#
1.63 |
|
26-Oct-2022 |
riastradh |
kern/kern_pax.c: Get maxsmap from sys/resourcevar.h.
|
Revision tags: bouyer-sunxi-drm-base
|
#
1.62 |
|
30-Aug-2021 |
rin |
Respect alignment requests of executable when PAX_ASLR is enabled on kernel, but disabled for the process, as in the same manner as PAX_ASLR is disabled; see pax_aslr_exec_offset() for !PAX_ASLR in sys/sys/pax.h.
This is a regression introduced in kern_pax.c rev 1.58: http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/kern/kern_pax.c#rev1.58
Part of PR port-arm/56380 but unfortunately this does not fix the problem described in the PR...
|
Revision tags: thorpej-i2c-spi-conf2-base thorpej-futex2-base thorpej-cfargs2-base cjep_sun2x-base1 cjep_sun2x-base cjep_staticlib_x-base1 cjep_staticlib_x-base thorpej-i2c-spi-conf-base thorpej-cfargs-base thorpej-futex-base bouyer-xenpvh-base2 phil-wifi-20200421 bouyer-xenpvh-base1 phil-wifi-20200411 bouyer-xenpvh-base is-mlppp-base phil-wifi-20200406 ad-namecache-base3 ad-namecache-base2
|
#
1.61 |
|
23-Jan-2020 |
ad |
PAX_SEGVGUARD doesn't seem to work properly in testing for me, but at least make it not cause problems:
- Cover it with exec_lock so the updates are not racy. - Using fileassoc is silly. Just hang a pointer off the vnode.
|
Revision tags: netbsd-9-3-RELEASE netbsd-9-2-RELEASE netbsd-9-1-RELEASE netbsd-9-0-RELEASE netbsd-9-0-RC2 ad-namecache-base1 ad-namecache-base netbsd-9-0-RC1 phil-wifi-20191119 netbsd-9-base phil-wifi-20190609 isaki-audio2-base pgoyette-compat-merge-20190127 pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906 pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base tls-maxphys-base-20171202 nick-nhusb-base-20170825 perseant-stdc-iso10646-base
|
#
1.60 |
|
25-Jun-2017 |
snj |
branches: 1.60.6; 1.60.12; fix typo
|
Revision tags: netbsd-8-2-RELEASE netbsd-8-1-RELEASE netbsd-8-1-RC1 netbsd-8-0-RELEASE netbsd-8-0-RC2 netbsd-8-0-RC1 matt-nb8-mediatek-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2
|
#
1.59 |
|
06-May-2017 |
joerg |
Extend the mmap(2) interface to allow requesting protections for later use with mprotect(2), but without enabling them immediately.
Extend the mremap(2) interface to allow duplicating mappings, i.e. create a second range of virtual addresses references the same physical pages. Duplicated mappings can have different effective protections.
Adjust PAX mprotect logic to disallow effective protections of W&X, but allow one mapping W and another X protections. This obsoletes using temporary files for purposes like JIT.
Adjust PAX logic for mmap(2) and mprotect(2) to fail if W&X is requested and not silently drop the X protection.
Improve test cases to ensure correct operation of the changed interfaces.
|
Revision tags: prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 jdolecek-ncq-base pgoyette-localcount-20170320
|
#
1.58 |
|
18-Feb-2017 |
chs |
branches: 1.58.4; obey the executable's ELF alignment constraints for PIE. this fixes gdb of PIE binaries on mac68k (and other platforms which use an ELF alignment that is larger than PAGE_SIZE).
|
Revision tags: nick-nhusb-base-20170204 bouyer-socketcan-base pgoyette-localcount-20170107 nick-nhusb-base-20161204 pgoyette-localcount-20161104 nick-nhusb-base-20161004
|
#
1.57 |
|
17-Sep-2016 |
christos |
branches: 1.57.2; move aslr stuff to the aslr section
|
Revision tags: localcount-20160914
|
#
1.56 |
|
03-Sep-2016 |
christos |
vsize_t is not always u_long :-)
|
Revision tags: pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529
|
#
1.55 |
|
27-May-2016 |
christos |
branches: 1.55.2; fix compilation without PAX_MPROTECT
|
#
1.54 |
|
25-May-2016 |
wiz |
Consistent indent.
|
#
1.53 |
|
25-May-2016 |
christos |
Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1 as documented in sysctl(7): 0 - ptrace does not affect mprotect 1 - (default) mprotect is disabled for processes that start executing from the debugger (being traced) 2 - mprotect restrictions are relaxed for traced processes
|
#
1.52 |
|
25-May-2016 |
christos |
Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass mprotect settings so that debuggers can write to the text segment of traced processes so that they can insert breakpoints. Turned off by default. Ok: chuq (for now)
|
#
1.51 |
|
25-May-2016 |
christos |
randomize the location of the rtld.
|
#
1.50 |
|
24-May-2016 |
martin |
Effectively disable aslr for non-topdown-VA binaries (unless they are compat32, which we deal with properly). It would be possible to get those working too, but it is not worth the code complexity.
This makes binaries compiled with -mcmodel=medlow (and ancient binaries) work again on sparc64, smoothing the upgrade path.
ok: christos
|
#
1.49 |
|
22-May-2016 |
christos |
reduce #ifdef mess caused by PaX
|
#
1.48 |
|
22-May-2016 |
christos |
Account for the VA hole differently (simpler)
|
#
1.47 |
|
19-May-2016 |
christos |
fix for ILP32.
|
#
1.46 |
|
17-May-2016 |
christos |
Hook to clamp the random value for mmap for machies that don't have enough VA bits.
|
#
1.45 |
|
14-May-2016 |
christos |
only print debugging info if we are actually going to change the permission.
|
#
1.44 |
|
13-May-2016 |
christos |
- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4 and reduce the length of the randomization bits since this is unused. - call the pax aslr stack function sooner so we don't need to re-adjust the stack size. - adjust the stack max resource limit to account for the maximum space that can be lost by aslr - tidy up debugging printfs
|
#
1.43 |
|
08-May-2016 |
christos |
Fix stack allocation; limit delta to a quarter of the stack size. This should get rid of the random aborts.
|
#
1.42 |
|
08-May-2016 |
christos |
Move all the randomization inside kern_pax.c so we can control it directly. Add debugging flags to be able to set the random number externally.
|
Revision tags: nick-nhusb-base-20160422
|
#
1.41 |
|
10-Apr-2016 |
christos |
GC PAX_ASLR_EXEC
|
#
1.40 |
|
10-Apr-2016 |
christos |
Fix ASLR stack setup: - make it work on machine where the stack grows up. - use the same limits as mmap.
|
#
1.39 |
|
10-Apr-2016 |
christos |
Add a flags sysctl for ASLR to disable particular features. We seem to be having issues with stack setup.
|
#
1.38 |
|
07-Apr-2016 |
christos |
Add PAX_MPROTECT_DEBUG
|
#
1.37 |
|
04-Apr-2016 |
christos |
Add some diagnostic printf's when we reset permissions.
|
#
1.36 |
|
20-Mar-2016 |
christos |
simplify.
|
#
1.35 |
|
20-Mar-2016 |
khorben |
Let PaX ASLR know about the current emulation
This effectively fixes PaX ASLR with 32-bits emulation on 64-bits platforms. Without this knowledge, the offset applied for 32-bits programs was really meant for a 64-bits address space - thus shifting the address up to 12 bits, with a success rate of about 1/4096. This offset is calculated once in the lifetime of the process, which therefore behaved normally when able to start.
Fixes kern/50469, probably also kern/50986
Tested on NetBSD/amd64 (emul_netbsd32)
|
#
1.34 |
|
19-Mar-2016 |
christos |
Allow enabling and disabling PaX ASLR debug
|
Revision tags: nick-nhusb-base-20160319 nick-nhusb-base-20151226
|
#
1.33 |
|
09-Oct-2015 |
christos |
PR/50312: Robert Elz: Unconditionally include <sys/exec.h> to fix compilation when PAX_ASLR is not defined.
|
#
1.32 |
|
26-Sep-2015 |
maxv |
Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two months ago, but no one reviewed it - probably because it's not a trivial change.
This change fixes the following bug: when loading a PaX'ed binary, the kernel updates the PaX flag of the calling process before it makes sure the new process is actually launched. If the kernel fails to launch the new process, it does not restore the PaX flag of the calling process, leaving it in an inconsistent state.
Actually, simply restoring it would be horrible as well, since in the meantime another thread may have used the flag.
The solution is therefore: modify all the functions used by PaX so that they take as argument the exec package instead of the lwp, and set the PaX flag in the process *right before* launching the new process - it cannot fail in the meantime.
|
Revision tags: nick-nhusb-base-20150921
|
#
1.31 |
|
04-Aug-2015 |
maxv |
Some changes, to reduce a bit my tech-kern@ patch: - move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h - add a generic pax_flags_active() function - fix a comment in exec_elf.c; interp is not static - KNF for return - rename pax_aslr() to pax_aslr_mmap() - rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()
|
#
1.30 |
|
31-Jul-2015 |
maxv |
Small changes: - rename pax_aslr_init() to pax_aslr_init_vm() - remove the PAX_ flags (unused) - fix a comment in pax.h
|
#
1.29 |
|
30-Jul-2015 |
maxv |
Revamp PaX: - don't confuse between ELF flags and proc flags. Introduce the proc- specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags. - introduce pax_setup_elf_flags(), which takes as argument the PaX flag of the ELF PaX note section, and which sets the proc flag as appropriate. Also introduce a couple of other functions used for that purpose. - modify pax_aslr_active(), and all the other similar pieces of code, so that it checks the proc flag directly, without extra ELF computation
In addition to making PaX clearer, the combination of these changes fixes the following bug: if a non-PaX'ed process is launched, and then someone sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes PaX'ed while its address space hasn't been randomized, which is not likely to be a good idea.
Now, only the proc flag is checked at runtime, which means the process's PaX status won't be altered during the execution.
Also: - declare PAX_DPRINTF, makes it more readable - fix a typo in exec_elf.h
|
Revision tags: nick-nhusb-base-20150606
|
#
1.28 |
|
13-Apr-2015 |
riastradh |
<sys/rnd.h> not needed for kern_pax.c.
|
Revision tags: netbsd-7-2-RELEASE netbsd-7-1-2-RELEASE netbsd-7-1-1-RELEASE netbsd-7-1-RELEASE netbsd-7-1-RC2 netbsd-7-nhusb-base-20170116 netbsd-7-1-RC1 netbsd-7-0-2-RELEASE netbsd-7-nhusb-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.27 |
|
25-Feb-2014 |
pooka |
branches: 1.27.6; Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate lines of code.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-pre-base2 jmcneill-usbmp-base2 netbsd-6-base jmcneill-usbmp-base
|
#
1.26 |
|
19-Nov-2011 |
tls |
branches: 1.26.8; 1.26.12; First step of random number subsystem rework described in <20111022023242.BA26F14A158@mail.netbsd.org>. This change includes the following:
An initial cleanup and minor reorganization of the entropy pool code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are fixed. Some effort is made to accumulate entropy more quickly at boot time.
A generic interface, "rndsink", is added, for stream generators to request that they be re-keyed with good quality entropy from the pool as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is adjusted to use the rndsink interface for rekeying, which helps address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random number generator quality is provided (libkern/rngtest.c). This is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is based on an implementation of the NIST SP800-90 CTR_DRBG by Henric Jungheim. This generator users AES in a modified counter mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers of randomness. The arc4random/arc4randbytes API is deprecated for in-kernel use. It is replaced by "cprng_strong". The current cprng_fast implementation wraps the existing arc4random implementation. The current cprng_strong implementation wraps the new CTR_DRBG implementation. Both interfaces are rekeyed from the entropy pool automatically at intervals justifiable from best current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as the old arc4randbytes(), and cprng_strong() is about 20% faster than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional kernel component, as it is required by cprng_strong, which is not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at startup time; if it fails, the system will reboot. There is approximately a 3/10000 chance of a false positive from these tests. Entropy pool _input_ from hardware random numbers is subjected to the rngtest tests at attach time, as well as the FIPS continuous-output test, to detect bad or stuck hardware RNGs; if any are detected, they are detached, but the system continues to run.
A problem with rndctl(8) is fixed -- datastructures with pointers in arrays are no longer passed to userspace (this was not a security problem, but rather a major issue for compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked up to the new generators, but the /dev/*random pseudodevices are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
|
Revision tags: jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.25 |
|
24-Apr-2011 |
rmind |
branches: 1.25.4; - Replace few malloc(9) uses with kmem(9). - Rename buf_malloc() to buf_alloc(), fix comments. - Remove some unnecessary inclusions.
|
Revision tags: bouyer-quota2-nbase bouyer-quota2-base jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.24 |
|
23-Aug-2010 |
christos |
branches: 1.24.2; Fix issues with stack allocation and pax aslr: - since the size is unsigned, don't check just that it is > 0, but limit it to the MAXSSIZ - if the stack size is reduced because of aslr, make sure we reduce the actual allocation by the same size so that the size does not wrap around. NB: Must be pulled up to 5.x!
