kern/kern_pax.c: Get maxsmap from sys/resourcevar.h.

Respect alignment requests of executable when PAX_ASLR is enabled on
kernel, but disabled for the process, as in the same manner as PAX_ASLR
is disabled; see pax_aslr_exec_offset() for !PAX_ASLR in sys/sys/pax.h.

This is a regression introduced in kern_pax.c rev 1.58:
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/kern/kern_pax.c#rev1.58

Part of PR port-arm/56380 but unfortunately this does not fix the
problem described in the PR...

PAX_SEGVGUARD doesn't seem to work properly in testing for me, but at least
make it not cause problems:

- Cover it with exec_lock so the updates are not racy.
- Using fileassoc is silly. Just hang a pointer off the vnode.

branches: 1.60.6; 1.60.12;
fix typo

Extend the mmap(2) interface to allow requesting protections for later
use with mprotect(2), but without enabling them immediately.

Extend the mremap(2) interface to allow duplicating mappings, i.e.
create a second range of virtual addresses references the same physical
pages. Duplicated mappings can have different effective protections.

Adjust PAX mprotect logic to disallow effective protections of W&X, but
allow one mapping W and another X protections. This obsoletes using
temporary files for purposes like JIT.

Adjust PAX logic for mmap(2) and mprotect(2) to fail if W&X is requested
and not silently drop the X protection.

Improve test cases to ensure correct operation of the changed
interfaces.

branches: 1.58.4;
obey the executable's ELF alignment constraints for PIE.
this fixes gdb of PIE binaries on mac68k (and other platforms
which use an ELF alignment that is larger than PAGE_SIZE).

branches: 1.57.2;
move aslr stuff to the aslr section

vsize_t is not always u_long :-)

branches: 1.55.2;
fix compilation without PAX_MPROTECT

Consistent indent.

Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1
as documented in sysctl(7):
0 - ptrace does not affect mprotect
1 - (default) mprotect is disabled for processes that start executing from
the debugger (being traced)
2 - mprotect restrictions are relaxed for traced processes

Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass
mprotect settings so that debuggers can write to the text segment of traced
processes so that they can insert breakpoints. Turned off by default.
Ok: chuq (for now)

randomize the location of the rtld.

Effectively disable aslr for non-topdown-VA binaries (unless they are
compat32, which we deal with properly). It would be possible to get
those working too, but it is not worth the code complexity.

This makes binaries compiled with -mcmodel=medlow (and ancient binaries)
work again on sparc64, smoothing the upgrade path.

ok: christos

reduce #ifdef mess caused by PaX

Account for the VA hole differently (simpler)

fix for ILP32.

Hook to clamp the random value for mmap for machies that don't have enough
VA bits.

only print debugging info if we are actually going to change the permission.

- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4
and reduce the length of the randomization bits since this is unused.
- call the pax aslr stack function sooner so we don't need to re-adjust the
stack size.
- adjust the stack max resource limit to account for the maximum space that
can be lost by aslr
- tidy up debugging printfs

Fix stack allocation; limit delta to a quarter of the stack size. This should
get rid of the random aborts.

Move all the randomization inside kern_pax.c so we can control it directly.
Add debugging flags to be able to set the random number externally.

GC PAX_ASLR_EXEC

Fix ASLR stack setup:
- make it work on machine where the stack grows up.
- use the same limits as mmap.

Add a flags sysctl for ASLR to disable particular features. We seem to be
having issues with stack setup.

Add PAX_MPROTECT_DEBUG

Add some diagnostic printf's when we reset permissions.

simplify.

Let PaX ASLR know about the current emulation

This effectively fixes PaX ASLR with 32-bits emulation on 64-bits
platforms. Without this knowledge, the offset applied for 32-bits
programs was really meant for a 64-bits address space - thus
shifting the address up to 12 bits, with a success rate of about
1/4096. This offset is calculated once in the lifetime of the
process, which therefore behaved normally when able to start.

Fixes kern/50469, probably also kern/50986

Tested on NetBSD/amd64 (emul_netbsd32)

Allow enabling and disabling PaX ASLR debug

PR/50312: Robert Elz: Unconditionally include <sys/exec.h> to fix compilation
when PAX_ASLR is not defined.

Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two
months ago, but no one reviewed it - probably because it's not a trivial
change.

This change fixes the following bug: when loading a PaX'ed binary, the
kernel updates the PaX flag of the calling process before it makes sure
the new process is actually launched. If the kernel fails to launch the
new process, it does not restore the PaX flag of the calling process,
leaving it in an inconsistent state.

Actually, simply restoring it would be horrible as well, since in the
meantime another thread may have used the flag.

The solution is therefore: modify all the functions used by PaX so that
they take as argument the exec package instead of the lwp, and set the PaX
flag in the process *right before* launching the new process - it cannot
fail in the meantime.

Some changes, to reduce a bit my tech-kern@ patch:
- move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h
- add a generic pax_flags_active() function
- fix a comment in exec_elf.c; interp is not static
- KNF for return
- rename pax_aslr() to pax_aslr_mmap()
- rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()

Small changes:
- rename pax_aslr_init() to pax_aslr_init_vm()
- remove the PAX_ flags (unused)
- fix a comment in pax.h

Revamp PaX:
- don't confuse between ELF flags and proc flags. Introduce the proc-
specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags.
- introduce pax_setup_elf_flags(), which takes as argument the PaX flag
of the ELF PaX note section, and which sets the proc flag as
appropriate. Also introduce a couple of other functions used for that
purpose.
- modify pax_aslr_active(), and all the other similar pieces of code, so
that it checks the proc flag directly, without extra ELF computation

In addition to making PaX clearer, the combination of these changes fixes
the following bug: if a non-PaX'ed process is launched, and then someone
sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes
PaX'ed while its address space hasn't been randomized, which is not likely
to be a good idea.

Now, only the proc flag is checked at runtime, which means the process's
PaX status won't be altered during the execution.

Also:
- declare PAX_DPRINTF, makes it more readable
- fix a typo in exec_elf.h

<sys/rnd.h> not needed for kern_pax.c.

branches: 1.27.6;
Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.

branches: 1.26.8; 1.26.12;
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.25.4;
- Replace few malloc(9) uses with kmem(9).
- Rename buf_malloc() to buf_alloc(), fix comments.
- Remove some unnecessary inclusions.

branches: 1.24.2;
Fix issues with stack allocation and pax aslr:
- since the size is unsigned, don't check just that it is > 0, but limit
it to the MAXSSIZ
- if the stack size is reduced because of aslr, make sure we reduce the
actual allocation by the same size so that the size does not wrap around.
NB: Must be pulled up to 5.x!

rename DEBUG_ASLR -> PAX_ASLR_DEBUG

branches: 1.22.8; 1.22.14; 1.22.16; 1.22.18; 1.22.20;
Fix broken enable test; fixes random coredumps.

Don't use proc specificdata. Speeds up mmap() and others.

branches: 1.20.6; 1.20.8; 1.20.10; 1.20.12;
Provide 8 more bits of stack randomization, from the PaX author.

While here, don't make too much use of one random value, and call
arc4random() directly. Allows for the removal of 'ep_random' from the
exec_package.

Prompted by and okay christos@.

PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h.
Export randomized bits # for stack and exec base too via sysctl.

okay christos@.

Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]

For regular (non PIE) executables randomization is enabled for:
1. The data segment
2. The stack

For PIE executables(*) randomization is enabled for:
1. The program itself
2. All shared libraries
3. The data segment
4. The stack

(*) To generate a PIE executable:
- compile everything with -fPIC
- link with -shared-libgcc -Wl,-pie

This feature is experimental, and might change. To use selectively add
options PAX_ASLR=0
in your kernel.

