struct ucred *cred, struct vn= ode *dvp, struct label *dvplabel, struct componentname *cnp) { =20 - return (ugidfw_check_vp(cred, dvp, MBI_EXEC)); + return (ugidfw_check_vp(cred, dvp, MBI_EXEC, NULL)); } =20 int @@ -170,7 +170,7 @@ ugidfw_vnode_check_open(struct ucred *cred, struct vnod= e *vp, struct label *vplabel, accmode_t accmode) { =20 - return (ugidfw_check_vp(cred, vp, ugidfw_accmode2mbi(accmode))); + return (ugidfw_check_vp(cred, vp, ugidfw_accmode2mbi(accmode), NULL)); } =20 int @@ -178,7 +178,7 @@ ugidfw_vnode_check_readdir(struct ucred *cred, struct v= node *dvp, struct label *dvplabel) { =20 - return (ugidfw_check_vp(cred, dvp, MBI_READ)); + return (ugidfw_check_vp(cred, dvp, MBI_READ, NULL)); } =20 int @@ -186,7 +186,7 @@ ugidfw_vnode_check_readdlink(struct ucred *cred, struct= vnode *vp, struct label *vplabel) { =20 - return (ugidfw_check_vp(cred, vp, MBI_READ)); + return (ugidfw_check_vp(cred, vp, MBI_READ, NULL)); } =20 int @@ -196,10 +196,10 @@ ugidfw_vnode_check_rename_from(struct ucred *cred, st= ruct vnode *dvp, { int error; =20 - error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE); + error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE, NULL); if (error) return (error); - return (ugidfw_check_vp(cred, vp, MBI_WRITE)); + return (ugidfw_check_vp(cred, vp, MBI_WRITE, NULL)); } =20 int @@ -209,11 +209,11 @@ ugidfw_vnode_check_rename_to(struct ucred *cred, stru= ct vnode *dvp, { int error; =20 - error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE); + error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE, NULL); if (error) return (error); if (vp !=3D NULL) - error =3D ugidfw_check_vp(cred, vp, MBI_WRITE); + error =3D ugidfw_check_vp(cred, vp, MBI_WRITE, NULL); return (error); } =20 @@ -222,7 +222,7 @@ ugidfw_vnode_check_revoke(struct ucred *cred, struct vn= ode *vp, struct label *vplabel) { =20 - return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); + return (ugidfw_check_vp(cred, vp, MBI_ADMIN, NULL)); } =20 int @@ -230,7 +230,7 @@ ugidfw_check_setacl_vnode(struct ucred *cred, struct vn= ode *vp, struct label *vplabel, acl_type_t type, struct acl *acl) { =20 - return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); + return (ugidfw_check_vp(cred, vp, MBI_ADMIN, NULL)); } =20 int @@ -238,7 +238,7 @@ ugidfw_vnode_check_setextattr(struct ucred *cred, struc= t vnode *vp, struct label *vplabel, int attrnamespace, const char *name) { =20 - return (ugidfw_check_vp(cred, vp, MBI_WRITE)); + return (ugidfw_check_vp(cred, vp, MBI_WRITE, NULL)); } =20 int @@ -246,7 +246,7 @@ ugidfw_vnode_check_setflags(struct ucred *cred, struct = vnode *vp, struct label *vplabel, u_long flags) { =20 - return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); + return (ugidfw_check_vp(cred, vp, MBI_ADMIN, NULL)); } =20 int @@ -254,7 +254,7 @@ ugidfw_vnode_check_setmode(struct ucred *cred, struct v= node *vp, struct label *vplabel, mode_t mode) { =20 - return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); + return (ugidfw_check_vp(cred, vp, MBI_ADMIN, NULL)); } =20 int @@ -262,7 +262,7 @@ ugidfw_vnode_check_setowner(struct ucred *cred, struct = vnode *vp, struct