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1
|
#
1.23 |
|
15-Mar-2010 |
christos |
rename DEBUG_ASLR -> PAX_ASLR_DEBUG
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 yamt-nfs-mp-base9 uebayasi-xip-base netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-premerge-20091211 yamt-nfs-mp-base8 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 yamt-nfs-mp-base7 netbsd-5-0-1-RELEASE jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 jym-xensuspend-base netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base nick-hppapmap-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base wrstuden-revivesa-base mjf-devfs2-base
|
#
1.22 |
|
04-Jun-2008 |
ad |
branches: 1.22.8; 1.22.14; 1.22.16; 1.22.18; 1.22.20; Fix broken enable test; fixes random coredumps.
|
#
1.21 |
|
03-Jun-2008 |
ad |
Don't use proc specificdata. Speeds up mmap() and others.
|
Revision tags: yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-nfs-mp-base2 yamt-nfs-mp-base yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-nbase mjf-devfs-base matt-armv6-base hpcarm-cleanup-base
|
#
1.20 |
|
28-Dec-2007 |
elad |
branches: 1.20.6; 1.20.8; 1.20.10; 1.20.12; Provide 8 more bits of stack randomization, from the PaX author.
While here, don't make too much use of one random value, and call arc4random() directly. Allows for the removal of 'ep_random' from the exec_package.
Prompted by and okay christos@.
|
#
1.19 |
|
27-Dec-2007 |
elad |
PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h. Export randomized bits # for stack and exec base too via sysctl.
okay christos@.
|
#
1.18 |
|
26-Dec-2007 |
christos |
Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]
For regular (non PIE) executables randomization is enabled for: 1. The data segment 2. The stack
For PIE executables(*) randomization is enabled for: 1. The program itself 2. All shared libraries 3. The data segment 4. The stack
(*) To generate a PIE executable: - compile everything with -fPIC - link with -shared-libgcc -Wl,-pie
This feature is experimental, and might change. To use selectively add options PAX_ASLR=0 in your kernel.
Currently we are using 12 bits for the stack, program, and data segment and 16 or 24 bits for mmap, depending on __LP64__.
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.17 |
|
21-Sep-2007 |
dsl |
branches: 1.17.6; 1.17.12; Include sys/cdefs.h first.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.16 |
|
24-Jun-2007 |
christos |
branches: 1.16.6; 1.16.8; Use an elf note to handle pax arguments. This is a temporary solution to avoid wasting OS flag bits. In the future we'll probably use fileassoc to achieve this (once there is a way to make fileassoc persistent) or in the shorter term libelf, so that we can add and remove the note on demand instead of burning bits on each binary. Of course since this is a tool, this means that we'll need to think about how to handle libelf...
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base ad-audiomp-base
|
#
1.15 |
|
22-Feb-2007 |
thorpej |
branches: 1.15.4; 1.15.6; TRUE -> true, FALSE -> false
|
#
1.14 |
|
21-Feb-2007 |
thorpej |
Replace the Mach-derived boolean_t type with the C99 bool type. A future commit will replace use of TRUE and FALSE with true and false.
|
Revision tags: post-newlock2-merge newlock2-nbase newlock2-base
|
#
1.13 |
|
06-Feb-2007 |
elad |
branches: 1.13.2; PR/35253: YAMAMOTO Takashi: fileassoc hash size problem
fileassoc_table_add() was removed from the KPI and made internal. From now fileassoc(9) will manage the optimal table size internally.
Input from and okay yamt@.
|
#
1.12 |
|
09-Jan-2007 |
elad |
Remove advertising clause from all of my stuff.
|
#
1.11 |
|
26-Dec-2006 |
elad |
Fix copy/paste error: Veriexec's sysctl setup routine was named after PaX's.
|
#
1.10 |
|
23-Dec-2006 |
yamt |
- remove the fileassoc "tabledata" functionality. use mountspecific instead. - make pax_segvguard_cb static.
tested and ok'ed by elad.
|
Revision tags: yamt-splraiseipl-base5 yamt-splraiseipl-base4
|
#
1.9 |
|
11-Dec-2006 |
yamt |
- remove a static configuration, FILEASSOC_NHOOKS. do it dynamically instead. - make fileassoc_t a pointer and remove FILEASSOC_INVAL. - clean up kern_fileassoc.c. unify duplicated code. - unexport fileassoc_init using RUN_ONCE(9). - plug memory leaks in fileassoc_file_delete and fileassoc_table_delete. - always call callbacks, regardless of the value of the associated data.
ok'ed by elad.
|
Revision tags: yamt-splraiseipl-base3 netbsd-4-base
|
#
1.8 |
|
22-Nov-2006 |
elad |
branches: 1.8.2; Initial implementation of PaX Segvguard (this is still work-in-progress, it's just to get it out of my local tree).
|
#
1.7 |
|
22-Nov-2006 |
elad |
Make PaX MPROTECT use specificdata(9), freeing up two P_* flags. While here, make more generic for upcoming PaX features.
|
#
1.6 |
|
01-Nov-2006 |
yamt |
- remove an unnecessary #include. - make some variables static.
|
#
1.5 |
|
25-Oct-2006 |
cbiere |
Added missing whitespace in sysctl description string. PR kern/34915.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.4 |
|
26-Sep-2006 |
elad |
Change the PaX mprotect(2) restrictions' "global_protection" knob to just "global" -- it's shorter and more readable. Update documentation.
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 rpaulo-netinet-merge-pcb-base yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timecounters-base yamt-pdpolicy-base5 chap-midi-base
|
#
1.3 |
|
20-May-2006 |
elad |
branches: 1.3.2; 1.3.4; 1.3.6; 1.3.10; 1.3.14; 1.3.16; 1.3.18; Better implementation of PaX MPROTECT, after looking some more into the code and not trying to use temporary solutions.
Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX author for being quick to recognize that something fishy's going on. :)
Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().
Next time I suggest to commit a temporary solution just revoke my commit bit.
|
#
1.2 |
|
18-May-2006 |
elad |
branches: 1.2.2; CTLFLAG_IMMEDIATE doesn't do what I thought it did. from yamt@, thanks!
|
#
1.1 |
|
16-May-2006 |
elad |
Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen W^X mappings.
Disabled by default.
First proposed in:
http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html
More information in:
http://pax.grsecurity.net/docs/mprotect.txt
Read relevant parts of options(4) and sysctl(3) before using!
Lots of thanks to the PaX author and Matt Thomas.
|
#
1.62 |
|
30-Aug-2021 |
rin |
Respect alignment requests of executable when PAX_ASLR is enabled on kernel, but disabled for the process, as in the same manner as PAX_ASLR is disabled; see pax_aslr_exec_offset() for !PAX_ASLR in sys/sys/pax.h.
This is a regression introduced in kern_pax.c rev 1.58: http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/kern/kern_pax.c#rev1.58
Part of PR port-arm/56380 but unfortunately this does not fix the problem described in the PR...
|
Revision tags: thorpej-i2c-spi-conf2-base thorpej-futex2-base thorpej-cfargs2-base cjep_sun2x-base1 cjep_sun2x-base cjep_staticlib_x-base1 cjep_staticlib_x-base thorpej-i2c-spi-conf-base thorpej-cfargs-base thorpej-futex-base bouyer-xenpvh-base2 phil-wifi-20200421 bouyer-xenpvh-base1 phil-wifi-20200411 bouyer-xenpvh-base is-mlppp-base phil-wifi-20200406 ad-namecache-base3 ad-namecache-base2
|
#
1.61 |
|
23-Jan-2020 |
ad |
PAX_SEGVGUARD doesn't seem to work properly in testing for me, but at least make it not cause problems:
- Cover it with exec_lock so the updates are not racy. - Using fileassoc is silly. Just hang a pointer off the vnode.
|
Revision tags: netbsd-9-2-RELEASE netbsd-9-1-RELEASE netbsd-9-0-RELEASE netbsd-9-0-RC2 ad-namecache-base1 ad-namecache-base netbsd-9-0-RC1 phil-wifi-20191119 netbsd-9-base phil-wifi-20190609 isaki-audio2-base pgoyette-compat-merge-20190127 pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906 pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base tls-maxphys-base-20171202 nick-nhusb-base-20170825 perseant-stdc-iso10646-base
|
#
1.60 |
|
25-Jun-2017 |
snj |
branches: 1.60.6; 1.60.12; fix typo
|
Revision tags: netbsd-8-2-RELEASE netbsd-8-1-RELEASE netbsd-8-1-RC1 netbsd-8-0-RELEASE netbsd-8-0-RC2 netbsd-8-0-RC1 matt-nb8-mediatek-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2
|
#
1.59 |
|
06-May-2017 |
joerg |
Extend the mmap(2) interface to allow requesting protections for later use with mprotect(2), but without enabling them immediately.
Extend the mremap(2) interface to allow duplicating mappings, i.e. create a second range of virtual addresses references the same physical pages. Duplicated mappings can have different effective protections.
Adjust PAX mprotect logic to disallow effective protections of W&X, but allow one mapping W and another X protections. This obsoletes using temporary files for purposes like JIT.
Adjust PAX logic for mmap(2) and mprotect(2) to fail if W&X is requested and not silently drop the X protection.
Improve test cases to ensure correct operation of the changed interfaces.
|
Revision tags: prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 jdolecek-ncq-base pgoyette-localcount-20170320
|
#
1.58 |
|
18-Feb-2017 |
chs |
branches: 1.58.4; obey the executable's ELF alignment constraints for PIE. this fixes gdb of PIE binaries on mac68k (and other platforms which use an ELF alignment that is larger than PAGE_SIZE).
|
Revision tags: nick-nhusb-base-20170204 bouyer-socketcan-base pgoyette-localcount-20170107 nick-nhusb-base-20161204 pgoyette-localcount-20161104 nick-nhusb-base-20161004
|
#
1.57 |
|
17-Sep-2016 |
christos |
branches: 1.57.2; move aslr stuff to the aslr section
|
Revision tags: localcount-20160914
|
#
1.56 |
|
03-Sep-2016 |
christos |
vsize_t is not always u_long :-)
|
Revision tags: pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529
|
#
1.55 |
|
27-May-2016 |
christos |
branches: 1.55.2; fix compilation without PAX_MPROTECT
|
#
1.54 |
|
25-May-2016 |
wiz |
Consistent indent.
|
#
1.53 |
|
25-May-2016 |
christos |
Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1 as documented in sysctl(7): 0 - ptrace does not affect mprotect 1 - (default) mprotect is disabled for processes that start executing from the debugger (being traced) 2 - mprotect restrictions are relaxed for traced processes
|
#
1.52 |
|
25-May-2016 |
christos |
Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass mprotect settings so that debuggers can write to the text segment of traced processes so that they can insert breakpoints. Turned off by default. Ok: chuq (for now)
|
#
1.51 |
|
25-May-2016 |
christos |
randomize the location of the rtld.
|
#
1.50 |
|
24-May-2016 |
martin |
Effectively disable aslr for non-topdown-VA binaries (unless they are compat32, which we deal with properly). It would be possible to get those working too, but it is not worth the code complexity.
This makes binaries compiled with -mcmodel=medlow (and ancient binaries) work again on sparc64, smoothing the upgrade path.
ok: christos
|
#
1.49 |
|
22-May-2016 |
christos |
reduce #ifdef mess caused by PaX
|
#
1.48 |
|
22-May-2016 |
christos |
Account for the VA hole differently (simpler)
|
#
1.47 |
|
19-May-2016 |
christos |
fix for ILP32.
|
#
1.46 |
|
17-May-2016 |
christos |
Hook to clamp the random value for mmap for machies that don't have enough VA bits.
|
#
1.45 |
|
14-May-2016 |
christos |
only print debugging info if we are actually going to change the permission.
|
#
1.44 |
|
13-May-2016 |
christos |
- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4 and reduce the length of the randomization bits since this is unused. - call the pax aslr stack function sooner so we don't need to re-adjust the stack size. - adjust the stack max resource limit to account for the maximum space that can be lost by aslr - tidy up debugging printfs
|
#
1.43 |
|
08-May-2016 |
christos |
Fix stack allocation; limit delta to a quarter of the stack size. This should get rid of the random aborts.
|
#
1.42 |
|
08-May-2016 |
christos |
Move all the randomization inside kern_pax.c so we can control it directly. Add debugging flags to be able to set the random number externally.
|
Revision tags: nick-nhusb-base-20160422
|
#
1.41 |
|
10-Apr-2016 |
christos |
GC PAX_ASLR_EXEC
|
#
1.40 |
|
10-Apr-2016 |
christos |
Fix ASLR stack setup: - make it work on machine where the stack grows up. - use the same limits as mmap.
|
#
1.39 |
|
10-Apr-2016 |
christos |
Add a flags sysctl for ASLR to disable particular features. We seem to be having issues with stack setup.
|
#
1.38 |
|
07-Apr-2016 |
christos |
Add PAX_MPROTECT_DEBUG
|
#
1.37 |
|
04-Apr-2016 |
christos |
Add some diagnostic printf's when we reset permissions.
|
#
1.36 |
|
20-Mar-2016 |
christos |
simplify.
|
#
1.35 |
|
20-Mar-2016 |
khorben |
Let PaX ASLR know about the current emulation
This effectively fixes PaX ASLR with 32-bits emulation on 64-bits platforms. Without this knowledge, the offset applied for 32-bits programs was really meant for a 64-bits address space - thus shifting the address up to 12 bits, with a success rate of about 1/4096. This offset is calculated once in the lifetime of the process, which therefore behaved normally when able to start.