Currently we are using 12 bits for the stack, program, and data segment and
16 or 24 bits for mmap, depending on __LP64__.

branches: 1.17.6; 1.17.12;
Include sys/cdefs.h first.

branches: 1.16.6; 1.16.8;
Use an elf note to handle pax arguments. This is a temporary solution to
avoid wasting OS flag bits. In the future we'll probably use fileassoc to
achieve this (once there is a way to make fileassoc persistent) or in the
shorter term libelf, so that we can add and remove the note on demand instead
of burning bits on each binary. Of course since this is a tool, this means
that we'll need to think about how to handle libelf...

branches: 1.15.4; 1.15.6;
TRUE -> true, FALSE -> false

Replace the Mach-derived boolean_t type with the C99 bool type. A
future commit will replace use of TRUE and FALSE with true and false.

branches: 1.13.2;
PR/35253: YAMAMOTO Takashi: fileassoc hash size problem

fileassoc_table_add() was removed from the KPI and made internal. From now
fileassoc(9) will manage the optimal table size internally.

Input from and okay yamt@.

Remove advertising clause from all of my stuff.

Fix copy/paste error: Veriexec's sysctl setup routine was named after
PaX's.

- remove the fileassoc "tabledata" functionality. use mountspecific instead.
- make pax_segvguard_cb static.

tested and ok'ed by elad.

- remove a static configuration, FILEASSOC_NHOOKS. do it dynamically instead.
- make fileassoc_t a pointer and remove FILEASSOC_INVAL.
- clean up kern_fileassoc.c. unify duplicated code.
- unexport fileassoc_init using RUN_ONCE(9).
- plug memory leaks in fileassoc_file_delete and fileassoc_table_delete.
- always call callbacks, regardless of the value of the associated data.

ok'ed by elad.

branches: 1.8.2;
Initial implementation of PaX Segvguard (this is still work-in-progress,
it's just to get it out of my local tree).

Make PaX MPROTECT use specificdata(9), freeing up two P_* flags.
While here, make more generic for upcoming PaX features.

- remove an unnecessary #include.
- make some variables static.

Added missing whitespace in sysctl description string. PR kern/34915.

Change the PaX mprotect(2) restrictions' "global_protection" knob to
just "global" -- it's shorter and more readable. Update documentation.

branches: 1.3.2; 1.3.4; 1.3.6; 1.3.10; 1.3.14; 1.3.16; 1.3.18;
Better implementation of PaX MPROTECT, after looking some more into the
code and not trying to use temporary solutions.

Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX
author for being quick to recognize that something fishy's going on. :)

Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().

Next time I suggest to commit a temporary solution just revoke my
commit bit.

branches: 1.2.2;
CTLFLAG_IMMEDIATE doesn't do what I thought it did. from yamt@, thanks!

Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.

Respect alignment requests of executable when PAX_ASLR is enabled on
kernel, but disabled for the process, as in the same manner as PAX_ASLR
is disabled; see pax_aslr_exec_offset() for !PAX_ASLR in sys/sys/pax.h.

This is a regression introduced in kern_pax.c rev 1.58:
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/kern/kern_pax.c#rev1.58

Part of PR port-arm/56380 but unfortunately this does not fix the
problem described in the PR...

PAX_SEGVGUARD doesn't seem to work properly in testing for me, but at least
make it not cause problems:

- Cover it with exec_lock so the updates are not racy.
- Using fileassoc is silly. Just hang a pointer off the vnode.

branches: 1.60.6; 1.60.12;
fix typo

Extend the mmap(2) interface to allow requesting protections for later
use with mprotect(2), but without enabling them immediately.

Extend the mremap(2) interface to allow duplicating mappings, i.e.
create a second range of virtual addresses references the same physical
pages. Duplicated mappings can have different effective protections.

Adjust PAX mprotect logic to disallow effective protections of W&X, but
allow one mapping W and another X protections. This obsoletes using
temporary files for purposes like JIT.

Adjust PAX logic for mmap(2) and mprotect(2) to fail if W&X is requested
and not silently drop the X protection.

Improve test cases to ensure correct operation of the changed
interfaces.

branches: 1.58.4;
obey the executable's ELF alignment constraints for PIE.
this fixes gdb of PIE binaries on mac68k (and other platforms
which use an ELF alignment that is larger than PAGE_SIZE).

branches: 1.57.2;
move aslr stuff to the aslr section

vsize_t is not always u_long :-)

branches: 1.55.2;
fix compilation without PAX_MPROTECT

Consistent indent.

Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1
as documented in sysctl(7):
0 - ptrace does not affect mprotect
1 - (default) mprotect is disabled for processes that start executing from
the debugger (being traced)
2 - mprotect restrictions are relaxed for traced processes

Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass
mprotect settings so that debuggers can write to the text segment of traced
processes so that they can insert breakpoints. Turned off by default.
Ok: chuq (for now)

randomize the location of the rtld.

Effectively disable aslr for non-topdown-VA binaries (unless they are
compat32, which we deal with properly). It would be possible to get
those working too, but it is not worth the code complexity.

This makes binaries compiled with -mcmodel=medlow (and ancient binaries)
work again on sparc64, smoothing the upgrade path.

ok: christos

reduce #ifdef mess caused by PaX

Account for the VA hole differently (simpler)

fix for ILP32.

Hook to clamp the random value for mmap for machies that don't have enough
VA bits.

only print debugging info if we are actually going to change the permission.

- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4
and reduce the length of the randomization bits since this is unused.
- call the pax aslr stack function sooner so we don't need to re-adjust the
stack size.
- adjust the stack max resource limit to account for the maximum space that
can be lost by aslr
- tidy up debugging printfs

Fix stack allocation; limit delta to a quarter of the stack size. This should
get rid of the random aborts.

Move all the randomization inside kern_pax.c so we can control it directly.
Add debugging flags to be able to set the random number externally.

GC PAX_ASLR_EXEC

Fix ASLR stack setup:
- make it work on machine where the stack grows up.
- use the same limits as mmap.

Add a flags sysctl for ASLR to disable particular features. We seem to be
having issues with stack setup.

Add PAX_MPROTECT_DEBUG

Add some diagnostic printf's when we reset permissions.

simplify.

Let PaX ASLR know about the current emulation

This effectively fixes PaX ASLR with 32-bits emulation on 64-bits
platforms. Without this knowledge, the offset applied for 32-bits
programs was really meant for a 64-bits address space - thus
shifting the address up to 12 bits, with a success rate of about
1/4096. This offset is calculated once in the lifetime of the
process, which therefore behaved normally when able to start.

Fixes kern/50469, probably also kern/50986

Tested on NetBSD/amd64 (emul_netbsd32)

Allow enabling and disabling PaX ASLR debug

PR/50312: Robert Elz: Unconditionally include <sys/exec.h> to fix compilation
when PAX_ASLR is not defined.

Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two
months ago, but no one reviewed it - probably because it's not a trivial
change.

This change fixes the following bug: when loading a PaX'ed binary, the
kernel updates the PaX flag of the calling process before it makes sure
the new process is actually launched. If the kernel fails to launch the
new process, it does not restore the PaX flag of the calling process,
leaving it in an inconsistent state.

Actually, simply restoring it would be horrible as well, since in the
meantime another thread may have used the flag.

The solution is therefore: modify all the functions used by PaX so that
they take as argument the exec package instead of the lwp, and set the PaX
flag in the process *right before* launching the new process - it cannot
fail in the meantime.