label *vplabel, uid_t uid, gid_t gid) { =20 - return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); + return (ugidfw_check_vp(cred, vp, MBI_ADMIN, NULL)); } =20 int @@ -270,7 +270,7 @@ ugidfw_vnode_check_setutimes(struct ucred *cred, struct= vnode *vp, struct label *vplabel, struct timespec atime, struct timespec utime) { =20 - return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); + return (ugidfw_check_vp(cred, vp, MBI_ADMIN, NULL)); } =20 int @@ -278,7 +278,7 @@ ugidfw_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { =20 - return (ugidfw_check_vp(active_cred, vp, MBI_STAT)); + return (ugidfw_check_vp(active_cred, vp, MBI_STAT, NULL)); } =20 int @@ -288,8 +288,8 @@ ugidfw_vnode_check_unlink(struct ucred *cred, struct vn= ode *dvp, { int error; =20 - error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE); + error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE, NULL); if (error) return (error); - return (ugidfw_check_vp(cred, vp, MBI_WRITE)); + return (ugidfw_check_vp(cred, vp, MBI_WRITE, NULL)); } diff --git a/sys/sparc64/sparc64/elf_machdep.c b/sys/sparc64/sparc64/elf_ma= chdep.c index 4d55717..e0eba33 100644 --- a/sys/sparc64/sparc64/elf_machdep.c +++ b/sys/sparc64/sparc64/elf_machdep.c @@ -34,6 +34,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> @@ -52,6 +54,10 @@ __FBSDID("$FreeBSD$"); =20 #include <machine/elf.h> =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + #include "linker_if.h" =20 static struct sysentvec elf64_freebsd_sysvec =3D { @@ -87,6 +93,11 @@ static struct sysentvec elf64_freebsd_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D syscallnames, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; =20 static Elf64_Brandinfo freebsd_brand_info =3D { diff --git a/sys/sys/imgact.h b/sys/sys/imgact.h index 17cfcc2..15c2c4f 100644 --- a/sys/sys/imgact.h +++ b/sys/sys/imgact.h @@ -78,6 +78,7 @@ struct image_params { unsigned long pagesizes; int pagesizeslen; vm_prot_t stack_prot; + int pax_flags; }; =20 #ifdef _KERNEL diff --git a/sys/sys/jail.h b/sys/sys/jail.h index 59d791c..699b21c 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h @@ -184,6 +184,19 @@ struct prison { char pr_hostname[MAXHOSTNAMELEN]; /* (p) jail hostname */ char pr_domainname[MAXHOSTNAMELEN]; /* (p) jail domainname */ char pr_hostuuid[HOSTUUIDLEN]; /* (p) jail hostuuid */ + /* Lock only needed for pax_* if pr_pax_set =3D=3D 0 */ + int pr_pax_set; /* (p) PaX settings initialized */ + int pr_pax_aslr_status; /* (p) PaX ASLR enabled */ + int pr_pax_aslr_debug; /* (p) PaX ASLR debug */ + int pr_pax_aslr_mmap_len; /* (p) Number of bits randomized with mmap */ + int pr_pax_aslr_stack_len; /* (p) Number of bits randomized with stack= */ + int pr_pax_aslr_exec_len; /* (p) Number of bits randomized with the ex= ecbase */ + int pr_pax_aslr_compat_status; /* (p) PaX ASLR enabled (compat32) */ + int pr_pax_aslr_compat_mmap_len; /* (p) Number of bits randomized with = mmap (compat32) */ + int pr_pax_aslr_compat_stack_len; /* (p) Number of bits randomized with= stack (compat32) */ + int pr_pax_aslr_compat_exec_len; /* (p) Number of bits randomized with = the execbase (compat32) */ + int pr_pax_log_log; /* (p) XXX */ + int pr_pax_log_ulog; /* (p) XXX */ }; =20 struct prison_racct { diff --git a/sys/sys/kernel.h b/sys/sys/kernel.h index 3c5258a..aedb52e 100644 --- a/sys/sys/kernel.h +++ b/sys/sys/kernel.h @@ -102,6 +102,7 @@ enum sysinit_sub_id { SI_SUB_WITNESS =3D 0x1A80000, /* witness initialization */ SI_SUB_MTX_POOL_DYNAMIC =3D 0x1AC0000, /* dynamic mutex pool */ SI_SUB_LOCK =3D 0x1B00000, /* various locks */ + SI_SUB_PAX =3D 0x1B50000, /* pax setup */ SI_SUB_EVENTHANDLER =3D 0x1C00000, /* eventhandler init */ SI_SUB_VNET_PRELINK =3D 0x1E00000, /* vnet init before modules */ SI_SUB_KLD =3D 0x2000000, /* KLD and module setup */ diff --git a/sys/sys/pax.h b/sys/sys/pax.h new file mode 100644 index 0000000..a0f2bf6 --- /dev/null +++ b/sys/sys/pax.h @@ -0,0 +1,226 @@ +/*- + * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org> + * Copyright (c) 2013-2014, by Oliver Pinter <oliver.pntr at gmail.com> + * Copyright (c) 2014, by Shawn Webb <lattera at gmail.com> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTI= ES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF US= E, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef __SYS_PAX_H +#define __SYS_PAX_H + +struct image_params; +struct prison; +struct thread; +struct vnode; +struct vmspace; +struct vm_offset_t; + +/* + * used in sysctl handler + */ +#define PAX_ASLR_DISABLED 0 +#define PAX_ASLR_OPTIN 1 +#define PAX_ASLR_OPTOUT 2 +#define PAX_ASLR_FORCE_ENABLED 3 + +#ifndef PAX_ASLR_DELTA +#define PAX_ASLR_DELTA(delta, lsb, len) \ + (((delta) & ((1UL << (len)) - 1)) << (lsb)) +#endif /* PAX_ASLR_DELTA */ + +#ifdef PAX_ASLR +/* + * generic ASLR values + * + * MMAP | 32 bit | 64 bit | + * +-------+--------+--------+ + * | MIN | 8 bit | 16 bit | + * +-------+--------+--------+ + * | DEF | 8 bit | 21 bit | + * +-------+--------+--------+ + * | MAX | 16 bit | 32 bit | + * +-------+--------+--------+ + * + * STACK | 32 bit | 64 bit | + * +-------+--------+--------+ + * | MIN | 6 bit | 12 bit | + * +-------+--------+--------+ + * | DEF | 6 bit | 16 bit | + * +-------+--------+--------+ + * | MAX | 10 bit | 21 bit | + * +-------+--------+--------+ + * + * EXEC | 32 bit | 64 bit | + * +-------+--------+--------+ + * | MIN | 6 bit | 12 bit | + * +-------+--------+--------+ + * | DEF | 6 bit | 21 bit | + * +-------+--------+--------+ + * | MAX | 10 bit | 21 bit | + * +-------+--------+--------+ + * + */ +#ifndef PAX_ASLR_DELTA_MMAP_LSB +#define PAX_ASLR_DELTA_MMAP_LSB PAGE_SHIFT +#endif /* PAX_ASLR_DELTA_MMAP_LSB */ + +#ifndef PAX_ASLR_DELTA_MMAP_MIN_LEN +#define PAX_ASLR_DELTA_MMAP_MIN_LEN ((sizeof(void *) * NBBY) / 4) +#endif /* PAX_ASLR_DELTA_MMAP_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_MMAP_MAX_LEN +#define PAX_ASLR_DELTA_MMAP_MAX_LEN ((sizeof(void *) * NBBY) / 2) +#endif /* PAX_ASLR_DELTA_MMAP_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_STACK_LSB +#define PAX_ASLR_DELTA_STACK_LSB 3 +#endif /* PAX_ASLR_DELTA_STACK_LSB */ + +#ifndef PAX_ASLR_DELTA_STACK_MIN_LEN +#define PAX_ASLR_DELTA_STACK_MIN_LEN ((sizeof(void *) * NBBY) / 5) +#endif /* PAX_ASLR_DELTA_STACK_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_STACK_MAX_LEN +#define PAX_ASLR_DELTA_STACK_MAX_LEN ((sizeof(void *) * NBBY) / 3) +#endif /* PAX_ASLR_DELTA_STACK_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_EXEC_LSB +#define PAX_ASLR_DELTA_EXEC_LSB PAGE_SHIFT +#endif /* PAX_ASLR_DELTA_EXEC_LSB */ + +#ifndef PAX_ASLR_DELTA_EXEC_MIN_LEN +#define PAX_ASLR_DELTA_EXEC_MIN_LEN ((sizeof(void *) * NBBY) / 5) +#endif /* PAX_ASLR_DELTA_EXEC_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_EXEC_MAX_LEN +#define PAX_ASLR_DELTA_EXEC_MAX_LEN ((sizeof(void *) * NBBY) / 3) +#endif /* PAX_ASLR_DELTA_EXEC_MAX_LEN */ + +/* + * ASLR default values for native host + */ +#ifdef __amd64__ +#ifndef PAX_ASLR_DELTA_MMAP_DEF_LEN +#define PAX_ASLR_DELTA_MMAP_DEF_LEN 21 +#endif /* PAX_ASLR_DELTA_MMAP_DEF_LEN */ +#ifndef PAX_ASLR_DELTA_STACK_DEF_LEN +#define PAX_ASLR_DELTA_STACK_DEF_LEN 16 +#endif /* PAX_ASLR_DELTA_STACK_DEF_LEN */ +#ifndef PAX_ASLR_DELTA_EXEC_DEF_LEN +#define PAX_ASLR_DELTA_EXEC_DEF_LEN 21 +#endif /* PAX_ASLR_DELTA_EXEC_DEF_LEN */ +#else +#ifndef PAX_ASLR_DELTA_MMAP_DEF_LEN +#define PAX_ASLR_DELTA_MMAP_DEF_LEN PAX_ASLR_DELTA_MMAP_MIN_LEN +#endif /* PAX_ASLR_DELTA_MMAP_DEF_LEN */ +#ifndef PAX_ASLR_DELTA_STACK_DEF_LEN +#define PAX_ASLR_DELTA_STACK_DEF_LEN PAX_ASLR_DELTA_STACK_MIN_LEN +#endif /* PAX_ASLR_DELTA_STACK_DEF_LEN */ +#ifndef PAX_ASLR_DELTA_EXEC_DEF_LEN +#define PAX_ASLR_DELTA_EXEC_DEF_LEN PAX_ASLR_DELTA_EXEC_MIN_LEN +#endif /* PAX_ASLR_DELTA_EXEC_DEF_LEN */ +#endif /* __amd64__ */ + +/* + * ASLR values for COMPAT_FREEBSD32 and COMPAT_LINUX + */ +#ifndef PAX_ASLR_COMPAT_DELTA_MMAP_LSB +#define PAX_ASLR_COMPAT_DELTA_MMAP_LSB PAGE_SHIFT +#endif /* PAX_ASLR_COMPAT_DELTA_MMAP_LSB */ + +#ifndef PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN +#define PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN ((sizeof(int) * NBBY) / 4) +#endif /* PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN +#define PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN ((sizeof(int) * NBBY) / 2) +#endif /* PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_STACK_LSB +#define PAX_ASLR_COMPAT_DELTA_STACK_LSB 3 +#endif /* PAX_ASLR_COMPAT_DELTA_STACK_LSB */ + +#ifndef PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN +#define PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN ((sizeof(int) * NBBY) / 5) +#endif /* PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN +#define PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN ((sizeof(int) * NBBY) / 3) +#endif /* PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN +#define PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN ((sizeof(int) * NBBY) / 5) +#endif /* PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN +#define PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN ((sizeof(int) * NBBY) / 3) +#endif /* PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN */ + +extern int pax_aslr_status; +extern int pax_aslr_debug; + +extern int pax_aslr_mmap_len; +extern int pax_aslr_stack_len; +extern int pax_aslr_exec_len; +#ifdef COMPAT_FREEBSD32 +extern int pax_aslr_compat_status; +extern int pax_aslr_compat_mmap_len; +extern int