Fixes kern/50469, probably also kern/50986
Tested on NetBSD/amd64 (emul_netbsd32)
|
#
1.34 |
|
19-Mar-2016 |
christos |
Allow enabling and disabling PaX ASLR debug
|
Revision tags: nick-nhusb-base-20160319 nick-nhusb-base-20151226
|
#
1.33 |
|
09-Oct-2015 |
christos |
PR/50312: Robert Elz: Unconditionally include <sys/exec.h> to fix compilation when PAX_ASLR is not defined.
|
#
1.32 |
|
26-Sep-2015 |
maxv |
Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two months ago, but no one reviewed it - probably because it's not a trivial change.
This change fixes the following bug: when loading a PaX'ed binary, the kernel updates the PaX flag of the calling process before it makes sure the new process is actually launched. If the kernel fails to launch the new process, it does not restore the PaX flag of the calling process, leaving it in an inconsistent state.
Actually, simply restoring it would be horrible as well, since in the meantime another thread may have used the flag.
The solution is therefore: modify all the functions used by PaX so that they take as argument the exec package instead of the lwp, and set the PaX flag in the process *right before* launching the new process - it cannot fail in the meantime.
|
Revision tags: nick-nhusb-base-20150921
|
#
1.31 |
|
04-Aug-2015 |
maxv |
Some changes, to reduce a bit my tech-kern@ patch: - move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h - add a generic pax_flags_active() function - fix a comment in exec_elf.c; interp is not static - KNF for return - rename pax_aslr() to pax_aslr_mmap() - rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()
|
#
1.30 |
|
31-Jul-2015 |
maxv |
Small changes: - rename pax_aslr_init() to pax_aslr_init_vm() - remove the PAX_ flags (unused) - fix a comment in pax.h
|
#
1.29 |
|
30-Jul-2015 |
maxv |
Revamp PaX: - don't confuse between ELF flags and proc flags. Introduce the proc- specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags. - introduce pax_setup_elf_flags(), which takes as argument the PaX flag of the ELF PaX note section, and which sets the proc flag as appropriate. Also introduce a couple of other functions used for that purpose. - modify pax_aslr_active(), and all the other similar pieces of code, so that it checks the proc flag directly, without extra ELF computation
In addition to making PaX clearer, the combination of these changes fixes the following bug: if a non-PaX'ed process is launched, and then someone sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes PaX'ed while its address space hasn't been randomized, which is not likely to be a good idea.
Now, only the proc flag is checked at runtime, which means the process's PaX status won't be altered during the execution.
Also: - declare PAX_DPRINTF, makes it more readable - fix a typo in exec_elf.h
|
Revision tags: nick-nhusb-base-20150606
|
#
1.28 |
|
13-Apr-2015 |
riastradh |
<sys/rnd.h> not needed for kern_pax.c.
|
Revision tags: netbsd-7-2-RELEASE netbsd-7-1-2-RELEASE netbsd-7-1-1-RELEASE netbsd-7-1-RELEASE netbsd-7-1-RC2 netbsd-7-nhusb-base-20170116 netbsd-7-1-RC1 netbsd-7-0-2-RELEASE netbsd-7-nhusb-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.27 |
|
25-Feb-2014 |
pooka |
branches: 1.27.6; Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate lines of code.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-pre-base2 jmcneill-usbmp-base2 netbsd-6-base jmcneill-usbmp-base
|
#
1.26 |
|
19-Nov-2011 |
tls |
branches: 1.26.8; 1.26.12; First step of random number subsystem rework described in <20111022023242.BA26F14A158@mail.netbsd.org>. This change includes the following:
An initial cleanup and minor reorganization of the entropy pool code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are fixed. Some effort is made to accumulate entropy more quickly at boot time.
A generic interface, "rndsink", is added, for stream generators to request that they be re-keyed with good quality entropy from the pool as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is adjusted to use the rndsink interface for rekeying, which helps address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random number generator quality is provided (libkern/rngtest.c). This is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is based on an implementation of the NIST SP800-90 CTR_DRBG by Henric Jungheim. This generator users AES in a modified counter mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers of randomness. The arc4random/arc4randbytes API is deprecated for in-kernel use. It is replaced by "cprng_strong". The current cprng_fast implementation wraps the existing arc4random implementation. The current cprng_strong implementation wraps the new CTR_DRBG implementation. Both interfaces are rekeyed from the entropy pool automatically at intervals justifiable from best current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as the old arc4randbytes(), and cprng_strong() is about 20% faster than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional kernel component, as it is required by cprng_strong, which is not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at startup time; if it fails, the system will reboot. There is approximately a 3/10000 chance of a false positive from these tests. Entropy pool _input_ from hardware random numbers is subjected to the rngtest tests at attach time, as well as the FIPS continuous-output test, to detect bad or stuck hardware RNGs; if any are detected, they are detached, but the system continues to run.
A problem with rndctl(8) is fixed -- datastructures with pointers in arrays are no longer passed to userspace (this was not a security problem, but rather a major issue for compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked up to the new generators, but the /dev/*random pseudodevices are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
|
Revision tags: jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.25 |
|
24-Apr-2011 |
rmind |
branches: 1.25.4; - Replace few malloc(9) uses with kmem(9). - Rename buf_malloc() to buf_alloc(), fix comments. - Remove some unnecessary inclusions.
|
Revision tags: bouyer-quota2-nbase bouyer-quota2-base jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.24 |
|
23-Aug-2010 |
christos |
branches: 1.24.2; Fix issues with stack allocation and pax aslr: - since the size is unsigned, don't check just that it is > 0, but limit it to the MAXSSIZ - if the stack size is reduced because of aslr, make sure we reduce the actual allocation by the same size so that the size does not wrap around. NB: Must be pulled up to 5.x!
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1
|
#
1.23 |
|
15-Mar-2010 |
christos |
rename DEBUG_ASLR -> PAX_ASLR_DEBUG
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 yamt-nfs-mp-base9 uebayasi-xip-base netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-premerge-20091211 yamt-nfs-mp-base8 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 yamt-nfs-mp-base7 netbsd-5-0-1-RELEASE jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 jym-xensuspend-base netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base nick-hppapmap-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base wrstuden-revivesa-base mjf-devfs2-base
|
#
1.22 |
|
04-Jun-2008 |
ad |
branches: 1.22.8; 1.22.14; 1.22.16; 1.22.18; 1.22.20; Fix broken enable test; fixes random coredumps.
|
#
1.21 |
|
03-Jun-2008 |
ad |
Don't use proc specificdata. Speeds up mmap() and others.
|
Revision tags: yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-nfs-mp-base2 yamt-nfs-mp-base yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-nbase mjf-devfs-base matt-armv6-base hpcarm-cleanup-base
|
#
1.20 |
|
28-Dec-2007 |
elad |
branches: 1.20.6; 1.20.8; 1.20.10; 1.20.12; Provide 8 more bits of stack randomization, from the PaX author.
While here, don't make too much use of one random value, and call arc4random() directly. Allows for the removal of 'ep_random' from the exec_package.
Prompted by and okay christos@.
|
#
1.19 |
|
27-Dec-2007 |
elad |
PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h. Export randomized bits # for stack and exec base too via sysctl.
okay christos@.
|
#
1.18 |
|
26-Dec-2007 |
christos |
Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]
For regular (non PIE) executables randomization is enabled for: 1. The data segment 2. The stack
For PIE executables(*) randomization is enabled for: 1. The program itself 2. All shared libraries 3. The data segment 4. The stack
(*) To generate a PIE executable: - compile everything with -fPIC - link with -shared-libgcc -Wl,-pie
This feature is experimental, and might change. To use selectively add options PAX_ASLR=0 in your kernel.
Currently we are using 12 bits for the stack, program, and data segment and 16 or 24 bits for mmap, depending on __LP64__.
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.17 |
|
21-Sep-2007 |
dsl |
branches: 1.17.6; 1.17.12; Include sys/cdefs.h first.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.16 |
|
24-Jun-2007 |
christos |
branches: 1.16.6; 1.16.8; Use an elf note to handle pax arguments. This is a temporary solution to avoid wasting OS flag bits. In the future we'll probably use fileassoc to achieve this (once there is a way to make fileassoc persistent) or in the shorter term libelf, so that we can add and remove the note on demand instead of burning bits on each binary. Of course since this is a tool, this means that we'll need to think about how to handle libelf...
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base ad-audiomp-base
|
#
1.15 |
|
22-Feb-2007 |
thorpej |
branches: 1.15.4; 1.15.6; TRUE -> true, FALSE -> false
|
#
1.14 |
|
21-Feb-2007 |
thorpej |
Replace the Mach-derived boolean_t type with the C99 bool type. A future commit will replace use of TRUE and FALSE with true and false.
|
Revision tags: post-newlock2-merge newlock2-nbase newlock2-base
|
#
1.13 |
|
06-Feb-2007 |
elad |
branches: 1.13.2; PR/35253: YAMAMOTO Takashi: fileassoc hash size problem
fileassoc_table_add() was removed from the KPI and made internal. From now fileassoc(9) will manage the optimal table size internally.
Input from and okay yamt@.
|
#
1.12 |
|
09-Jan-2007 |
elad |
Remove advertising clause from all of my stuff.
|
#
1.11 |
|
26-Dec-2006 |
elad |
Fix copy/paste error: Veriexec's sysctl setup routine was named after PaX's.
|
#
1.10 |
|
23-Dec-2006 |
yamt |
- remove the fileassoc "tabledata" functionality. use mountspecific instead. - make pax_segvguard_cb static.
tested and ok'ed by elad.
|
Revision tags: yamt-splraiseipl-base5 yamt-splraiseipl-base4
|
#
1.9 |
|
11-Dec-2006 |
yamt |
- remove a static configuration, FILEASSOC_NHOOKS. do it dynamically instead. - make fileassoc_t a pointer and remove FILEASSOC_INVAL. - clean up kern_fileassoc.c. unify duplicated code. - unexport fileassoc_init using RUN_ONCE(9). - plug memory leaks in fileassoc_file_delete and fileassoc_table_delete. - always call callbacks, regardless of the value of the associated data.
ok'ed by elad.
|
Revision tags: yamt-splraiseipl-base3 netbsd-4-base
|
#
1.8 |
|
22-Nov-2006 |
elad |
branches: 1.8.2; Initial implementation of PaX Segvguard (this is still work-in-progress, it's just to get it out of my local tree).
|
#
1.7 |
|
22-Nov-2006 |
elad |
Make PaX MPROTECT use specificdata(9), freeing up two P_* flags. While here, make more generic for upcoming PaX features.
|
#
1.6 |
|
01-Nov-2006 |
yamt |
- remove an unnecessary #include. - make some variables static.
|
#
1.5 |
|
25-Oct-2006 |
cbiere |
Added missing whitespace in sysctl description string. PR kern/34915.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.4 |
|
26-Sep-2006 |
elad |
Change the PaX mprotect(2) restrictions' "global_protection" knob to just "global" -- it's shorter and more readable. Update documentation.
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 rpaulo-netinet-merge-pcb-base yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timecounters-base yamt-pdpolicy-base5 chap-midi-base
|
#
1.3 |
|
20-May-2006 |
elad |
branches: 1.3.2; 1.3.4; 1.3.6; 1.3.10; 1.3.14; 1.3.16; 1.3.18; Better implementation of PaX MPROTECT, after looking some more into the code and not trying to use temporary solutions.
Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX author for being quick to recognize that something fishy's going on. :)
Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().
Next time I suggest to commit a temporary solution just revoke my commit bit.
|
#
1.2 |
|
18-May-2006 |
elad |
branches: 1.2.2; CTLFLAG_IMMEDIATE doesn't do what I thought it did. from yamt@, thanks!
|
#
1.1 |
|
16-May-2006 |
elad |
Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen W^X mappings.
Disabled by default.
First proposed in:
http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html
More information in:
http://pax.grsecurity.net/docs/mprotect.txt
Read relevant parts of options(4) and sysctl(3) before using!
Lots of thanks to the PaX author and Matt Thomas.
|
#
1.61 |
|
23-Jan-2020 |
ad |
PAX_SEGVGUARD doesn't seem to work properly in testing for me, but at least make it not cause problems:
- Cover it with exec_lock so the updates are not racy. - Using fileassoc is silly. Just hang a pointer off the vnode.
|
Revision tags: ad-namecache-base1 ad-namecache-base netbsd-9-0-RC1 phil-wifi-20191119 netbsd-9-base phil-wifi-20190609 isaki-audio2-base pgoyette-compat-merge-20190127 pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906 pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base tls-maxphys-base-20171202 nick-nhusb-base-20170825 perseant-stdc-iso10646-base
|
#
1.60 |
|
25-Jun-2017 |
snj |
fix typo
|
Revision tags: netbsd-8-1-RELEASE netbsd-8-1-RC1 netbsd-8-0-RELEASE netbsd-8-0-RC2 netbsd-8-0-RC1 matt-nb8-mediatek-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2
|
#
1.59 |
|
06-May-2017 |
joerg |
Extend the mmap(2) interface to allow requesting protections for later use with mprotect(2), but without enabling them immediately.