Some changes, to reduce a bit my tech-kern@ patch:
- move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h
- add a generic pax_flags_active() function
- fix a comment in exec_elf.c; interp is not static
- KNF for return
- rename pax_aslr() to pax_aslr_mmap()
- rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()

Small changes:
- rename pax_aslr_init() to pax_aslr_init_vm()
- remove the PAX_ flags (unused)
- fix a comment in pax.h

Revamp PaX:
- don't confuse between ELF flags and proc flags. Introduce the proc-
specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags.
- introduce pax_setup_elf_flags(), which takes as argument the PaX flag
of the ELF PaX note section, and which sets the proc flag as
appropriate. Also introduce a couple of other functions used for that
purpose.
- modify pax_aslr_active(), and all the other similar pieces of code, so
that it checks the proc flag directly, without extra ELF computation

In addition to making PaX clearer, the combination of these changes fixes
the following bug: if a non-PaX'ed process is launched, and then someone
sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes
PaX'ed while its address space hasn't been randomized, which is not likely
to be a good idea.

Now, only the proc flag is checked at runtime, which means the process's
PaX status won't be altered during the execution.

Also:
- declare PAX_DPRINTF, makes it more readable
- fix a typo in exec_elf.h

<sys/rnd.h> not needed for kern_pax.c.

branches: 1.27.6;
Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.

branches: 1.26.8; 1.26.12;
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.25.4;
- Replace few malloc(9) uses with kmem(9).
- Rename buf_malloc() to buf_alloc(), fix comments.
- Remove some unnecessary inclusions.

branches: 1.24.2;
Fix issues with stack allocation and pax aslr:
- since the size is unsigned, don't check just that it is > 0, but limit
it to the MAXSSIZ
- if the stack size is reduced because of aslr, make sure we reduce the
actual allocation by the same size so that the size does not wrap around.
NB: Must be pulled up to 5.x!

rename DEBUG_ASLR -> PAX_ASLR_DEBUG

branches: 1.22.8; 1.22.14; 1.22.16; 1.22.18; 1.22.20;
Fix broken enable test; fixes random coredumps.

Don't use proc specificdata. Speeds up mmap() and others.

branches: 1.20.6; 1.20.8; 1.20.10; 1.20.12;
Provide 8 more bits of stack randomization, from the PaX author.

While here, don't make too much use of one random value, and call
arc4random() directly. Allows for the removal of 'ep_random' from the
exec_package.

Prompted by and okay christos@.

PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h.
Export randomized bits # for stack and exec base too via sysctl.

okay christos@.

Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]

For regular (non PIE) executables randomization is enabled for:
1. The data segment
2. The stack

For PIE executables(*) randomization is enabled for:
1. The program itself
2. All shared libraries
3. The data segment
4. The stack

(*) To generate a PIE executable:
- compile everything with -fPIC
- link with -shared-libgcc -Wl,-pie

This feature is experimental, and might change. To use selectively add
options PAX_ASLR=0
in your kernel.

Currently we are using 12 bits for the stack, program, and data segment and
16 or 24 bits for mmap, depending on __LP64__.

branches: 1.17.6; 1.17.12;
Include sys/cdefs.h first.

branches: 1.16.6; 1.16.8;
Use an elf note to handle pax arguments. This is a temporary solution to
avoid wasting OS flag bits. In the future we'll probably use fileassoc to
achieve this (once there is a way to make fileassoc persistent) or in the
shorter term libelf, so that we can add and remove the note on demand instead
of burning bits on each binary. Of course since this is a tool, this means
that we'll need to think about how to handle libelf...

branches: 1.15.4; 1.15.6;
TRUE -> true, FALSE -> false

Replace the Mach-derived boolean_t type with the C99 bool type. A
future commit will replace use of TRUE and FALSE with true and false.

branches: 1.13.2;
PR/35253: YAMAMOTO Takashi: fileassoc hash size problem

fileassoc_table_add() was removed from the KPI and made internal. From now
fileassoc(9) will manage the optimal table size internally.

Input from and okay yamt@.

Remove advertising clause from all of my stuff.

Fix copy/paste error: Veriexec's sysctl setup routine was named after
PaX's.

- remove the fileassoc "tabledata" functionality. use mountspecific instead.
- make pax_segvguard_cb static.

tested and ok'ed by elad.

- remove a static configuration, FILEASSOC_NHOOKS. do it dynamically instead.
- make fileassoc_t a pointer and remove FILEASSOC_INVAL.
- clean up kern_fileassoc.c. unify duplicated code.
- unexport fileassoc_init using RUN_ONCE(9).
- plug memory leaks in fileassoc_file_delete and fileassoc_table_delete.
- always call callbacks, regardless of the value of the associated data.

ok'ed by elad.

branches: 1.8.2;
Initial implementation of PaX Segvguard (this is still work-in-progress,
it's just to get it out of my local tree).

Make PaX MPROTECT use specificdata(9), freeing up two P_* flags.
While here, make more generic for upcoming PaX features.

- remove an unnecessary #include.
- make some variables static.

Added missing whitespace in sysctl description string. PR kern/34915.

Change the PaX mprotect(2) restrictions' "global_protection" knob to
just "global" -- it's shorter and more readable. Update documentation.

branches: 1.3.2; 1.3.4; 1.3.6; 1.3.10; 1.3.14; 1.3.16; 1.3.18;
Better implementation of PaX MPROTECT, after looking some more into the
code and not trying to use temporary solutions.

Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX
author for being quick to recognize that something fishy's going on. :)

Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().

Next time I suggest to commit a temporary solution just revoke my
commit bit.

branches: 1.2.2;
CTLFLAG_IMMEDIATE doesn't do what I thought it did. from yamt@, thanks!

Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.

PAX_SEGVGUARD doesn't seem to work properly in testing for me, but at least
make it not cause problems:

- Cover it with exec_lock so the updates are not racy.
- Using fileassoc is silly. Just hang a pointer off the vnode.

fix typo

Extend the mmap(2) interface to allow requesting protections for later
use with mprotect(2), but without enabling them immediately.

Extend the mremap(2) interface to allow duplicating mappings, i.e.
create a second range of virtual addresses references the same physical
pages. Duplicated mappings can have different effective protections.

Adjust PAX mprotect logic to disallow effective protections of W&X, but
allow one mapping W and another X protections. This obsoletes using
temporary files for purposes like JIT.

Adjust PAX logic for mmap(2) and mprotect(2) to fail if W&X is requested
and not silently drop the X protection.

Improve test cases to ensure correct operation of the changed
interfaces.

branches: 1.58.4;
obey the executable's ELF alignment constraints for PIE.
this fixes gdb of PIE binaries on mac68k (and other platforms
which use an ELF alignment that is larger than PAGE_SIZE).

branches: 1.57.2;
move aslr stuff to the aslr section

vsize_t is not always u_long :-)

branches: 1.55.2;
fix compilation without PAX_MPROTECT

Consistent indent.

Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1
as documented in sysctl(7):
0 - ptrace does not affect mprotect
1 - (default) mprotect is disabled for processes that start executing from
the debugger (being traced)
2 - mprotect restrictions are relaxed for traced processes

Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass
mprotect settings so that debuggers can write to the text segment of traced
processes so that they can insert breakpoints. Turned off by default.
Ok: chuq (for now)

randomize the location of the rtld.

Effectively disable aslr for non-topdown-VA binaries (unless they are
compat32, which we deal with properly). It would be possible to get
those working too, but it is not worth the code complexity.