pax_aslr_compat_stack_len; +extern int pax_aslr_compat_exec_len; +#endif /* COMPAT_FREEBSD32 */ +#endif /* PAX_ASLR */ + +extern int pax_log_log; +extern int pax_log_ulog; + +#define ELF_NOTE_TYPE_PAX_TAG 3 +#define PAX_NOTE_MPROTECT 0x01 +#define PAX_NOTE_NOMPROTECT 0x02 +#define PAX_NOTE_GUARD 0x04 +#define PAX_NOTE_NOGUARD 0x08 +#define PAX_NOTE_ASLR 0x10 +#define PAX_NOTE_NOASLR 0x20 + +#define PAX_LOG_LOG 0 +#define PAX_LOG_ULOG 0 + +void pax_init(void); +void pax_init_prison(struct prison *pr); +bool pax_aslr_active(struct thread *td, struct proc *proc); +void _pax_aslr_init(struct vmspace *vm, struct prison *pr); +void _pax_aslr_init32(struct vmspace *vm, struct prison *pr); +void pax_aslr_init(struct thread *td, struct image_params *imgp); +void pax_aslr_mmap(struct thread *td, vm_offset_t *addr,=20 + vm_offset_t orig_addr, int flags); +void pax_aslr_stack(struct thread *td, uintptr_t *addr); +struct prison *pax_get_prison(struct thread *td, struct proc *proc); +void pax_elf(struct image_params *, uint32_t); + +void pax_log_aslr(struct prison *pr, const char *func, const char *fmt, ..= =2E); +void pax_ulog_aslr(struct prison *pr, const char *func, const char *fmt, .= =2E.); + +#endif /* __SYS_PAX_H */ diff --git a/sys/sys/proc.h b/sys/sys/proc.h index fbd064c..558d7bf 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -539,6 +539,7 @@ struct proc { u_int p_stops; /* (c) Stop event bitmask. */ u_int p_stype; /* (c) Stop event type. */ char p_step; /* (c) Process is stopped. */ + u_int p_pax; /* (b) PaX is enabled to this process */ u_char p_pfsflags; /* (c) Procfs flags. */ struct nlminfo *p_nlminfo; /* (?) Only used by/for lockd. */ struct kaioinfo *p_aioinfo; /* (y) ASYNC I/O info. */ diff --git a/sys/sys/sysent.h b/sys/sys/sysent.h index c49db41..cfbcdc0 100644 --- a/sys/sys/sysent.h +++ b/sys/sys/sysent.h @@ -77,9 +77,11 @@ struct sysent { /* system call table */ #define SY_THR_INCR 0x8 =20 struct image_params; +struct prison; struct __sigset; struct syscall_args; struct trapframe; +struct vmspace; struct vnode; =20 struct sysentvec { @@ -130,6 +132,7 @@ struct sysentvec { uint32_t sv_timekeep_gen; void *sv_shared_page_obj; void (*sv_schedtail)(struct thread *); + void (*sv_pax_aslr_init)(struct vmspace *vm, struct prison *pr); }; =20 #define SV_ILP32 0x000100 diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c index d8ba33f..4ba8106 100644 --- a/sys/vm/vm_map.c +++ b/sys/vm/vm_map.c @@ -65,6 +65,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include <sys/param.h> #include <sys/systm.h> #include <sys/kernel.h> @@ -292,6 +294,12 @@ vmspace_alloc(vm_offset_t min, vm_offset_t max, pmap_p= init_t pinit) vm->vm_taddr =3D 0; vm->vm_daddr =3D 0; vm->vm_maxsaddr =3D 0; +#ifdef PAX_ASLR + vm->vm_aslr_delta_mmap =3D 0; + vm->vm_aslr_delta_stack =3D 0; + vm->vm_aslr_delta_exec =3D 0; +#endif + return (vm); } =20 diff --git a/sys/vm/vm_map.h b/sys/vm/vm_map.h index 8cced05..e8e9ffe 100644 --- a/sys/vm/vm_map.h +++ b/sys/vm/vm_map.h @@ -241,6 +241,9 @@ struct vmspace { caddr_t vm_taddr; /* (c) user virtual address of text */ caddr_t vm_daddr; /* (c) user virtual address of data */ caddr_t vm_maxsaddr; /* user