Extend the mremap(2) interface to allow duplicating mappings, i.e. create a second range of virtual addresses references the same physical pages. Duplicated mappings can have different effective protections.
Adjust PAX mprotect logic to disallow effective protections of W&X, but allow one mapping W and another X protections. This obsoletes using temporary files for purposes like JIT.
Adjust PAX logic for mmap(2) and mprotect(2) to fail if W&X is requested and not silently drop the X protection.
Improve test cases to ensure correct operation of the changed interfaces.
|
Revision tags: prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 jdolecek-ncq-base pgoyette-localcount-20170320
|
#
1.58 |
|
18-Feb-2017 |
chs |
branches: 1.58.4; obey the executable's ELF alignment constraints for PIE. this fixes gdb of PIE binaries on mac68k (and other platforms which use an ELF alignment that is larger than PAGE_SIZE).
|
Revision tags: nick-nhusb-base-20170204 bouyer-socketcan-base pgoyette-localcount-20170107 nick-nhusb-base-20161204 pgoyette-localcount-20161104 nick-nhusb-base-20161004
|
#
1.57 |
|
17-Sep-2016 |
christos |
branches: 1.57.2; move aslr stuff to the aslr section
|
Revision tags: localcount-20160914
|
#
1.56 |
|
03-Sep-2016 |
christos |
vsize_t is not always u_long :-)
|
Revision tags: pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529
|
#
1.55 |
|
27-May-2016 |
christos |
branches: 1.55.2; fix compilation without PAX_MPROTECT
|
#
1.54 |
|
25-May-2016 |
wiz |
Consistent indent.
|
#
1.53 |
|
25-May-2016 |
christos |
Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1 as documented in sysctl(7): 0 - ptrace does not affect mprotect 1 - (default) mprotect is disabled for processes that start executing from the debugger (being traced) 2 - mprotect restrictions are relaxed for traced processes
|
#
1.52 |
|
25-May-2016 |
christos |
Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass mprotect settings so that debuggers can write to the text segment of traced processes so that they can insert breakpoints. Turned off by default. Ok: chuq (for now)
|
#
1.51 |
|
25-May-2016 |
christos |
randomize the location of the rtld.
|
#
1.50 |
|
24-May-2016 |
martin |
Effectively disable aslr for non-topdown-VA binaries (unless they are compat32, which we deal with properly). It would be possible to get those working too, but it is not worth the code complexity.
This makes binaries compiled with -mcmodel=medlow (and ancient binaries) work again on sparc64, smoothing the upgrade path.
ok: christos
|
#
1.49 |
|
22-May-2016 |
christos |
reduce #ifdef mess caused by PaX
|
#
1.48 |
|
22-May-2016 |
christos |
Account for the VA hole differently (simpler)
|
#
1.47 |
|
19-May-2016 |
christos |
fix for ILP32.
|
#
1.46 |
|
17-May-2016 |
christos |
Hook to clamp the random value for mmap for machies that don't have enough VA bits.
|
#
1.45 |
|
14-May-2016 |
christos |
only print debugging info if we are actually going to change the permission.
|
#
1.44 |
|
13-May-2016 |
christos |
- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4 and reduce the length of the randomization bits since this is unused. - call the pax aslr stack function sooner so we don't need to re-adjust the stack size. - adjust the stack max resource limit to account for the maximum space that can be lost by aslr - tidy up debugging printfs
|
#
1.43 |
|
08-May-2016 |
christos |
Fix stack allocation; limit delta to a quarter of the stack size. This should get rid of the random aborts.
|
#
1.42 |
|
08-May-2016 |
christos |
Move all the randomization inside kern_pax.c so we can control it directly. Add debugging flags to be able to set the random number externally.
|
Revision tags: nick-nhusb-base-20160422
|
#
1.41 |
|
10-Apr-2016 |
christos |
GC PAX_ASLR_EXEC
|
#
1.40 |
|
10-Apr-2016 |
christos |
Fix ASLR stack setup: - make it work on machine where the stack grows up. - use the same limits as mmap.
|
#
1.39 |
|
10-Apr-2016 |
christos |
Add a flags sysctl for ASLR to disable particular features. We seem to be having issues with stack setup.
|
#
1.38 |
|
07-Apr-2016 |
christos |
Add PAX_MPROTECT_DEBUG
|
#
1.37 |
|
04-Apr-2016 |
christos |
Add some diagnostic printf's when we reset permissions.
|
#
1.36 |
|
20-Mar-2016 |
christos |
simplify.
|
#
1.35 |
|
20-Mar-2016 |
khorben |
Let PaX ASLR know about the current emulation
This effectively fixes PaX ASLR with 32-bits emulation on 64-bits platforms. Without this knowledge, the offset applied for 32-bits programs was really meant for a 64-bits address space - thus shifting the address up to 12 bits, with a success rate of about 1/4096. This offset is calculated once in the lifetime of the process, which therefore behaved normally when able to start.
Fixes kern/50469, probably also kern/50986
Tested on NetBSD/amd64 (emul_netbsd32)
|
#
1.34 |
|
19-Mar-2016 |
christos |
Allow enabling and disabling PaX ASLR debug
|
Revision tags: nick-nhusb-base-20160319 nick-nhusb-base-20151226
|
#
1.33 |
|
09-Oct-2015 |
christos |
PR/50312: Robert Elz: Unconditionally include <sys/exec.h> to fix compilation when PAX_ASLR is not defined.
|
#
1.32 |
|
26-Sep-2015 |
maxv |
Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two months ago, but no one reviewed it - probably because it's not a trivial change.
This change fixes the following bug: when loading a PaX'ed binary, the kernel updates the PaX flag of the calling process before it makes sure the new process is actually launched. If the kernel fails to launch the new process, it does not restore the PaX flag of the calling process, leaving it in an inconsistent state.
Actually, simply restoring it would be horrible as well, since in the meantime another thread may have used the flag.
The solution is therefore: modify all the functions used by PaX so that they take as argument the exec package instead of the lwp, and set the PaX flag in the process *right before* launching the new process - it cannot fail in the meantime.
|
Revision tags: nick-nhusb-base-20150921
|
#
1.31 |
|
04-Aug-2015 |
maxv |
Some changes, to reduce a bit my tech-kern@ patch: - move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h - add a generic pax_flags_active() function - fix a comment in exec_elf.c; interp is not static - KNF for return - rename pax_aslr() to pax_aslr_mmap() - rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()
|
#
1.30 |
|
31-Jul-2015 |
maxv |
Small changes: - rename pax_aslr_init() to pax_aslr_init_vm() - remove the PAX_ flags (unused) - fix a comment in pax.h
|
#
1.29 |
|
30-Jul-2015 |
maxv |
Revamp PaX: - don't confuse between ELF flags and proc flags. Introduce the proc- specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags. - introduce pax_setup_elf_flags(), which takes as argument the PaX flag of the ELF PaX note section, and which sets the proc flag as appropriate. Also introduce a couple of other functions used for that purpose. - modify pax_aslr_active(), and all the other similar pieces of code, so that it checks the proc flag directly, without extra ELF computation
In addition to making PaX clearer, the combination of these changes fixes the following bug: if a non-PaX'ed process is launched, and then someone sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes PaX'ed while its address space hasn't been randomized, which is not likely to be a good idea.
Now, only the proc flag is checked at runtime, which means the process's PaX status won't be altered during the execution.
Also: - declare PAX_DPRINTF, makes it more readable - fix a typo in exec_elf.h
|
Revision tags: nick-nhusb-base-20150606
|
#
1.28 |
|
13-Apr-2015 |
riastradh |
<sys/rnd.h> not needed for kern_pax.c.
|
Revision tags: netbsd-7-2-RELEASE netbsd-7-1-2-RELEASE netbsd-7-1-1-RELEASE netbsd-7-1-RELEASE netbsd-7-1-RC2 netbsd-7-nhusb-base-20170116 netbsd-7-1-RC1 netbsd-7-0-2-RELEASE netbsd-7-nhusb-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.27 |
|
25-Feb-2014 |
pooka |
branches: 1.27.6; Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate lines of code.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-pre-base2 jmcneill-usbmp-base2 netbsd-6-base jmcneill-usbmp-base
|
#
1.26 |
|
19-Nov-2011 |
tls |
branches: 1.26.8; 1.26.12; First step of random number subsystem rework described in <20111022023242.BA26F14A158@mail.netbsd.org>. This change includes the following:
An initial cleanup and minor reorganization of the entropy pool code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are fixed. Some effort is made to accumulate entropy more quickly at boot time.
A generic interface, "rndsink", is added, for stream generators to request that they be re-keyed with good quality entropy from the pool as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is adjusted to use the rndsink interface for rekeying, which helps address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random number generator quality is provided (libkern/rngtest.c). This is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is based on an implementation of the NIST SP800-90 CTR_DRBG by Henric Jungheim. This generator users AES in a modified counter mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers of randomness. The arc4random/arc4randbytes API is deprecated for in-kernel use. It is replaced by "cprng_strong". The current cprng_fast implementation wraps the existing arc4random implementation. The current cprng_strong implementation wraps the new CTR_DRBG implementation. Both interfaces are rekeyed from the entropy pool automatically at intervals justifiable from best current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as the old arc4randbytes(), and cprng_strong() is about 20% faster than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional kernel component, as it is required by cprng_strong, which is not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at startup time; if it fails, the system will reboot. There is approximately a 3/10000 chance of a false positive from these tests. Entropy pool _input_ from hardware random numbers is subjected to the rngtest tests at attach time, as well as the FIPS continuous-output test, to detect bad or stuck hardware RNGs; if any are detected, they are detached, but the system continues to run.
A problem with rndctl(8) is fixed -- datastructures with pointers in arrays are no longer passed to userspace (this was not a security problem, but rather a major issue for compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked up to the new generators, but the /dev/*random pseudodevices are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
|
Revision tags: jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.25 |
|
24-Apr-2011 |
rmind |
branches: 1.25.4; - Replace few malloc(9) uses with kmem(9). - Rename buf_malloc() to buf_alloc(), fix comments. - Remove some unnecessary inclusions.
|
Revision tags: bouyer-quota2-nbase bouyer-quota2-base jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.24 |
|
23-Aug-2010 |
christos |
branches: 1.24.2; Fix issues with stack allocation and pax aslr: - since the size is unsigned, don't check just that it is > 0, but limit it to the MAXSSIZ - if the stack size is reduced because of aslr, make sure we reduce the actual allocation by the same size so that the size does not wrap around. NB: Must be pulled up to 5.x!
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1
|
#
1.23 |
|
15-Mar-2010 |
christos |
rename DEBUG_ASLR -> PAX_ASLR_DEBUG
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 yamt-nfs-mp-base9 uebayasi-xip-base netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-premerge-20091211 yamt-nfs-mp-base8 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 yamt-nfs-mp-base7 netbsd-5-0-1-RELEASE jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 jym-xensuspend-base netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base nick-hppapmap-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base wrstuden-revivesa-base mjf-devfs2-base
|
#
1.22 |
|
04-Jun-2008 |
ad |
branches: 1.22.8; 1.22.14; 1.22.16; 1.22.18; 1.22.20; Fix broken enable test; fixes random coredumps.
|
#
1.21 |
|
03-Jun-2008 |
ad |
Don't use proc specificdata. Speeds up mmap() and others.
|
Revision tags: yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-nfs-mp-base2 yamt-nfs-mp-base yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-nbase mjf-devfs-base matt-armv6-base hpcarm-cleanup-base
|
#
1.20 |
|
28-Dec-2007 |
elad |
branches: 1.20.6; 1.20.8; 1.20.10; 1.20.12; Provide 8 more bits of stack randomization, from the PaX author.
While here, don't make too much use of one random value, and call arc4random() directly. Allows for the removal of 'ep_random' from the exec_package.
Prompted by and okay christos@.
|
#
1.19 |
|
27-Dec-2007 |
elad |
PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h. Export randomized bits # for stack and exec base too via sysctl.
okay christos@.
|
#
1.18 |
|
26-Dec-2007 |
christos |
Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]
For regular (non PIE) executables randomization is enabled for: 1. The data segment 2. The stack
For PIE executables(*) randomization is enabled for: 1. The program itself 2. All shared libraries 3. The data segment 4. The stack
(*) To generate a PIE executable: - compile everything with -fPIC - link with -shared-libgcc -Wl,-pie
This feature is experimental, and might change. To use selectively add options PAX_ASLR=0 in your kernel.
Currently we are using 12 bits for the stack, program, and data segment and 16 or 24 bits for mmap, depending on __LP64__.