This makes binaries compiled with -mcmodel=medlow (and ancient binaries)
work again on sparc64, smoothing the upgrade path.

ok: christos

reduce #ifdef mess caused by PaX

Account for the VA hole differently (simpler)

fix for ILP32.

Hook to clamp the random value for mmap for machies that don't have enough
VA bits.

only print debugging info if we are actually going to change the permission.

- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4
and reduce the length of the randomization bits since this is unused.
- call the pax aslr stack function sooner so we don't need to re-adjust the
stack size.
- adjust the stack max resource limit to account for the maximum space that
can be lost by aslr
- tidy up debugging printfs

Fix stack allocation; limit delta to a quarter of the stack size. This should
get rid of the random aborts.

Move all the randomization inside kern_pax.c so we can control it directly.
Add debugging flags to be able to set the random number externally.

GC PAX_ASLR_EXEC

Fix ASLR stack setup:
- make it work on machine where the stack grows up.
- use the same limits as mmap.

Add a flags sysctl for ASLR to disable particular features. We seem to be
having issues with stack setup.

Add PAX_MPROTECT_DEBUG

Add some diagnostic printf's when we reset permissions.

simplify.

Let PaX ASLR know about the current emulation

This effectively fixes PaX ASLR with 32-bits emulation on 64-bits
platforms. Without this knowledge, the offset applied for 32-bits
programs was really meant for a 64-bits address space - thus
shifting the address up to 12 bits, with a success rate of about
1/4096. This offset is calculated once in the lifetime of the
process, which therefore behaved normally when able to start.

Fixes kern/50469, probably also kern/50986

Tested on NetBSD/amd64 (emul_netbsd32)

Allow enabling and disabling PaX ASLR debug

PR/50312: Robert Elz: Unconditionally include <sys/exec.h> to fix compilation
when PAX_ASLR is not defined.

Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two
months ago, but no one reviewed it - probably because it's not a trivial
change.

This change fixes the following bug: when loading a PaX'ed binary, the
kernel updates the PaX flag of the calling process before it makes sure
the new process is actually launched. If the kernel fails to launch the
new process, it does not restore the PaX flag of the calling process,
leaving it in an inconsistent state.

Actually, simply restoring it would be horrible as well, since in the
meantime another thread may have used the flag.

The solution is therefore: modify all the functions used by PaX so that
they take as argument the exec package instead of the lwp, and set the PaX
flag in the process *right before* launching the new process - it cannot
fail in the meantime.

Some changes, to reduce a bit my tech-kern@ patch:
- move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h
- add a generic pax_flags_active() function
- fix a comment in exec_elf.c; interp is not static
- KNF for return
- rename pax_aslr() to pax_aslr_mmap()
- rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()

Small changes:
- rename pax_aslr_init() to pax_aslr_init_vm()
- remove the PAX_ flags (unused)
- fix a comment in pax.h

Revamp PaX:
- don't confuse between ELF flags and proc flags. Introduce the proc-
specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags.
- introduce pax_setup_elf_flags(), which takes as argument the PaX flag
of the ELF PaX note section, and which sets the proc flag as
appropriate. Also introduce a couple of other functions used for that
purpose.
- modify pax_aslr_active(), and all the other similar pieces of code, so
that it checks the proc flag directly, without extra ELF computation

In addition to making PaX clearer, the combination of these changes fixes
the following bug: if a non-PaX'ed process is launched, and then someone
sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes
PaX'ed while its address space hasn't been randomized, which is not likely
to be a good idea.

Now, only the proc flag is checked at runtime, which means the process's
PaX status won't be altered during the execution.

Also:
- declare PAX_DPRINTF, makes it more readable
- fix a typo in exec_elf.h

<sys/rnd.h> not needed for kern_pax.c.

branches: 1.27.6;
Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.

branches: 1.26.8; 1.26.12;
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.25.4;
- Replace few malloc(9) uses with kmem(9).
- Rename buf_malloc() to buf_alloc(), fix comments.
- Remove some unnecessary inclusions.

branches: 1.24.2;
Fix issues with stack allocation and pax aslr:
- since the size is unsigned, don't check just that it is > 0, but limit
it to the MAXSSIZ
- if the stack size is reduced because of aslr, make sure we reduce the
actual allocation by the same size so that the size does not wrap around.
NB: Must be pulled up to 5.x!

rename DEBUG_ASLR -> PAX_ASLR_DEBUG

branches: 1.22.8; 1.22.14; 1.22.16; 1.22.18; 1.22.20;
Fix broken enable test; fixes random coredumps.

Don't use proc specificdata. Speeds up mmap() and others.

branches: 1.20.6; 1.20.8; 1.20.10; 1.20.12;
Provide 8 more bits of stack randomization, from the PaX author.

While here, don't make too much use of one random value, and call
arc4random() directly. Allows for the removal of 'ep_random' from the
exec_package.

Prompted by and okay christos@.

PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h.
Export randomized bits # for stack and exec base too via sysctl.

okay christos@.

Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]

For regular (non PIE) executables randomization is enabled for:
1. The data segment
2. The stack

For PIE executables(*) randomization is enabled for:
1. The program itself
2. All shared libraries
3. The data segment
4. The stack

(*) To generate a PIE executable:
- compile everything with -fPIC
- link with -shared-libgcc -Wl,-pie

This feature is experimental, and might change. To use selectively add
options PAX_ASLR=0
in your kernel.

Currently we are using 12 bits for the stack, program, and data segment and
16 or 24 bits for mmap, depending on __LP64__.

branches: 1.17.6; 1.17.12;
Include sys/cdefs.h first.

branches: 1.16.6; 1.16.8;
Use an elf note to handle pax arguments. This is a temporary solution to
avoid wasting OS flag bits. In the future we'll probably use fileassoc to
achieve this (once there is a way to make fileassoc persistent) or in the
shorter term libelf, so that we can add and remove the note on demand instead
of burning bits on each binary. Of course since this is a tool, this means
that we'll need to think about how to handle libelf...

branches: 1.15.4; 1.15.6;
TRUE -> true, FALSE -> false

Replace the Mach-derived boolean_t type with the C99 bool type. A
future commit will replace use of TRUE and FALSE with true and false.

branches: 1.13.2;
PR/35253: YAMAMOTO Takashi: fileassoc hash size problem

fileassoc_table_add() was removed from the KPI and made internal. From now
fileassoc(9) will manage the optimal table size internally.

Input from and okay yamt@.

Remove advertising clause from all of my stuff.

Fix copy/paste error: Veriexec's sysctl setup routine was named after
PaX's.

- remove the fileassoc "tabledata" functionality. use mountspecific instead.
- make pax_segvguard_cb static.

tested and ok'ed by elad.

- remove a static configuration, FILEASSOC_NHOOKS. do it dynamically instead.
- make fileassoc_t a pointer and remove FILEASSOC_INVAL.
- clean up kern_fileassoc.c. unify duplicated code.
- unexport fileassoc_init using RUN_ONCE(9).
- plug memory leaks in fileassoc_file_delete and fileassoc_table_delete.
- always call callbacks, regardless of the value of the associated data.

ok'ed by elad.

branches: 1.8.2;
Initial implementation of PaX Segvguard (this is still work-in-progress,
it's just to get it out of my local tree).

Make PaX MPROTECT use specificdata(9), freeing up two P_* flags.
While here, make more generic for upcoming PaX features.

- remove an unnecessary #include.
- make some variables static.

Added missing whitespace in sysctl description string. PR kern/34915.

Change the PaX mprotect(2) restrictions' "global_protection" knob to
just "global" -- it's shorter and more readable. Update documentation.

branches: 1.3.2; 1.3.4; 1.3.6; 1.3.10; 1.3.14; 1.3.16; 1.3.18;
Better implementation of PaX MPROTECT, after looking some more into the
code and not trying to use temporary solutions.

Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX
author for being quick to recognize that something fishy's going on. :)

Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().

Next time I suggest to commit a temporary solution just revoke my
commit bit.

branches: 1.2.2;
CTLFLAG_IMMEDIATE doesn't do what I thought it did. from yamt@, thanks!

Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.

fix typo

Extend the mmap(2) interface to allow requesting protections for later
use with mprotect(2), but without enabling them immediately.

Extend the mremap(2) interface to allow duplicating mappings, i.e.
create a second range of virtual addresses references the same physical
pages. Duplicated mappings can have different effective protections.

Adjust PAX mprotect logic to disallow effective protections of W&X, but
allow one mapping W and another X protections. This obsoletes using
temporary files for purposes like JIT.

Adjust PAX logic for mmap(2) and mprotect(2) to fail if W&X is requested
and not silently drop the X protection.

Improve test cases to ensure correct operation of the changed
interfaces.

branches: 1.58.4;
obey the executable's ELF alignment constraints for PIE.
this fixes gdb of PIE binaries on mac68k (and other platforms
which use an ELF alignment that is larger than PAGE_SIZE).

branches: 1.57.2;
move aslr stuff to the aslr section

vsize_t is not always u_long :-)

branches: 1.55.2;
fix compilation without PAX_MPROTECT

Consistent indent.

Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1
as documented in sysctl(7):
0 - ptrace does not affect mprotect
1 - (default) mprotect is disabled for processes that start executing from
the debugger (being traced)
2 - mprotect restrictions are relaxed for traced processes

Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass
mprotect settings so that debuggers can write to the text segment of traced
processes so that they can insert breakpoints. Turned off by default.
Ok: chuq (for now)

randomize the location of the rtld.

Effectively disable aslr for non-topdown-VA binaries (unless they are
compat32, which we deal with properly). It would be possible to get
those working too, but it is not worth the code complexity.

This makes binaries compiled with -mcmodel=medlow (and ancient binaries)
work again on sparc64, smoothing the upgrade path.

ok: christos

reduce #ifdef mess caused by PaX

Account for the VA hole differently (simpler)

fix for ILP32.

Hook to clamp the random value for mmap for machies that don't have enough
VA bits.

only print debugging info if we are actually going to change the permission.

- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4
and reduce the length of the randomization bits since this is unused.
- call the pax aslr stack function sooner so we don't need to re-adjust the
stack size.
- adjust the stack max resource limit to account for the maximum space that
can be lost by aslr
- tidy up debugging printfs

Fix stack allocation; limit delta to a quarter of the stack size. This should
get rid of the random aborts.

Move all the randomization inside kern_pax.c so we can control it directly.
Add debugging flags to be able to set the random number externally.

GC PAX_ASLR_EXEC

Fix ASLR stack setup:
- make it work on machine where the stack grows up.
- use the same limits as mmap.

Add a flags sysctl for ASLR to disable particular features. We seem to be
having issues with stack setup.

Add PAX_MPROTECT_DEBUG

Add some diagnostic printf's when we reset permissions.

simplify.

Let PaX ASLR know about the current emulation

This effectively fixes PaX ASLR with 32-bits emulation on 64-bits
platforms. Without this knowledge, the offset applied for 32-bits
programs was really meant for a 64-bits address space - thus
shifting the address up to 12 bits, with a success rate of about
1/4096. This offset is calculated once in the lifetime of the
process, which therefore behaved normally when able to start.

Fixes kern/50469, probably also kern/50986

Tested on NetBSD/amd64 (emul_netbsd32)

Allow enabling and disabling PaX ASLR debug

PR/50312: Robert Elz: Unconditionally include <sys/exec.h> to fix compilation
when PAX_ASLR is not defined.

Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two
months ago, but no one reviewed it - probably because it's not a trivial
change.

This change fixes the following bug: when loading a PaX'ed binary, the
kernel updates the PaX flag of the calling process before it makes sure
the new process is actually launched. If the kernel fails to launch the
new process, it does not restore the PaX flag of the calling process,
leaving it in an inconsistent state.

Actually, simply restoring it would be horrible as well, since in the
meantime another thread may have used the flag.

The solution is therefore: modify all the functions used by PaX so that
they take as argument the exec package instead of the lwp, and set the PaX
flag in the process *right before* launching the new process - it cannot
fail in the meantime.

Some changes, to reduce a bit my tech-kern@ patch:
- move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h
- add a generic pax_flags_active() function
- fix a comment in exec_elf.c; interp is not static
- KNF for return
- rename pax_aslr() to pax_aslr_mmap()
- rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()

Small changes:
- rename pax_aslr_init() to pax_aslr_init_vm()
- remove the PAX_ flags (unused)
- fix a comment in pax.h

Revamp PaX:
- don't confuse between ELF flags and proc flags. Introduce the proc-
specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags.
- introduce pax_setup_elf_flags(), which takes as argument the PaX flag
of the ELF PaX note section, and which sets the proc flag as
appropriate. Also introduce a couple of other functions used for that
purpose.
- modify pax_aslr_active(), and all the other similar pieces of code, so
that it checks the proc flag directly, without extra ELF computation

In addition to making PaX clearer, the combination of these changes fixes
the following bug: if a non-PaX'ed process is launched, and then someone
sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes
PaX'ed while its address space hasn't been randomized, which is not likely
to be a good idea.

Now, only the proc flag is checked at runtime, which means the process's
PaX status won't be altered during the execution.

Also:
- declare PAX_DPRINTF, makes it more readable
- fix a typo in exec_elf.h

<sys/rnd.h> not needed for kern_pax.c.

branches: 1.27.6;
Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.

branches: 1.26.8; 1.26.12;
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.25.4;
- Replace few malloc(9) uses with kmem(9).
- Rename buf_malloc() to buf_alloc(), fix comments.
- Remove some unnecessary inclusions.

branches: 1.24.2;
Fix issues with stack allocation and pax aslr:
- since the size is unsigned, don't check just that it is > 0, but limit
it to the MAXSSIZ
- if the stack size is reduced because of aslr, make sure we reduce the
actual allocation by the same size so that the size does not wrap around.
NB: Must be pulled up to 5.x!

rename DEBUG_ASLR -> PAX_ASLR_DEBUG

branches: 1.22.8; 1.22.14; 1.22.16; 1.22.18; 1.22.20;
Fix broken enable test; fixes random coredumps.

Don't use proc specificdata. Speeds up mmap() and others.

branches: 1.20.6; 1.20.8; 1.20.10; 1.20.12;
Provide 8 more bits of stack randomization, from the PaX author.

While here, don't make too much use of one random value, and call
arc4random() directly. Allows for the removal of 'ep_random' from the
exec_package.

Prompted by and okay christos@.

PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h.
Export randomized bits # for stack and exec base too via sysctl.

okay christos@.

Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]

For regular (non PIE) executables randomization is enabled for:
1. The data segment
2. The stack

For PIE executables(*) randomization is enabled for:
1. The program itself
2. All shared libraries
3. The data segment
4. The stack

(*) To generate a PIE executable:
- compile everything with -fPIC
- link with -shared-libgcc -Wl,-pie

This feature is experimental, and might change. To use selectively add
options PAX_ASLR=0
in your kernel.