VA at max stack growth */ + vm_size_t vm_aslr_delta_mmap; /* mmap() random delta for ASLR */ + vm_size_t vm_aslr_delta_stack; /* stack random delta for ASLR */ + vm_size_t vm_aslr_delta_exec; /* exec base random delta for ASLR */ volatile int vm_refcnt; /* number of references */ /* * Keep the PMAP last, so that CPU-specific variations of that diff --git a/sys/vm/vm_mmap.c b/sys/vm/vm_mmap.c index a524839..fd8876e 100644 --- a/sys/vm/vm_mmap.c +++ b/sys/vm/vm_mmap.c @@ -45,6 +45,7 @@ __FBSDID("$FreeBSD$"); =20 #include "opt_compat.h" #include "opt_hwpmc_hooks.h" +#include "opt_pax.h" =20 #include <sys/param.h> #include <sys/systm.h> @@ -91,6 +92,10 @@ __FBSDID("$FreeBSD$"); #include <sys/pmckern.h> #endif =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif + int old_mlock =3D 0; SYSCTL_INT(_vm, OID_AUTO, old_mlock, CTLFLAG_RW | CTLFLAG_TUN, &old_mlock,= 0, "Do not apply RLIMIT_MEMLOCK on mlockall"); @@ -203,6 +208,9 @@ sys_mmap(td, uap) struct file *fp; struct vnode *vp; vm_offset_t addr; +#ifdef PAX_ASLR + vm_offset_t orig_addr; +#endif vm_size_t size, pageoff; vm_prot_t cap_maxprot, prot, maxprot; void *handle; @@ -213,6 +221,9 @@ sys_mmap(td, uap) cap_rights_t rights; =20 addr =3D (vm_offset_t) uap->addr; +#ifdef PAX_ASLR + orig_addr =3D addr; +#endif size =3D uap->len; prot =3D uap->prot & VM_PROT_ALL; flags =3D uap->flags; @@ -416,6 +427,9 @@ sys_mmap(td, uap) map: td->td_fpop =3D fp; maxprot &=3D cap_maxprot; +#ifdef PAX_ASLR + pax_aslr_mmap(td, &addr, orig_addr, flags); +#endif error =3D vm_mmap(&vms->vm_map, &addr, size, prot, maxprot, flags, handle_type, handle, pos); td->td_fpop =3D NULL; diff --git a/tools/build/options/WITHOUT_PIE b/tools/build/options/WITHOUT_= PIE new file mode 100644 index 0000000..82019ce --- /dev/null +++ b/tools/build/options/WITHOUT_PIE @@ -0,0 +1 @@ +Enable building of Position-Independent Executables (PIEs). diff --git a/usr.sbin/ugidfw/ugidfw.c b/usr.sbin/ugidfw/ugidfw.c index 977922a..515df16 100644 --- a/usr.sbin/ugidfw/ugidfw.c +++ b/usr.sbin/ugidfw/ugidfw.c @@ -46,6 +46,8 @@ __FBSDID("$FreeBSD$"); #include <string.h> #include <ugidfw.h> =20 +#define UGIDFW_BUFSIZ (BUFSIZ*2) + void add_rule(int argc, char *argv[]); void list_rules(void); void remove_rule(int argc, char *argv[]); @@ -71,22 +73,22 @@ usage(void) void add_rule(int argc, char *argv[]) { - char errstr[BUFSIZ], charstr[BUFSIZ]; + char errstr[UGIDFW_BUFSIZ], charstr[UGIDFW_BUFSIZ]; struct mac_bsdextended_rule rule; int error, rulenum; =20 - error =3D bsde_parse_rule(argc, argv, &rule, BUFSIZ, errstr); + error =3D bsde_parse_rule(argc, argv, &rule, UGIDFW_BUFSIZ, errstr); if (error) { warnx("%s", errstr); return; } =20 - error =3D bsde_add_rule(&rulenum, &rule, BUFSIZ, errstr); + error =3D bsde_add_rule(&rulenum, &rule, UGIDFW_BUFSIZ, errstr); if (error) { warnx("%s", errstr); return; } - if (bsde_rule_to_string(&rule, charstr, BUFSIZ) =3D=3D -1) + if (bsde_rule_to_string(&rule, charstr, UGIDFW_BUFSIZ) =3D=3D -1) warnx("Added rule, but unable to print string."); else printf("%d %s\n", rulenum, charstr); @@ -95,25 +97,25 @@ add_rule(int argc, char *argv[]) void list_rules(void) { - char