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.17 |
|
21-Sep-2007 |
dsl |
branches: 1.17.6; 1.17.12; Include sys/cdefs.h first.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.16 |
|
24-Jun-2007 |
christos |
branches: 1.16.6; 1.16.8; Use an elf note to handle pax arguments. This is a temporary solution to avoid wasting OS flag bits. In the future we'll probably use fileassoc to achieve this (once there is a way to make fileassoc persistent) or in the shorter term libelf, so that we can add and remove the note on demand instead of burning bits on each binary. Of course since this is a tool, this means that we'll need to think about how to handle libelf...
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base ad-audiomp-base
|
#
1.15 |
|
22-Feb-2007 |
thorpej |
branches: 1.15.4; 1.15.6; TRUE -> true, FALSE -> false
|
#
1.14 |
|
21-Feb-2007 |
thorpej |
Replace the Mach-derived boolean_t type with the C99 bool type. A future commit will replace use of TRUE and FALSE with true and false.
|
Revision tags: post-newlock2-merge newlock2-nbase newlock2-base
|
#
1.13 |
|
06-Feb-2007 |
elad |
branches: 1.13.2; PR/35253: YAMAMOTO Takashi: fileassoc hash size problem
fileassoc_table_add() was removed from the KPI and made internal. From now fileassoc(9) will manage the optimal table size internally.
Input from and okay yamt@.
|
#
1.12 |
|
09-Jan-2007 |
elad |
Remove advertising clause from all of my stuff.
|
#
1.11 |
|
26-Dec-2006 |
elad |
Fix copy/paste error: Veriexec's sysctl setup routine was named after PaX's.
|
#
1.10 |
|
23-Dec-2006 |
yamt |
- remove the fileassoc "tabledata" functionality. use mountspecific instead. - make pax_segvguard_cb static.
tested and ok'ed by elad.
|
Revision tags: yamt-splraiseipl-base5 yamt-splraiseipl-base4
|
#
1.9 |
|
11-Dec-2006 |
yamt |
- remove a static configuration, FILEASSOC_NHOOKS. do it dynamically instead. - make fileassoc_t a pointer and remove FILEASSOC_INVAL. - clean up kern_fileassoc.c. unify duplicated code. - unexport fileassoc_init using RUN_ONCE(9). - plug memory leaks in fileassoc_file_delete and fileassoc_table_delete. - always call callbacks, regardless of the value of the associated data.
ok'ed by elad.
|
Revision tags: yamt-splraiseipl-base3 netbsd-4-base
|
#
1.8 |
|
22-Nov-2006 |
elad |
branches: 1.8.2; Initial implementation of PaX Segvguard (this is still work-in-progress, it's just to get it out of my local tree).
|
#
1.7 |
|
22-Nov-2006 |
elad |
Make PaX MPROTECT use specificdata(9), freeing up two P_* flags. While here, make more generic for upcoming PaX features.
|
#
1.6 |
|
01-Nov-2006 |
yamt |
- remove an unnecessary #include. - make some variables static.
|
#
1.5 |
|
25-Oct-2006 |
cbiere |
Added missing whitespace in sysctl description string. PR kern/34915.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.4 |
|
26-Sep-2006 |
elad |
Change the PaX mprotect(2) restrictions' "global_protection" knob to just "global" -- it's shorter and more readable. Update documentation.
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 rpaulo-netinet-merge-pcb-base yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timecounters-base yamt-pdpolicy-base5 chap-midi-base
|
#
1.3 |
|
20-May-2006 |
elad |
branches: 1.3.2; 1.3.4; 1.3.6; 1.3.10; 1.3.14; 1.3.16; 1.3.18; Better implementation of PaX MPROTECT, after looking some more into the code and not trying to use temporary solutions.
Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX author for being quick to recognize that something fishy's going on. :)
Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().
Next time I suggest to commit a temporary solution just revoke my commit bit.
|
#
1.2 |
|
18-May-2006 |
elad |
branches: 1.2.2; CTLFLAG_IMMEDIATE doesn't do what I thought it did. from yamt@, thanks!
|
#
1.1 |
|
16-May-2006 |
elad |
Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen W^X mappings.
Disabled by default.
First proposed in:
http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html
More information in:
http://pax.grsecurity.net/docs/mprotect.txt
Read relevant parts of options(4) and sysctl(3) before using!
Lots of thanks to the PaX author and Matt Thomas.
|
#
1.60 |
|
25-Jun-2017 |
snj |
fix typo
|
Revision tags: netbsd-8-base prg-localcount2-base3 prg-localcount2-base2
|
#
1.59 |
|
06-May-2017 |
joerg |
Extend the mmap(2) interface to allow requesting protections for later use with mprotect(2), but without enabling them immediately.
Extend the mremap(2) interface to allow duplicating mappings, i.e. create a second range of virtual addresses references the same physical pages. Duplicated mappings can have different effective protections.
Adjust PAX mprotect logic to disallow effective protections of W&X, but allow one mapping W and another X protections. This obsoletes using temporary files for purposes like JIT.
Adjust PAX logic for mmap(2) and mprotect(2) to fail if W&X is requested and not silently drop the X protection.
Improve test cases to ensure correct operation of the changed interfaces.
|
Revision tags: prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 jdolecek-ncq-base pgoyette-localcount-20170320
|
#
1.58 |
|
18-Feb-2017 |
chs |
branches: 1.58.4; obey the executable's ELF alignment constraints for PIE. this fixes gdb of PIE binaries on mac68k (and other platforms which use an ELF alignment that is larger than PAGE_SIZE).
|
Revision tags: nick-nhusb-base-20170204 bouyer-socketcan-base pgoyette-localcount-20170107 nick-nhusb-base-20161204 pgoyette-localcount-20161104 nick-nhusb-base-20161004
|
#
1.57 |
|
17-Sep-2016 |
christos |
branches: 1.57.2; move aslr stuff to the aslr section
|
Revision tags: localcount-20160914
|
#
1.56 |
|
03-Sep-2016 |
christos |
vsize_t is not always u_long :-)
|
Revision tags: pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529
|
#
1.55 |
|
27-May-2016 |
christos |
branches: 1.55.2; fix compilation without PAX_MPROTECT
|
#
1.54 |
|
25-May-2016 |
wiz |
Consistent indent.
|
#
1.53 |
|
25-May-2016 |
christos |
Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1 as documented in sysctl(7): 0 - ptrace does not affect mprotect 1 - (default) mprotect is disabled for processes that start executing from the debugger (being traced) 2 - mprotect restrictions are relaxed for traced processes
|
#
1.52 |
|
25-May-2016 |
christos |
Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass mprotect settings so that debuggers can write to the text segment of traced processes so that they can insert breakpoints. Turned off by default. Ok: chuq (for now)
|
#
1.51 |
|
25-May-2016 |
christos |
randomize the location of the rtld.
|
#
1.50 |
|
24-May-2016 |
martin |
Effectively disable aslr for non-topdown-VA binaries (unless they are compat32, which we deal with properly). It would be possible to get those working too, but it is not worth the code complexity.
This makes binaries compiled with -mcmodel=medlow (and ancient binaries) work again on sparc64, smoothing the upgrade path.
ok: christos
|
#
1.49 |
|
22-May-2016 |
christos |
reduce #ifdef mess caused by PaX
|
#
1.48 |
|
22-May-2016 |
christos |
Account for the VA hole differently (simpler)
|
#
1.47 |
|
19-May-2016 |
christos |
fix for ILP32.
|
#
1.46 |
|
17-May-2016 |
christos |
Hook to clamp the random value for mmap for machies that don't have enough VA bits.
|
#
1.45 |
|
14-May-2016 |
christos |
only print debugging info if we are actually going to change the permission.
|
#
1.44 |
|
13-May-2016 |
christos |
- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4 and reduce the length of the randomization bits since this is unused. - call the pax aslr stack function sooner so we don't need to re-adjust the stack size. - adjust the stack max resource limit to account for the maximum space that can be lost by aslr - tidy up debugging printfs
|
#
1.43 |
|
08-May-2016 |
christos |
Fix stack allocation; limit delta to a quarter of the stack size. This should get rid of the random aborts.
|
#
1.42 |
|
08-May-2016 |
christos |
Move all the randomization inside kern_pax.c so we can control it directly. Add debugging flags to be able to set the random number externally.
|
Revision tags: nick-nhusb-base-20160422
|
#
1.41 |
|
10-Apr-2016 |
christos |
GC PAX_ASLR_EXEC
|
#
1.40 |
|
10-Apr-2016 |
christos |
Fix ASLR stack setup: - make it work on machine where the stack grows up. - use the same limits as mmap.
|
#
1.39 |
|
10-Apr-2016 |
christos |
Add a flags sysctl for ASLR to disable particular features. We seem to be having issues with stack setup.
|
#
1.38 |
|
07-Apr-2016 |
christos |
Add PAX_MPROTECT_DEBUG
|
#
1.37 |
|
04-Apr-2016 |
christos |
Add some diagnostic printf's when we reset permissions.
|
#
1.36 |
|
20-Mar-2016 |
christos |
simplify.
|
#
1.35 |
|
20-Mar-2016 |
khorben |
Let PaX ASLR know about the current emulation
This effectively fixes PaX ASLR with 32-bits emulation on 64-bits platforms. Without this knowledge, the offset applied for 32-bits programs was really meant for a 64-bits address space - thus shifting the address up to 12 bits, with a success rate of about 1/4096. This offset is calculated once in the lifetime of the process, which therefore behaved normally when able to start.
Fixes kern/50469, probably also kern/50986
Tested on NetBSD/amd64 (emul_netbsd32)
|
#
1.34 |
|
19-Mar-2016 |
christos |
Allow enabling and disabling PaX ASLR debug
|
Revision tags: nick-nhusb-base-20160319 nick-nhusb-base-20151226
|
#
1.33 |
|
09-Oct-2015 |
christos |
PR/50312: Robert Elz: Unconditionally include <sys/exec.h> to fix compilation when PAX_ASLR is not defined.
|
#
1.32 |
|
26-Sep-2015 |
maxv |
Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two months ago, but no one reviewed it - probably because it's not a trivial change.
This change fixes the following bug: when loading a PaX'ed binary, the kernel updates the PaX flag of the calling process before it makes sure the new process is actually launched. If the kernel fails to launch the new process, it does not restore the PaX flag of the calling process, leaving it in an inconsistent state.
Actually, simply restoring it would be horrible as well, since in the meantime another thread may have used the flag.
The solution is therefore: modify all the functions used by PaX so that they take as argument the exec package instead of the lwp, and set the PaX flag in the process *right before* launching the new process - it cannot fail in the meantime.
|
Revision tags: nick-nhusb-base-20150921
|
#
1.31 |
|
04-Aug-2015 |
maxv |
Some changes, to reduce a bit my tech-kern@ patch: - move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h - add a generic pax_flags_active() function - fix a comment in exec_elf.c; interp is not static - KNF for return - rename pax_aslr() to pax_aslr_mmap() - rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()
|
#
1.30 |
|
31-Jul-2015 |
maxv |
Small changes: - rename pax_aslr_init() to pax_aslr_init_vm() - remove the PAX_ flags (unused) - fix a comment in pax.h
|
#
1.29 |
|
30-Jul-2015 |
maxv |
Revamp PaX: - don't confuse between ELF flags and proc flags. Introduce the proc- specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags. - introduce pax_setup_elf_flags(), which takes as argument the PaX flag of the ELF PaX note section, and which sets the proc flag as appropriate. Also introduce a couple of other functions used for that purpose. - modify pax_aslr_active(), and all the other similar pieces of code, so that it checks the proc flag directly, without extra ELF computation
In addition to making PaX clearer, the combination of these changes fixes the following bug: if a non-PaX'ed process is launched, and then someone sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes PaX'ed while its address space hasn't been randomized, which is not likely to be a good idea.
Now, only the proc flag is checked at runtime, which means the process's PaX status won't be altered during the execution.
Also: - declare PAX_DPRINTF, makes it more readable - fix a typo in exec_elf.h
|
Revision tags: nick-nhusb-base-20150606
|
#
1.28 |
|
13-Apr-2015 |
riastradh |
<sys/rnd.h> not needed for kern_pax.c.
|
Revision tags: netbsd-7-1-RELEASE netbsd-7-1-RC2 netbsd-7-nhusb-base-20170116 netbsd-7-1-RC1 netbsd-7-0-2-RELEASE netbsd-7-nhusb-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.27 |
|
25-Feb-2014 |
pooka |
branches: 1.27.6; Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate lines of code.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-pre-base2 jmcneill-usbmp-base2 netbsd-6-base jmcneill-usbmp-base
|
#
1.26 |
|
19-Nov-2011 |
tls |
branches: 1.26.8; 1.26.12; First step of random number subsystem rework described in <20111022023242.BA26F14A158@mail.netbsd.org>. This change includes the following:
An initial cleanup and minor reorganization of the entropy pool code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are fixed. Some effort is made to accumulate entropy more quickly at boot time.