Currently we are using 12 bits for the stack, program, and data segment and
16 or 24 bits for mmap, depending on __LP64__.

branches: 1.17.6; 1.17.12;
Include sys/cdefs.h first.

branches: 1.16.6; 1.16.8;
Use an elf note to handle pax arguments. This is a temporary solution to
avoid wasting OS flag bits. In the future we'll probably use fileassoc to
achieve this (once there is a way to make fileassoc persistent) or in the
shorter term libelf, so that we can add and remove the note on demand instead
of burning bits on each binary. Of course since this is a tool, this means
that we'll need to think about how to handle libelf...

branches: 1.15.4; 1.15.6;
TRUE -> true, FALSE -> false

Replace the Mach-derived boolean_t type with the C99 bool type. A
future commit will replace use of TRUE and FALSE with true and false.

branches: 1.13.2;
PR/35253: YAMAMOTO Takashi: fileassoc hash size problem

fileassoc_table_add() was removed from the KPI and made internal. From now
fileassoc(9) will manage the optimal table size internally.

Input from and okay yamt@.

Remove advertising clause from all of my stuff.

Fix copy/paste error: Veriexec's sysctl setup routine was named after
PaX's.

- remove the fileassoc "tabledata" functionality. use mountspecific instead.
- make pax_segvguard_cb static.

tested and ok'ed by elad.

- remove a static configuration, FILEASSOC_NHOOKS. do it dynamically instead.
- make fileassoc_t a pointer and remove FILEASSOC_INVAL.
- clean up kern_fileassoc.c. unify duplicated code.
- unexport fileassoc_init using RUN_ONCE(9).
- plug memory leaks in fileassoc_file_delete and fileassoc_table_delete.
- always call callbacks, regardless of the value of the associated data.

ok'ed by elad.

branches: 1.8.2;
Initial implementation of PaX Segvguard (this is still work-in-progress,
it's just to get it out of my local tree).

Make PaX MPROTECT use specificdata(9), freeing up two P_* flags.
While here, make more generic for upcoming PaX features.

- remove an unnecessary #include.
- make some variables static.

Added missing whitespace in sysctl description string. PR kern/34915.

Change the PaX mprotect(2) restrictions' "global_protection" knob to
just "global" -- it's shorter and more readable. Update documentation.

branches: 1.3.2; 1.3.4; 1.3.6; 1.3.10; 1.3.14; 1.3.16; 1.3.18;
Better implementation of PaX MPROTECT, after looking some more into the
code and not trying to use temporary solutions.

Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX
author for being quick to recognize that something fishy's going on. :)

Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().

Next time I suggest to commit a temporary solution just revoke my
commit bit.

branches: 1.2.2;
CTLFLAG_IMMEDIATE doesn't do what I thought it did. from yamt@, thanks!

Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.

Extend the mmap(2) interface to allow requesting protections for later
use with mprotect(2), but without enabling them immediately.

Extend the mremap(2) interface to allow duplicating mappings, i.e.
create a second range of virtual addresses references the same physical
pages. Duplicated mappings can have different effective protections.

Adjust PAX mprotect logic to disallow effective protections of W&X, but
allow one mapping W and another X protections. This obsoletes using
temporary files for purposes like JIT.

Adjust PAX logic for mmap(2) and mprotect(2) to fail if W&X is requested
and not silently drop the X protection.

Improve test cases to ensure correct operation of the changed
interfaces.

obey the executable's ELF alignment constraints for PIE.
this fixes gdb of PIE binaries on mac68k (and other platforms
which use an ELF alignment that is larger than PAGE_SIZE).

branches: 1.57.2;
move aslr stuff to the aslr section

vsize_t is not always u_long :-)

branches: 1.55.2;
fix compilation without PAX_MPROTECT

Consistent indent.

Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1
as documented in sysctl(7):
0 - ptrace does not affect mprotect
1 - (default) mprotect is disabled for processes that start executing from
the debugger (being traced)
2 - mprotect restrictions are relaxed for traced processes

Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass
mprotect settings so that debuggers can write to the text segment of traced
processes so that they can insert breakpoints. Turned off by default.
Ok: chuq (for now)

randomize the location of the rtld.

Effectively disable aslr for non-topdown-VA binaries (unless they are
compat32, which we deal with properly). It would be possible to get
those working too, but it is not worth the code complexity.

This makes binaries compiled with -mcmodel=medlow (and ancient binaries)
work again on sparc64, smoothing the upgrade path.

ok: christos

reduce #ifdef mess caused by PaX

Account for the VA hole differently (simpler)

fix for ILP32.

Hook to clamp the random value for mmap for machies that don't have enough
VA bits.

only print debugging info if we are actually going to change the permission.

- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4
and reduce the length of the randomization bits since this is unused.
- call the pax aslr stack function sooner so we don't need to re-adjust the
stack size.
- adjust the stack max resource limit to account for the maximum space that
can be lost by aslr
- tidy up debugging printfs

Fix stack allocation; limit delta to a quarter of the stack size. This should
get rid of the random aborts.

Move all the randomization inside kern_pax.c so we can control it directly.
Add debugging flags to be able to set the random number externally.

GC PAX_ASLR_EXEC

Fix ASLR stack setup:
- make it work on machine where the stack grows up.
- use the same limits as mmap.

Add a flags sysctl for ASLR to disable particular features. We seem to be
having issues with stack setup.

Add PAX_MPROTECT_DEBUG

Add some diagnostic printf's when we reset permissions.

simplify.

Let PaX ASLR know about the current emulation

This effectively fixes PaX ASLR with 32-bits emulation on 64-bits
platforms. Without this knowledge, the offset applied for 32-bits
programs was really meant for a 64-bits address space - thus
shifting the address up to 12 bits, with a success rate of about
1/4096. This offset is calculated once in the lifetime of the
process, which therefore behaved normally when able to start.

Fixes kern/50469, probably also kern/50986

Tested on NetBSD/amd64 (emul_netbsd32)

Allow enabling and disabling PaX ASLR debug

PR/50312: Robert Elz: Unconditionally include <sys/exec.h> to fix compilation
when PAX_ASLR is not defined.

Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two
months ago, but no one reviewed it - probably because it's not a trivial
change.

This change fixes the following bug: when loading a PaX'ed binary, the
kernel updates the PaX flag of the calling process before it makes sure
the new process is actually launched. If the kernel fails to launch the
new process, it does not restore the PaX flag of the calling process,
leaving it in an inconsistent state.

Actually, simply restoring it would be horrible as well, since in the
meantime another thread may have used the flag.

The solution is therefore: modify all the functions used by PaX so that
they take as argument the exec package instead of the lwp, and set the PaX
flag in the process *right before* launching the new process - it cannot
fail in the meantime.

Some changes, to reduce a bit my tech-kern@ patch:
- move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h
- add a generic pax_flags_active() function
- fix a comment in exec_elf.c; interp is not static
- KNF for return
- rename pax_aslr() to pax_aslr_mmap()
- rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()

Small changes:
- rename pax_aslr_init() to pax_aslr_init_vm()
- remove the PAX_ flags (unused)
- fix a comment in pax.h

Revamp PaX:
- don't confuse between ELF flags and proc flags. Introduce the proc-
specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags.
- introduce pax_setup_elf_flags(), which takes as argument the PaX flag
of the ELF PaX note section, and which sets the proc flag as
appropriate. Also introduce a couple of other functions used for that
purpose.
- modify pax_aslr_active(), and all the other similar pieces of code, so
that it checks the proc flag directly, without extra ELF computation

In addition to making PaX clearer, the combination of these changes fixes
the following bug: if a non-PaX'ed process is launched, and then someone
sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes
PaX'ed while its address space hasn't been randomized, which is not likely
to be a good idea.