errstr[BUFSIZ], charstr[BUFSIZ]; + char errstr[UGIDFW_BUFSIZ], charstr[UGIDFW_BUFSIZ]; struct mac_bsdextended_rule rule; int error, i, rule_count, rule_slots; =20 - rule_slots =3D bsde_get_rule_slots(BUFSIZ, errstr); + rule_slots =3D bsde_get_rule_slots(UGIDFW_BUFSIZ, errstr); if (rule_slots =3D=3D -1) { warnx("unable to get rule slots; mac_bsdextended.ko " "may not be loaded"); errx(1, "bsde_get_rule_slots: %s", errstr); } =20 - rule_count =3D bsde_get_rule_count(BUFSIZ, errstr); + rule_count =3D bsde_get_rule_count(UGIDFW_BUFSIZ, errstr); if (rule_count =3D=3D -1) errx(1, "bsde_get_rule_count: %s", errstr); =20 printf("%d slots, %d rules\n", rule_slots, rule_count); =20 for (i =3D 0; i < rule_slots; i++) { - error =3D bsde_get_rule(i, &rule, BUFSIZ, errstr); + error =3D bsde_get_rule(i, &rule, UGIDFW_BUFSIZ, errstr); switch (error) { case -2: continue; @@ -124,7 +126,7 @@ list_rules(void) break; } =20 - if (bsde_rule_to_string(&rule, charstr, BUFSIZ) =3D=3D -1) + if (bsde_rule_to_string(&rule, charstr, UGIDFW_BUFSIZ) =3D=3D -1) warnx("unable to translate rule %d to string", i); else printf("%d %s\n", i, charstr); @@ -134,7 +136,7 @@ list_rules(void) void set_rule(int argc, char *argv[]) { - char errstr[BUFSIZ]; + char errstr[UGIDFW_BUFSIZ]; struct mac_bsdextended_rule rule; long value; int error, rulenum; @@ -152,13 +154,13 @@ set_rule(int argc, char *argv[]) =20 rulenum =3D value; =20 - error =3D bsde_parse_rule(argc - 1, argv + 1, &rule, BUFSIZ, errstr); + error =3D bsde_parse_rule(argc - 1, argv + 1, &rule, UGIDFW_BUFSIZ, errst= r); if (error) { warnx("%s", errstr); return; } =20 - error =3D bsde_set_rule(rulenum, &rule, BUFSIZ, errstr); + error =3D bsde_set_rule(rulenum, &rule, UGIDFW_BUFSIZ, errstr); if (error) { warnx("%s", errstr); return; @@ -168,7 +170,7 @@ set_rule(int argc, char *argv[]) void remove_rule(int argc, char *argv[]) { - char errstr[BUFSIZ]; + char errstr[UGIDFW_BUFSIZ]; long value; int error, rulenum; char *endp; @@ -185,7 +187,7 @@ remove_rule(int argc, char *argv[]) =20 rulenum =3D value; =20 - error =3D bsde_delete_rule(rulenum, BUFSIZ, errstr); + error =3D bsde_delete_rule(rulenum, UGIDFW_BUFSIZ, errstr); if (error) warnx("%s", errstr); } --+PbGPm1eXpwOoWkI-- --5me2qT3T17SWzdxI Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBAgAGBQJTpt/EAAoJEGqEZY9SRW7uMyAP/i12UiM1dgawxmPgt4ayafH5 mEsml8tB0ue25DtMehO95aFY9J3APq6VRHEneIUH58hfMFS79x3xLNPKiDbGYpI+ uVyAjJ1hrMKx2lsX/NSWjIt72U01lQ5BTh5DcGGly8Px8pmnhlheOjtXZ84Kx3bk ApjPWc9qQt9HUCgzWdzNYKS93LiXGWBCIhD9YoZG+bRQArobRqB6pFFWBVgjjNQY sqnym/6N7/rc125g2LTN71i3Li7WL7IDBd/RD/1730zkhAa0xuFOKm5t2GZVvIxn 9igyiSK7MWynFLo5RYG/ATLdWclfzbH7EgoJp5HgVAU1o9OMSUlLRUcVcX6O69e9 U+s1qYyAHdVKyuO7gkcxKRsMe4jHMRw8LmrD6DjGOFK2gnVBiwE3qh1oc7nb7yBs lQA5dppoVZ7BZLeSOT7ZIno6wGajsD7d1nd5lKfLvwidNKqHqp7aWzGjhEegM9ZK RhXiyxCtWFBfhg5s9btEWvRQiBj4An35sf9TQ+EBfx10OYrIPNOyM9Ha6R2kO8wN L/lkWVpvWOsQBWqQxKihFzcgaiWTpH0y9Ksi11GQyIm1he4fjMNob24ZmScygECx dcqKF48Xv9aVUbAu1glEVl/vY86UVKiE1EIJTPrLedQoKFZA4+3QiFn08VQNmDIA EYM2sjrG51wnXNaLjpyI =IFoC -----END PGP SIGNATURE----- --5me2qT3T17SWzdxI--

‣ 返回看板[ FB_hackers ] BSD

‣ 更多 lattera. 的文章

文章代碼(AID): #1JfndUCv (FB_hackers)