A generic interface, "rndsink", is added, for stream generators to request that they be re-keyed with good quality entropy from the pool as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is adjusted to use the rndsink interface for rekeying, which helps address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random number generator quality is provided (libkern/rngtest.c). This is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is based on an implementation of the NIST SP800-90 CTR_DRBG by Henric Jungheim. This generator users AES in a modified counter mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers of randomness. The arc4random/arc4randbytes API is deprecated for in-kernel use. It is replaced by "cprng_strong". The current cprng_fast implementation wraps the existing arc4random implementation. The current cprng_strong implementation wraps the new CTR_DRBG implementation. Both interfaces are rekeyed from the entropy pool automatically at intervals justifiable from best current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as the old arc4randbytes(), and cprng_strong() is about 20% faster than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional kernel component, as it is required by cprng_strong, which is not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at startup time; if it fails, the system will reboot. There is approximately a 3/10000 chance of a false positive from these tests. Entropy pool _input_ from hardware random numbers is subjected to the rngtest tests at attach time, as well as the FIPS continuous-output test, to detect bad or stuck hardware RNGs; if any are detected, they are detached, but the system continues to run.
A problem with rndctl(8) is fixed -- datastructures with pointers in arrays are no longer passed to userspace (this was not a security problem, but rather a major issue for compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked up to the new generators, but the /dev/*random pseudodevices are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
|
Revision tags: jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.25 |
|
24-Apr-2011 |
rmind |
branches: 1.25.4; - Replace few malloc(9) uses with kmem(9). - Rename buf_malloc() to buf_alloc(), fix comments. - Remove some unnecessary inclusions.
|
Revision tags: bouyer-quota2-nbase bouyer-quota2-base jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.24 |
|
23-Aug-2010 |
christos |
branches: 1.24.2; Fix issues with stack allocation and pax aslr: - since the size is unsigned, don't check just that it is > 0, but limit it to the MAXSSIZ - if the stack size is reduced because of aslr, make sure we reduce the actual allocation by the same size so that the size does not wrap around. NB: Must be pulled up to 5.x!
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1
|
#
1.23 |
|
15-Mar-2010 |
christos |
rename DEBUG_ASLR -> PAX_ASLR_DEBUG
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 yamt-nfs-mp-base9 uebayasi-xip-base netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-premerge-20091211 yamt-nfs-mp-base8 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 yamt-nfs-mp-base7 netbsd-5-0-1-RELEASE jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 jym-xensuspend-base netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base nick-hppapmap-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base wrstuden-revivesa-base mjf-devfs2-base
|
#
1.22 |
|
04-Jun-2008 |
ad |
branches: 1.22.8; 1.22.14; 1.22.16; 1.22.18; 1.22.20; Fix broken enable test; fixes random coredumps.
|
#
1.21 |
|
03-Jun-2008 |
ad |
Don't use proc specificdata. Speeds up mmap() and others.
|
Revision tags: yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-nfs-mp-base2 yamt-nfs-mp-base yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-nbase mjf-devfs-base matt-armv6-base hpcarm-cleanup-base
|
#
1.20 |
|
28-Dec-2007 |
elad |
branches: 1.20.6; 1.20.8; 1.20.10; 1.20.12; Provide 8 more bits of stack randomization, from the PaX author.
While here, don't make too much use of one random value, and call arc4random() directly. Allows for the removal of 'ep_random' from the exec_package.
Prompted by and okay christos@.
|
#
1.19 |
|
27-Dec-2007 |
elad |
PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h. Export randomized bits # for stack and exec base too via sysctl.
okay christos@.
|
#
1.18 |
|
26-Dec-2007 |
christos |
Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]
For regular (non PIE) executables randomization is enabled for: 1. The data segment 2. The stack
For PIE executables(*) randomization is enabled for: 1. The program itself 2. All shared libraries 3. The data segment 4. The stack
(*) To generate a PIE executable: - compile everything with -fPIC - link with -shared-libgcc -Wl,-pie
This feature is experimental, and might change. To use selectively add options PAX_ASLR=0 in your kernel.
Currently we are using 12 bits for the stack, program, and data segment and 16 or 24 bits for mmap, depending on __LP64__.
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.17 |
|
21-Sep-2007 |
dsl |
branches: 1.17.6; 1.17.12; Include sys/cdefs.h first.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.16 |
|
24-Jun-2007 |
christos |
branches: 1.16.6; 1.16.8; Use an elf note to handle pax arguments. This is a temporary solution to avoid wasting OS flag bits. In the future we'll probably use fileassoc to achieve this (once there is a way to make fileassoc persistent) or in the shorter term libelf, so that we can add and remove the note on demand instead of burning bits on each binary. Of course since this is a tool, this means that we'll need to think about how to handle libelf...
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base ad-audiomp-base
|
#
1.15 |
|
22-Feb-2007 |
thorpej |
branches: 1.15.4; 1.15.6; TRUE -> true, FALSE -> false
|
#
1.14 |
|
21-Feb-2007 |
thorpej |
Replace the Mach-derived boolean_t type with the C99 bool type. A future commit will replace use of TRUE and FALSE with true and false.
|
Revision tags: post-newlock2-merge newlock2-nbase newlock2-base
|
#
1.13 |
|
06-Feb-2007 |
elad |
branches: 1.13.2; PR/35253: YAMAMOTO Takashi: fileassoc hash size problem
fileassoc_table_add() was removed from the KPI and made internal. From now fileassoc(9) will manage the optimal table size internally.
Input from and okay yamt@.
|
#
1.12 |
|
09-Jan-2007 |
elad |
Remove advertising clause from all of my stuff.
|
#
1.11 |
|
26-Dec-2006 |
elad |
Fix copy/paste error: Veriexec's sysctl setup routine was named after PaX's.
|
#
1.10 |
|
23-Dec-2006 |
yamt |
- remove the fileassoc "tabledata" functionality. use mountspecific instead. - make pax_segvguard_cb static.
tested and ok'ed by elad.
|
Revision tags: yamt-splraiseipl-base5 yamt-splraiseipl-base4
|
#
1.9 |
|
11-Dec-2006 |
yamt |
- remove a static configuration, FILEASSOC_NHOOKS. do it dynamically instead. - make fileassoc_t a pointer and remove FILEASSOC_INVAL. - clean up kern_fileassoc.c. unify duplicated code. - unexport fileassoc_init using RUN_ONCE(9). - plug memory leaks in fileassoc_file_delete and fileassoc_table_delete. - always call callbacks, regardless of the value of the associated data.
ok'ed by elad.
|
Revision tags: yamt-splraiseipl-base3 netbsd-4-base
|
#
1.8 |
|
22-Nov-2006 |
elad |
branches: 1.8.2; Initial implementation of PaX Segvguard (this is still work-in-progress, it's just to get it out of my local tree).
|
#
1.7 |
|
22-Nov-2006 |
elad |
Make PaX MPROTECT use specificdata(9), freeing up two P_* flags. While here, make more generic for upcoming PaX features.
|
#
1.6 |
|
01-Nov-2006 |
yamt |
- remove an unnecessary #include. - make some variables static.
|
#
1.5 |
|
25-Oct-2006 |
cbiere |
Added missing whitespace in sysctl description string. PR kern/34915.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.4 |
|
26-Sep-2006 |
elad |
Change the PaX mprotect(2) restrictions' "global_protection" knob to just "global" -- it's shorter and more readable. Update documentation.
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 rpaulo-netinet-merge-pcb-base yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timecounters-base yamt-pdpolicy-base5 chap-midi-base
|
#
1.3 |
|
20-May-2006 |
elad |
branches: 1.3.2; 1.3.4; 1.3.6; 1.3.10; 1.3.14; 1.3.16; 1.3.18; Better implementation of PaX MPROTECT, after looking some more into the code and not trying to use temporary solutions.
Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX author for being quick to recognize that something fishy's going on. :)
Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().
Next time I suggest to commit a temporary solution just revoke my commit bit.
|
#
1.2 |
|
18-May-2006 |
elad |
branches: 1.2.2; CTLFLAG_IMMEDIATE doesn't do what I thought it did. from yamt@, thanks!
|
#
1.1 |
|
16-May-2006 |
elad |
Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen W^X mappings.
Disabled by default.
First proposed in:
http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html
More information in:
http://pax.grsecurity.net/docs/mprotect.txt
Read relevant parts of options(4) and sysctl(3) before using!
Lots of thanks to the PaX author and Matt Thomas.
|
#
1.59 |
|
06-May-2017 |
joerg |
Extend the mmap(2) interface to allow requesting protections for later use with mprotect(2), but without enabling them immediately.
Extend the mremap(2) interface to allow duplicating mappings, i.e. create a second range of virtual addresses references the same physical pages. Duplicated mappings can have different effective protections.
Adjust PAX mprotect logic to disallow effective protections of W&X, but allow one mapping W and another X protections. This obsoletes using temporary files for purposes like JIT.
Adjust PAX logic for mmap(2) and mprotect(2) to fail if W&X is requested and not silently drop the X protection.
Improve test cases to ensure correct operation of the changed interfaces.
|
Revision tags: prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 jdolecek-ncq-base pgoyette-localcount-20170320
|
#
1.58 |
|
18-Feb-2017 |
chs |
obey the executable's ELF alignment constraints for PIE. this fixes gdb of PIE binaries on mac68k (and other platforms which use an ELF alignment that is larger than PAGE_SIZE).
|
Revision tags: nick-nhusb-base-20170204 bouyer-socketcan-base pgoyette-localcount-20170107 nick-nhusb-base-20161204 pgoyette-localcount-20161104 nick-nhusb-base-20161004
|
#
1.57 |
|
17-Sep-2016 |
christos |
branches: 1.57.2; move aslr stuff to the aslr section
|
Revision tags: localcount-20160914
|
#
1.56 |
|
03-Sep-2016 |
christos |
vsize_t is not always u_long :-)
|
Revision tags: pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529
|
#
1.55 |
|
27-May-2016 |
christos |
branches: 1.55.2; fix compilation without PAX_MPROTECT
|
#
1.54 |
|
25-May-2016 |
wiz |
Consistent indent.
|
#
1.53 |
|
25-May-2016 |
christos |
Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1 as documented in sysctl(7): 0 - ptrace does not affect mprotect 1 - (default) mprotect is disabled for processes that start executing from the debugger (being traced) 2 - mprotect restrictions are relaxed for traced processes
|
#
1.52 |
|
25-May-2016 |
christos |
Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass mprotect settings so that debuggers can write to the text segment of traced processes so that they can insert breakpoints. Turned off by default. Ok: chuq (for now)
|
#
1.51 |
|
25-May-2016 |
christos |
randomize the location of the rtld.
|
#
1.50 |
|
24-May-2016 |
martin |
Effectively disable aslr for non-topdown-VA binaries (unless they are compat32, which we deal with properly). It would be possible to get those working too, but it is not worth the code complexity.
This makes binaries compiled with -mcmodel=medlow (and ancient binaries) work again on sparc64, smoothing the upgrade path.
ok: christos
|
#
1.49 |
|
22-May-2016 |
christos |
reduce #ifdef mess caused by PaX
|
#
1.48 |
|
22-May-2016 |
christos |
Account for the VA hole differently (simpler)
|
#
1.47 |
|
19-May-2016 |
christos |
fix for ILP32.
|
#
1.46 |
|
17-May-2016 |
christos |
Hook to clamp the random value for mmap for machies that don't have enough VA bits.
|
#
1.45 |
|
14-May-2016 |
christos |
only print debugging info if we are actually going to change the permission.
|
#
1.44 |
|
13-May-2016 |
christos |
- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4 and reduce the length of the randomization bits since this is unused. - call the pax aslr stack function sooner so we don't need to re-adjust the stack size. - adjust the stack max resource limit to account for the maximum space that can be lost by aslr - tidy up debugging printfs
|
#
1.43 |
|
08-May-2016 |
christos |
Fix stack allocation; limit delta to a quarter of the stack size. This should get rid of the random aborts.
|
#
1.42 |
|
08-May-2016 |
christos |
Move all the randomization inside kern_pax.c so we can control it directly. Add debugging flags to be able to set the random number externally.
|
Revision tags: nick-nhusb-base-20160422
|
#
1.41 |
|
10-Apr-2016 |
christos |
GC PAX_ASLR_EXEC
|
#
1.40 |
|
10-Apr-2016 |
christos |
Fix ASLR stack setup: - make it work on machine where the stack grows up. - use the same limits as mmap.
|
#
1.39 |
|
10-Apr-2016 |
christos |
Add a flags sysctl for ASLR to disable particular features. We seem to be having issues with stack setup.
|
#
1.38 |
|
07-Apr-2016 |
christos |
Add PAX_MPROTECT_DEBUG
|
#
1.37 |
|
04-Apr-2016 |
christos |
Add some diagnostic printf's when we reset permissions.
|
#
1.36 |
|
20-Mar-2016 |
christos |
simplify.
|
#
1.35 |
|
20-Mar-2016 |
khorben |
Let PaX ASLR know about the current emulation
This effectively fixes PaX ASLR with 32-bits emulation on 64-bits platforms. Without this knowledge, the offset applied for 32-bits programs was really meant for a 64-bits address space - thus shifting the address up to 12 bits, with a success rate of about 1/4096. This offset is calculated once in the lifetime of the process, which therefore behaved normally when able to start.