Now, only the proc flag is checked at runtime, which means the process's
PaX status won't be altered during the execution.

Also:
- declare PAX_DPRINTF, makes it more readable
- fix a typo in exec_elf.h

<sys/rnd.h> not needed for kern_pax.c.

branches: 1.27.6;
Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.

branches: 1.26.8; 1.26.12;
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.25.4;
- Replace few malloc(9) uses with kmem(9).
- Rename buf_malloc() to buf_alloc(), fix comments.
- Remove some unnecessary inclusions.

branches: 1.24.2;
Fix issues with stack allocation and pax aslr:
- since the size is unsigned, don't check just that it is > 0, but limit
it to the MAXSSIZ
- if the stack size is reduced because of aslr, make sure we reduce the
actual allocation by the same size so that the size does not wrap around.
NB: Must be pulled up to 5.x!

rename DEBUG_ASLR -> PAX_ASLR_DEBUG

branches: 1.22.8; 1.22.14; 1.22.16; 1.22.18; 1.22.20;
Fix broken enable test; fixes random coredumps.

Don't use proc specificdata. Speeds up mmap() and others.

branches: 1.20.6; 1.20.8; 1.20.10; 1.20.12;
Provide 8 more bits of stack randomization, from the PaX author.

While here, don't make too much use of one random value, and call
arc4random() directly. Allows for the removal of 'ep_random' from the
exec_package.

Prompted by and okay christos@.

PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h.
Export randomized bits # for stack and exec base too via sysctl.

okay christos@.

Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]

For regular (non PIE) executables randomization is enabled for:
1. The data segment
2. The stack

For PIE executables(*) randomization is enabled for:
1. The program itself
2. All shared libraries
3. The data segment
4. The stack

(*) To generate a PIE executable:
- compile everything with -fPIC
- link with -shared-libgcc -Wl,-pie

This feature is experimental, and might change. To use selectively add
options PAX_ASLR=0
in your kernel.

Currently we are using 12 bits for the stack, program, and data segment and
16 or 24 bits for mmap, depending on __LP64__.

branches: 1.17.6; 1.17.12;
Include sys/cdefs.h first.

branches: 1.16.6; 1.16.8;
Use an elf note to handle pax arguments. This is a temporary solution to
avoid wasting OS flag bits. In the future we'll probably use fileassoc to
achieve this (once there is a way to make fileassoc persistent) or in the
shorter term libelf, so that we can add and remove the note on demand instead
of burning bits on each binary. Of course since this is a tool, this means
that we'll need to think about how to handle libelf...

branches: 1.15.4; 1.15.6;
TRUE -> true, FALSE -> false

Replace the Mach-derived boolean_t type with the C99 bool type. A
future commit will replace use of TRUE and FALSE with true and false.

branches: 1.13.2;
PR/35253: YAMAMOTO Takashi: fileassoc hash size problem

fileassoc_table_add() was removed from the KPI and made internal. From now
fileassoc(9) will manage the optimal table size internally.

Input from and okay yamt@.

Remove advertising clause from all of my stuff.

Fix copy/paste error: Veriexec's sysctl setup routine was named after
PaX's.

- remove the fileassoc "tabledata" functionality. use mountspecific instead.
- make pax_segvguard_cb static.

tested and ok'ed by elad.

- remove a static configuration, FILEASSOC_NHOOKS. do it dynamically instead.
- make fileassoc_t a pointer and remove FILEASSOC_INVAL.
- clean up kern_fileassoc.c. unify duplicated code.
- unexport fileassoc_init using RUN_ONCE(9).
- plug memory leaks in fileassoc_file_delete and fileassoc_table_delete.
- always call callbacks, regardless of the value of the associated data.

ok'ed by elad.

branches: 1.8.2;
Initial implementation of PaX Segvguard (this is still work-in-progress,
it's just to get it out of my local tree).

Make PaX MPROTECT use specificdata(9), freeing up two P_* flags.
While here, make more generic for upcoming PaX features.

- remove an unnecessary #include.
- make some variables static.

Added missing whitespace in sysctl description string. PR kern/34915.

Change the PaX mprotect(2) restrictions' "global_protection" knob to
just "global" -- it's shorter and more readable. Update documentation.

branches: 1.3.2; 1.3.4; 1.3.6; 1.3.10; 1.3.14; 1.3.16; 1.3.18;
Better implementation of PaX MPROTECT, after looking some more into the
code and not trying to use temporary solutions.

Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX
author for being quick to recognize that something fishy's going on. :)

Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().

Next time I suggest to commit a temporary solution just revoke my
commit bit.

branches: 1.2.2;
CTLFLAG_IMMEDIATE doesn't do what I thought it did. from yamt@, thanks!

Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.

obey the executable's ELF alignment constraints for PIE.
this fixes gdb of PIE binaries on mac68k (and other platforms
which use an ELF alignment that is larger than PAGE_SIZE).

move aslr stuff to the aslr section

vsize_t is not always u_long :-)

branches: 1.55.2;
fix compilation without PAX_MPROTECT

Consistent indent.

Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1
as documented in sysctl(7):
0 - ptrace does not affect mprotect
1 - (default) mprotect is disabled for processes that start executing from
the debugger (being traced)
2 - mprotect restrictions are relaxed for traced processes

Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass
mprotect settings so that debuggers can write to the text segment of traced
processes so that they can insert breakpoints. Turned off by default.
Ok: chuq (for now)

randomize the location of the rtld.

Effectively disable aslr for non-topdown-VA binaries (unless they are
compat32, which we deal with properly). It would be possible to get
those working too, but it is not worth the code complexity.

This makes binaries compiled with -mcmodel=medlow (and ancient binaries)
work again on sparc64, smoothing the upgrade path.

ok: christos

reduce #ifdef mess caused by PaX

Account for the VA hole differently (simpler)

fix for ILP32.

Hook to clamp the random value for mmap for machies that don't have enough
VA bits.

only print debugging info if we are actually going to change the permission.

- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4
and reduce the length of the randomization bits since this is unused.
- call the pax aslr stack function sooner so we don't need to re-adjust the
stack size.
- adjust the stack max resource limit to account for the maximum space that
can be lost by aslr
- tidy up debugging printfs

Fix stack allocation; limit delta to a quarter of the stack size. This should
get rid of the random aborts.

Move all the randomization inside kern_pax.c so we can control it directly.
Add debugging flags to be able to set the random number externally.

GC PAX_ASLR_EXEC

Fix ASLR stack setup:
- make it work on machine where the stack grows up.
- use the same limits as mmap.

Add a flags sysctl for ASLR to disable particular features. We seem to be
having issues with stack setup.

Add PAX_MPROTECT_DEBUG

Add some diagnostic printf's when we reset permissions.

simplify.

Let PaX ASLR know about the current emulation

This effectively fixes PaX ASLR with 32-bits emulation on 64-bits
platforms. Without this knowledge, the offset applied for 32-bits
programs was really meant for a 64-bits address space - thus
shifting the address up to 12 bits, with a success rate of about
1/4096. This offset is calculated once in the lifetime of the
process, which therefore behaved normally when able to start.

Fixes kern/50469, probably also kern/50986

Tested on NetBSD/amd64 (emul_netbsd32)

Allow enabling and disabling PaX ASLR debug

PR/50312: Robert Elz: Unconditionally include <sys/exec.h> to fix compilation
when PAX_ASLR is not defined.

Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two
months ago, but no one reviewed it - probably because it's not a trivial
change.

This change fixes the following bug: when loading a PaX'ed binary, the
kernel updates the PaX flag of the calling process before it makes sure
the new process is actually launched. If the kernel fails to launch the
new process, it does not restore the PaX flag of the calling process,
leaving it in an inconsistent state.