Fixes kern/50469, probably also kern/50986
Tested on NetBSD/amd64 (emul_netbsd32)
|
#
1.34 |
|
19-Mar-2016 |
christos |
Allow enabling and disabling PaX ASLR debug
|
Revision tags: nick-nhusb-base-20160319 nick-nhusb-base-20151226
|
#
1.33 |
|
09-Oct-2015 |
christos |
PR/50312: Robert Elz: Unconditionally include <sys/exec.h> to fix compilation when PAX_ASLR is not defined.
|
#
1.32 |
|
26-Sep-2015 |
maxv |
Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two months ago, but no one reviewed it - probably because it's not a trivial change.
This change fixes the following bug: when loading a PaX'ed binary, the kernel updates the PaX flag of the calling process before it makes sure the new process is actually launched. If the kernel fails to launch the new process, it does not restore the PaX flag of the calling process, leaving it in an inconsistent state.
Actually, simply restoring it would be horrible as well, since in the meantime another thread may have used the flag.
The solution is therefore: modify all the functions used by PaX so that they take as argument the exec package instead of the lwp, and set the PaX flag in the process *right before* launching the new process - it cannot fail in the meantime.
|
Revision tags: nick-nhusb-base-20150921
|
#
1.31 |
|
04-Aug-2015 |
maxv |
Some changes, to reduce a bit my tech-kern@ patch: - move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h - add a generic pax_flags_active() function - fix a comment in exec_elf.c; interp is not static - KNF for return - rename pax_aslr() to pax_aslr_mmap() - rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()
|
#
1.30 |
|
31-Jul-2015 |
maxv |
Small changes: - rename pax_aslr_init() to pax_aslr_init_vm() - remove the PAX_ flags (unused) - fix a comment in pax.h
|
#
1.29 |
|
30-Jul-2015 |
maxv |
Revamp PaX: - don't confuse between ELF flags and proc flags. Introduce the proc- specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags. - introduce pax_setup_elf_flags(), which takes as argument the PaX flag of the ELF PaX note section, and which sets the proc flag as appropriate. Also introduce a couple of other functions used for that purpose. - modify pax_aslr_active(), and all the other similar pieces of code, so that it checks the proc flag directly, without extra ELF computation
In addition to making PaX clearer, the combination of these changes fixes the following bug: if a non-PaX'ed process is launched, and then someone sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes PaX'ed while its address space hasn't been randomized, which is not likely to be a good idea.
Now, only the proc flag is checked at runtime, which means the process's PaX status won't be altered during the execution.
Also: - declare PAX_DPRINTF, makes it more readable - fix a typo in exec_elf.h
|
Revision tags: nick-nhusb-base-20150606
|
#
1.28 |
|
13-Apr-2015 |
riastradh |
<sys/rnd.h> not needed for kern_pax.c.
|
Revision tags: netbsd-7-1-RELEASE netbsd-7-1-RC2 netbsd-7-nhusb-base-20170116 netbsd-7-1-RC1 netbsd-7-0-2-RELEASE netbsd-7-nhusb-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.27 |
|
25-Feb-2014 |
pooka |
branches: 1.27.6; Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate lines of code.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-pre-base2 jmcneill-usbmp-base2 netbsd-6-base jmcneill-usbmp-base
|
#
1.26 |
|
19-Nov-2011 |
tls |
branches: 1.26.8; 1.26.12; First step of random number subsystem rework described in <20111022023242.BA26F14A158@mail.netbsd.org>. This change includes the following:
An initial cleanup and minor reorganization of the entropy pool code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are fixed. Some effort is made to accumulate entropy more quickly at boot time.
A generic interface, "rndsink", is added, for stream generators to request that they be re-keyed with good quality entropy from the pool as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is adjusted to use the rndsink interface for rekeying, which helps address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random number generator quality is provided (libkern/rngtest.c). This is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is based on an implementation of the NIST SP800-90 CTR_DRBG by Henric Jungheim. This generator users AES in a modified counter mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers of randomness. The arc4random/arc4randbytes API is deprecated for in-kernel use. It is replaced by "cprng_strong". The current cprng_fast implementation wraps the existing arc4random implementation. The current cprng_strong implementation wraps the new CTR_DRBG implementation. Both interfaces are rekeyed from the entropy pool automatically at intervals justifiable from best current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as the old arc4randbytes(), and cprng_strong() is about 20% faster than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional kernel component, as it is required by cprng_strong, which is not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at startup time; if it fails, the system will reboot. There is approximately a 3/10000 chance of a false positive from these tests. Entropy pool _input_ from hardware random numbers is subjected to the rngtest tests at attach time, as well as the FIPS continuous-output test, to detect bad or stuck hardware RNGs; if any are detected, they are detached, but the system continues to run.
A problem with rndctl(8) is fixed -- datastructures with pointers in arrays are no longer passed to userspace (this was not a security problem, but rather a major issue for compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked up to the new generators, but the /dev/*random pseudodevices are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
|
Revision tags: jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.25 |
|
24-Apr-2011 |
rmind |
branches: 1.25.4; - Replace few malloc(9) uses with kmem(9). - Rename buf_malloc() to buf_alloc(), fix comments. - Remove some unnecessary inclusions.
|
Revision tags: bouyer-quota2-nbase bouyer-quota2-base jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.24 |
|
23-Aug-2010 |
christos |
branches: 1.24.2; Fix issues with stack allocation and pax aslr: - since the size is unsigned, don't check just that it is > 0, but limit it to the MAXSSIZ - if the stack size is reduced because of aslr, make sure we reduce the actual allocation by the same size so that the size does not wrap around. NB: Must be pulled up to 5.x!
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1
|
#
1.23 |
|
15-Mar-2010 |
christos |
rename DEBUG_ASLR -> PAX_ASLR_DEBUG
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 yamt-nfs-mp-base9 uebayasi-xip-base netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-premerge-20091211 yamt-nfs-mp-base8 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 yamt-nfs-mp-base7 netbsd-5-0-1-RELEASE jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 jym-xensuspend-base netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base nick-hppapmap-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base wrstuden-revivesa-base mjf-devfs2-base
|
#
1.22 |
|
04-Jun-2008 |
ad |
branches: 1.22.8; 1.22.14; 1.22.16; 1.22.18; 1.22.20; Fix broken enable test; fixes random coredumps.
|
#
1.21 |
|
03-Jun-2008 |
ad |
Don't use proc specificdata. Speeds up mmap() and others.
|
Revision tags: yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-nfs-mp-base2 yamt-nfs-mp-base yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-nbase mjf-devfs-base matt-armv6-base hpcarm-cleanup-base
|
#
1.20 |
|
28-Dec-2007 |
elad |
branches: 1.20.6; 1.20.8; 1.20.10; 1.20.12; Provide 8 more bits of stack randomization, from the PaX author.
While here, don't make too much use of one random value, and call arc4random() directly. Allows for the removal of 'ep_random' from the exec_package.
Prompted by and okay christos@.
|
#
1.19 |
|
27-Dec-2007 |
elad |
PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h. Export randomized bits # for stack and exec base too via sysctl.
okay christos@.
|
#
1.18 |
|
26-Dec-2007 |
christos |
Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]
For regular (non PIE) executables randomization is enabled for: 1. The data segment 2. The stack
For PIE executables(*) randomization is enabled for: 1. The program itself 2. All shared libraries 3. The data segment 4. The stack
(*) To generate a PIE executable: - compile everything with -fPIC - link with -shared-libgcc -Wl,-pie
This feature is experimental, and might change. To use selectively add options PAX_ASLR=0 in your kernel.
Currently we are using 12 bits for the stack, program, and data segment and 16 or 24 bits for mmap, depending on __LP64__.
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.17 |
|
21-Sep-2007 |
dsl |
branches: 1.17.6; 1.17.12; Include sys/cdefs.h first.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.16 |
|
24-Jun-2007 |
christos |
branches: 1.16.6; 1.16.8; Use an elf note to handle pax arguments. This is a temporary solution to avoid wasting OS flag bits. In the future we'll probably use fileassoc to achieve this (once there is a way to make fileassoc persistent) or in the shorter term libelf, so that we can add and remove the note on demand instead of burning bits on each binary. Of course since this is a tool, this means that we'll need to think about how to handle libelf...
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base ad-audiomp-base
|
#
1.15 |
|
22-Feb-2007 |
thorpej |
branches: 1.15.4; 1.15.6; TRUE -> true, FALSE -> false
|
#
1.14 |
|
21-Feb-2007 |
thorpej |
Replace the Mach-derived boolean_t type with the C99 bool type. A future commit will replace use of TRUE and FALSE with true and false.
|
Revision tags: post-newlock2-merge newlock2-nbase newlock2-base
|
#
1.13 |
|
06-Feb-2007 |
elad |
branches: 1.13.2; PR/35253: YAMAMOTO Takashi: fileassoc hash size problem
fileassoc_table_add() was removed from the KPI and made internal. From now fileassoc(9) will manage the optimal table size internally.
Input from and okay yamt@.
|
#
1.12 |
|
09-Jan-2007 |
elad |
Remove advertising clause from all of my stuff.
|
#
1.11 |
|
26-Dec-2006 |
elad |
Fix copy/paste error: Veriexec's sysctl setup routine was named after PaX's.
|
#
1.10 |
|
23-Dec-2006 |
yamt |
- remove the fileassoc "tabledata" functionality. use mountspecific instead. - make pax_segvguard_cb static.
tested and ok'ed by elad.
|
Revision tags: yamt-splraiseipl-base5 yamt-splraiseipl-base4
|
#
1.9 |
|
11-Dec-2006 |
yamt |
- remove a static configuration, FILEASSOC_NHOOKS. do it dynamically instead. - make fileassoc_t a pointer and remove FILEASSOC_INVAL. - clean up kern_fileassoc.c. unify duplicated code. - unexport fileassoc_init using RUN_ONCE(9). - plug memory leaks in fileassoc_file_delete and fileassoc_table_delete. - always call callbacks, regardless of the value of the associated data.
ok'ed by elad.
|
Revision tags: yamt-splraiseipl-base3 netbsd-4-base
|
#
1.8 |
|
22-Nov-2006 |
elad |
branches: 1.8.2; Initial implementation of PaX Segvguard (this is still work-in-progress, it's just to get it out of my local tree).
|
#
1.7 |
|
22-Nov-2006 |
elad |
Make PaX MPROTECT use specificdata(9), freeing up two P_* flags. While here, make more generic for upcoming PaX features.
|
#
1.6 |
|
01-Nov-2006 |
yamt |
- remove an unnecessary #include. - make some variables static.
|
#
1.5 |
|
25-Oct-2006 |
cbiere |
Added missing whitespace in sysctl description string. PR kern/34915.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.4 |
|
26-Sep-2006 |
elad |
Change the PaX mprotect(2) restrictions' "global_protection" knob to just "global" -- it's shorter and more readable. Update documentation.
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 rpaulo-netinet-merge-pcb-base yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timecounters-base yamt-pdpolicy-base5 chap-midi-base
|
#
1.3 |
|
20-May-2006 |
elad |
branches: 1.3.2; 1.3.4; 1.3.6; 1.3.10; 1.3.14; 1.3.16; 1.3.18; Better implementation of PaX MPROTECT, after looking some more into the code and not trying to use temporary solutions.
Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX author for being quick to recognize that something fishy's going on. :)
Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().
Next time I suggest to commit a temporary solution just revoke my commit bit.
|
#
1.2 |
|
18-May-2006 |
elad |
branches: 1.2.2; CTLFLAG_IMMEDIATE doesn't do what I thought it did. from yamt@, thanks!
|
#
1.1 |
|
16-May-2006 |
elad |
Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen W^X mappings.
Disabled by default.
First proposed in:
http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html
More information in:
http://pax.grsecurity.net/docs/mprotect.txt
Read relevant parts of options(4) and sysctl(3) before using!
Lots of thanks to the PaX author and Matt Thomas.
|
#
1.58 |
|
18-Feb-2017 |
chs |
obey the executable's ELF alignment constraints for PIE. this fixes gdb of PIE binaries on mac68k (and other platforms which use an ELF alignment that is larger than PAGE_SIZE).
|
Revision tags: nick-nhusb-base-20170204 bouyer-socketcan-base pgoyette-localcount-20170107 nick-nhusb-base-20161204 pgoyette-localcount-20161104 nick-nhusb-base-20161004
|
#
1.57 |
|
17-Sep-2016 |
christos |
move aslr stuff to the aslr section
|
Revision tags: localcount-20160914
|
#
1.56 |
|
03-Sep-2016 |
christos |
vsize_t is not always u_long :-)
|
Revision tags: pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529
|
#
1.55 |
|
27-May-2016 |
christos |
branches: 1.55.2; fix compilation without PAX_MPROTECT
|
#
1.54 |
|
25-May-2016 |
wiz |
Consistent indent.
|
#
1.53 |
|
25-May-2016 |
christos |
Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1 as documented in sysctl(7): 0 - ptrace does not affect mprotect 1 - (default) mprotect is disabled for processes that start executing from the debugger (being traced) 2 - mprotect restrictions are relaxed for traced processes
|
#
1.52 |
|
25-May-2016 |
christos |
Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass mprotect settings so that debuggers can write to the text segment of traced processes so that they can insert breakpoints. Turned off by default. Ok: chuq (for now)
|
#
1.51 |
|
25-May-2016 |
christos |
randomize the location of the rtld.
|
#
1.50 |
|
24-May-2016 |
martin |
Effectively disable aslr for non-topdown-VA binaries (unless they are compat32, which we deal with properly). It would be possible to get those working too, but it is not worth the code complexity.