Actually, simply restoring it would be horrible as well, since in the
meantime another thread may have used the flag.

The solution is therefore: modify all the functions used by PaX so that
they take as argument the exec package instead of the lwp, and set the PaX
flag in the process *right before* launching the new process - it cannot
fail in the meantime.

Some changes, to reduce a bit my tech-kern@ patch:
- move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h
- add a generic pax_flags_active() function
- fix a comment in exec_elf.c; interp is not static
- KNF for return
- rename pax_aslr() to pax_aslr_mmap()
- rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()

Small changes:
- rename pax_aslr_init() to pax_aslr_init_vm()
- remove the PAX_ flags (unused)
- fix a comment in pax.h

Revamp PaX:
- don't confuse between ELF flags and proc flags. Introduce the proc-
specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags.
- introduce pax_setup_elf_flags(), which takes as argument the PaX flag
of the ELF PaX note section, and which sets the proc flag as
appropriate. Also introduce a couple of other functions used for that
purpose.
- modify pax_aslr_active(), and all the other similar pieces of code, so
that it checks the proc flag directly, without extra ELF computation

In addition to making PaX clearer, the combination of these changes fixes
the following bug: if a non-PaX'ed process is launched, and then someone
sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes
PaX'ed while its address space hasn't been randomized, which is not likely
to be a good idea.

Now, only the proc flag is checked at runtime, which means the process's
PaX status won't be altered during the execution.

Also:
- declare PAX_DPRINTF, makes it more readable
- fix a typo in exec_elf.h

<sys/rnd.h> not needed for kern_pax.c.

branches: 1.27.6;
Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.

branches: 1.26.8; 1.26.12;
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.25.4;
- Replace few malloc(9) uses with kmem(9).
- Rename buf_malloc() to buf_alloc(), fix comments.
- Remove some unnecessary inclusions.

branches: 1.24.2;
Fix issues with stack allocation and pax aslr:
- since the size is unsigned, don't check just that it is > 0, but limit
it to the MAXSSIZ
- if the stack size is reduced because of aslr, make sure we reduce the
actual allocation by the same size so that the size does not wrap around.
NB: Must be pulled up to 5.x!

rename DEBUG_ASLR -> PAX_ASLR_DEBUG

branches: 1.22.8; 1.22.14; 1.22.16; 1.22.18; 1.22.20;
Fix broken enable test; fixes random coredumps.

Don't use proc specificdata. Speeds up mmap() and others.

branches: 1.20.6; 1.20.8; 1.20.10; 1.20.12;
Provide 8 more bits of stack randomization, from the PaX author.

While here, don't make too much use of one random value, and call
arc4random() directly. Allows for the removal of 'ep_random' from the
exec_package.

Prompted by and okay christos@.

PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h.
Export randomized bits # for stack and exec base too via sysctl.

okay christos@.

Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]

For regular (non PIE) executables randomization is enabled for:
1. The data segment
2. The stack

For PIE executables(*) randomization is enabled for:
1. The program itself
2. All shared libraries
3. The data segment
4. The stack

(*) To generate a PIE executable:
- compile everything with -fPIC
- link with -shared-libgcc -Wl,-pie

This feature is experimental, and might change. To use selectively add
options PAX_ASLR=0
in your kernel.

Currently we are using 12 bits for the stack, program, and data segment and
16 or 24 bits for mmap, depending on __LP64__.

branches: 1.17.6; 1.17.12;
Include sys/cdefs.h first.

branches: 1.16.6; 1.16.8;
Use an elf note to handle pax arguments. This is a temporary solution to
avoid wasting OS flag bits. In the future we'll probably use fileassoc to
achieve this (once there is a way to make fileassoc persistent) or in the
shorter term libelf, so that we can add and remove the note on demand instead
of burning bits on each binary. Of course since this is a tool, this means
that we'll need to think about how to handle libelf...

branches: 1.15.4; 1.15.6;
TRUE -> true, FALSE -> false

Replace the Mach-derived boolean_t type with the C99 bool type. A
future commit will replace use of TRUE and FALSE with true and false.

branches: 1.13.2;
PR/35253: YAMAMOTO Takashi: fileassoc hash size problem

fileassoc_table_add() was removed from the KPI and made internal. From now
fileassoc(9) will manage the optimal table size internally.

Input from and okay yamt@.

Remove advertising clause from all of my stuff.

Fix copy/paste error: Veriexec's sysctl setup routine was named after
PaX's.

- remove the fileassoc "tabledata" functionality. use mountspecific instead.
- make pax_segvguard_cb static.

tested and ok'ed by elad.

- remove a static configuration, FILEASSOC_NHOOKS. do it dynamically instead.
- make fileassoc_t a pointer and remove FILEASSOC_INVAL.
- clean up kern_fileassoc.c. unify duplicated code.
- unexport fileassoc_init using RUN_ONCE(9).
- plug memory leaks in fileassoc_file_delete and fileassoc_table_delete.
- always call callbacks, regardless of the value of the associated data.

ok'ed by elad.

branches: 1.8.2;
Initial implementation of PaX Segvguard (this is still work-in-progress,
it's just to get it out of my local tree).

Make PaX MPROTECT use specificdata(9), freeing up two P_* flags.
While here, make more generic for upcoming PaX features.

- remove an unnecessary #include.
- make some variables static.

Added missing whitespace in sysctl description string. PR kern/34915.

Change the PaX mprotect(2) restrictions' "global_protection" knob to
just "global" -- it's shorter and more readable. Update documentation.

branches: 1.3.2; 1.3.4; 1.3.6; 1.3.10; 1.3.14; 1.3.16; 1.3.18;
Better implementation of PaX MPROTECT, after looking some more into the
code and not trying to use temporary solutions.

Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX
author for being quick to recognize that something fishy's going on. :)

Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().

Next time I suggest to commit a temporary solution just revoke my
commit bit.

branches: 1.2.2;
CTLFLAG_IMMEDIATE doesn't do what I thought it did. from yamt@, thanks!

Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.

move aslr stuff to the aslr section

vsize_t is not always u_long :-)

branches: 1.55.2;
fix compilation without PAX_MPROTECT

Consistent indent.

Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1
as documented in sysctl(7):
0 - ptrace does not affect mprotect
1 - (default) mprotect is disabled for processes that start executing from
the debugger (being traced)
2 - mprotect restrictions are relaxed for traced processes

Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass
mprotect settings so that debuggers can write to the text segment of traced
processes so that they can insert breakpoints. Turned off by default.
Ok: chuq (for now)

randomize the location of the rtld.

Effectively disable aslr for non-topdown-VA binaries (unless they are
compat32, which we deal with properly). It would be possible to get
those working too, but it is not worth the code complexity.

This makes binaries compiled with -mcmodel=medlow (and ancient binaries)
work again on sparc64, smoothing the upgrade path.

ok: christos

reduce #ifdef mess caused by PaX

Account for the VA hole differently (simpler)

fix for ILP32.

Hook to clamp the random value for mmap for machies that don't have enough
VA bits.

only print debugging info if we are actually going to change the permission.

- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4
and reduce the length of the randomization bits since this is unused.
- call the pax aslr stack function sooner so we don't need to re-adjust the
stack size.
- adjust the stack max resource limit to account for the maximum space that
can be lost by aslr
- tidy up debugging printfs

Fix stack allocation; limit delta to a quarter of the stack size. This should
get rid of the random aborts.

Move all the randomization inside kern_pax.c so we can control it directly.
Add debugging flags to be able to set the random number externally.