This makes binaries compiled with -mcmodel=medlow (and ancient binaries) work again on sparc64, smoothing the upgrade path.
ok: christos
|
#
1.49 |
|
22-May-2016 |
christos |
reduce #ifdef mess caused by PaX
|
#
1.48 |
|
22-May-2016 |
christos |
Account for the VA hole differently (simpler)
|
#
1.47 |
|
19-May-2016 |
christos |
fix for ILP32.
|
#
1.46 |
|
17-May-2016 |
christos |
Hook to clamp the random value for mmap for machies that don't have enough VA bits.
|
#
1.45 |
|
14-May-2016 |
christos |
only print debugging info if we are actually going to change the permission.
|
#
1.44 |
|
13-May-2016 |
christos |
- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4 and reduce the length of the randomization bits since this is unused. - call the pax aslr stack function sooner so we don't need to re-adjust the stack size. - adjust the stack max resource limit to account for the maximum space that can be lost by aslr - tidy up debugging printfs
|
#
1.43 |
|
08-May-2016 |
christos |
Fix stack allocation; limit delta to a quarter of the stack size. This should get rid of the random aborts.
|
#
1.42 |
|
08-May-2016 |
christos |
Move all the randomization inside kern_pax.c so we can control it directly. Add debugging flags to be able to set the random number externally.
|
Revision tags: nick-nhusb-base-20160422
|
#
1.41 |
|
10-Apr-2016 |
christos |
GC PAX_ASLR_EXEC
|
#
1.40 |
|
10-Apr-2016 |
christos |
Fix ASLR stack setup: - make it work on machine where the stack grows up. - use the same limits as mmap.
|
#
1.39 |
|
10-Apr-2016 |
christos |
Add a flags sysctl for ASLR to disable particular features. We seem to be having issues with stack setup.
|
#
1.38 |
|
07-Apr-2016 |
christos |
Add PAX_MPROTECT_DEBUG
|
#
1.37 |
|
04-Apr-2016 |
christos |
Add some diagnostic printf's when we reset permissions.
|
#
1.36 |
|
20-Mar-2016 |
christos |
simplify.
|
#
1.35 |
|
20-Mar-2016 |
khorben |
Let PaX ASLR know about the current emulation
This effectively fixes PaX ASLR with 32-bits emulation on 64-bits platforms. Without this knowledge, the offset applied for 32-bits programs was really meant for a 64-bits address space - thus shifting the address up to 12 bits, with a success rate of about 1/4096. This offset is calculated once in the lifetime of the process, which therefore behaved normally when able to start.
Fixes kern/50469, probably also kern/50986
Tested on NetBSD/amd64 (emul_netbsd32)
|
#
1.34 |
|
19-Mar-2016 |
christos |
Allow enabling and disabling PaX ASLR debug
|
Revision tags: nick-nhusb-base-20160319 nick-nhusb-base-20151226
|
#
1.33 |
|
09-Oct-2015 |
christos |
PR/50312: Robert Elz: Unconditionally include <sys/exec.h> to fix compilation when PAX_ASLR is not defined.
|
#
1.32 |
|
26-Sep-2015 |
maxv |
Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two months ago, but no one reviewed it - probably because it's not a trivial change.
This change fixes the following bug: when loading a PaX'ed binary, the kernel updates the PaX flag of the calling process before it makes sure the new process is actually launched. If the kernel fails to launch the new process, it does not restore the PaX flag of the calling process, leaving it in an inconsistent state.
Actually, simply restoring it would be horrible as well, since in the meantime another thread may have used the flag.
The solution is therefore: modify all the functions used by PaX so that they take as argument the exec package instead of the lwp, and set the PaX flag in the process *right before* launching the new process - it cannot fail in the meantime.
|
Revision tags: nick-nhusb-base-20150921
|
#
1.31 |
|
04-Aug-2015 |
maxv |
Some changes, to reduce a bit my tech-kern@ patch: - move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h - add a generic pax_flags_active() function - fix a comment in exec_elf.c; interp is not static - KNF for return - rename pax_aslr() to pax_aslr_mmap() - rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()
|
#
1.30 |
|
31-Jul-2015 |
maxv |
Small changes: - rename pax_aslr_init() to pax_aslr_init_vm() - remove the PAX_ flags (unused) - fix a comment in pax.h
|
#
1.29 |
|
30-Jul-2015 |
maxv |
Revamp PaX: - don't confuse between ELF flags and proc flags. Introduce the proc- specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags. - introduce pax_setup_elf_flags(), which takes as argument the PaX flag of the ELF PaX note section, and which sets the proc flag as appropriate. Also introduce a couple of other functions used for that purpose. - modify pax_aslr_active(), and all the other similar pieces of code, so that it checks the proc flag directly, without extra ELF computation
In addition to making PaX clearer, the combination of these changes fixes the following bug: if a non-PaX'ed process is launched, and then someone sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes PaX'ed while its address space hasn't been randomized, which is not likely to be a good idea.
Now, only the proc flag is checked at runtime, which means the process's PaX status won't be altered during the execution.
Also: - declare PAX_DPRINTF, makes it more readable - fix a typo in exec_elf.h
|
Revision tags: nick-nhusb-base-20150606
|
#
1.28 |
|
13-Apr-2015 |
riastradh |
<sys/rnd.h> not needed for kern_pax.c.
|
Revision tags: netbsd-7-nhusb-base-20170116 netbsd-7-1-RC1 netbsd-7-0-2-RELEASE netbsd-7-nhusb-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.27 |
|
25-Feb-2014 |
pooka |
branches: 1.27.6; Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate lines of code.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-pre-base2 jmcneill-usbmp-base2 netbsd-6-base jmcneill-usbmp-base
|
#
1.26 |
|
19-Nov-2011 |
tls |
branches: 1.26.8; 1.26.12; First step of random number subsystem rework described in <20111022023242.BA26F14A158@mail.netbsd.org>. This change includes the following:
An initial cleanup and minor reorganization of the entropy pool code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are fixed. Some effort is made to accumulate entropy more quickly at boot time.
A generic interface, "rndsink", is added, for stream generators to request that they be re-keyed with good quality entropy from the pool as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is adjusted to use the rndsink interface for rekeying, which helps address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random number generator quality is provided (libkern/rngtest.c). This is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is based on an implementation of the NIST SP800-90 CTR_DRBG by Henric Jungheim. This generator users AES in a modified counter mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers of randomness. The arc4random/arc4randbytes API is deprecated for in-kernel use. It is replaced by "cprng_strong". The current cprng_fast implementation wraps the existing arc4random implementation. The current cprng_strong implementation wraps the new CTR_DRBG implementation. Both interfaces are rekeyed from the entropy pool automatically at intervals justifiable from best current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as the old arc4randbytes(), and cprng_strong() is about 20% faster than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional kernel component, as it is required by cprng_strong, which is not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at startup time; if it fails, the system will reboot. There is approximately a 3/10000 chance of a false positive from these tests. Entropy pool _input_ from hardware random numbers is subjected to the rngtest tests at attach time, as well as the FIPS continuous-output test, to detect bad or stuck hardware RNGs; if any are detected, they are detached, but the system continues to run.
A problem with rndctl(8) is fixed -- datastructures with pointers in arrays are no longer passed to userspace (this was not a security problem, but rather a major issue for compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked up to the new generators, but the /dev/*random pseudodevices are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
|
Revision tags: jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.25 |
|
24-Apr-2011 |
rmind |
branches: 1.25.4; - Replace few malloc(9) uses with kmem(9). - Rename buf_malloc() to buf_alloc(), fix comments. - Remove some unnecessary inclusions.
|
Revision tags: bouyer-quota2-nbase bouyer-quota2-base jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.24 |
|
23-Aug-2010 |
christos |
branches: 1.24.2; Fix issues with stack allocation and pax aslr: - since the size is unsigned, don't check just that it is > 0, but limit it to the MAXSSIZ - if the stack size is reduced because of aslr, make sure we reduce the actual allocation by the same size so that the size does not wrap around. NB: Must be pulled up to 5.x!
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1
|
#
1.23 |
|
15-Mar-2010 |
christos |
rename DEBUG_ASLR -> PAX_ASLR_DEBUG
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 yamt-nfs-mp-base9 uebayasi-xip-base netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-premerge-20091211 yamt-nfs-mp-base8 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 yamt-nfs-mp-base7 netbsd-5-0-1-RELEASE jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 jym-xensuspend-base netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base nick-hppapmap-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base wrstuden-revivesa-base mjf-devfs2-base
|
#
1.22 |
|
04-Jun-2008 |
ad |
branches: 1.22.8; 1.22.14; 1.22.16; 1.22.18; 1.22.20; Fix broken enable test; fixes random coredumps.
|
#
1.21 |
|
03-Jun-2008 |
ad |
Don't use proc specificdata. Speeds up mmap() and others.
|
Revision tags: yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-nfs-mp-base2 yamt-nfs-mp-base yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-nbase mjf-devfs-base matt-armv6-base hpcarm-cleanup-base
|
#
1.20 |
|
28-Dec-2007 |
elad |
branches: 1.20.6; 1.20.8; 1.20.10; 1.20.12; Provide 8 more bits of stack randomization, from the PaX author.
While here, don't make too much use of one random value, and call arc4random() directly. Allows for the removal of 'ep_random' from the exec_package.
Prompted by and okay christos@.
|
#
1.19 |
|
27-Dec-2007 |
elad |
PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h. Export randomized bits # for stack and exec base too via sysctl.
okay christos@.
|
#
1.18 |
|
26-Dec-2007 |
christos |
Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]
For regular (non PIE) executables randomization is enabled for: 1. The data segment 2. The stack
For PIE executables(*) randomization is enabled for: 1. The program itself 2. All shared libraries 3. The data segment 4. The stack
(*) To generate a PIE executable: - compile everything with -fPIC - link with -shared-libgcc -Wl,-pie
This feature is experimental, and might change. To use selectively add options PAX_ASLR=0 in your kernel.
Currently we are using 12 bits for the stack, program, and data segment and 16 or 24 bits for mmap, depending on __LP64__.
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.17 |
|
21-Sep-2007 |
dsl |
branches: 1.17.6; 1.17.12; Include sys/cdefs.h first.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.16 |
|
24-Jun-2007 |
christos |
branches: 1.16.6; 1.16.8; Use an elf note to handle pax arguments. This is a temporary solution to avoid wasting OS flag bits. In the future we'll probably use fileassoc to achieve this (once there is a way to make fileassoc persistent) or in the shorter term libelf, so that we can add and remove the note on demand instead of burning bits on each binary. Of course since this is a tool, this means that we'll need to think about how to handle libelf...
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base ad-audiomp-base
|
#
1.15 |
|
22-Feb-2007 |
thorpej |
branches: 1.15.4; 1.15.6; TRUE -> true, FALSE -> false
|
#
1.14 |
|
21-Feb-2007 |
thorpej |
Replace the Mach-derived boolean_t type with the C99 bool type. A future commit will replace use of TRUE and FALSE with true and false.
|
Revision tags: post-newlock2-merge newlock2-nbase newlock2-base
|
#
1.13 |
|
06-Feb-2007 |
elad |
branches: 1.13.2; PR/35253: YAMAMOTO Takashi: fileassoc hash size problem
fileassoc_table_add() was removed from the KPI and made internal. From now fileassoc(9) will manage the optimal table size internally.
Input from and okay yamt@.
|
#
1.12 |
|
09-Jan-2007 |
elad |
Remove advertising clause from all of my stuff.
|
#
1.11 |
|
26-Dec-2006 |
elad |
Fix copy/paste error: Veriexec's sysctl setup routine was named after PaX's.
|
#
1.10 |
|
23-Dec-2006 |
yamt |
- remove the fileassoc "tabledata" functionality. use mountspecific instead. - make pax_segvguard_cb static.
tested and ok'ed by elad.
|
Revision tags: yamt-splraiseipl-base5 yamt-splraiseipl-base4
|
#
1.9 |
|
11-Dec-2006 |
yamt |
- remove a static configuration, FILEASSOC_NHOOKS. do it dynamically instead. - make fileassoc_t a pointer and remove FILEASSOC_INVAL. - clean up kern_fileassoc.c. unify duplicated code. - unexport fileassoc_init using RUN_ONCE(9). - plug memory leaks in fileassoc_file_delete and fileassoc_table_delete. - always call callbacks, regardless of the value of the associated data.
ok'ed by elad.
|
Revision tags: yamt-splraiseipl-base3 netbsd-4-base
|
#
1.8 |
|
22-Nov-2006 |
elad |
branches: 1.8.2; Initial implementation of PaX Segvguard (this is still work-in-progress, it's just to get it out of my local tree).
|
#
1.7 |
|
22-Nov-2006 |
elad |
Make PaX MPROTECT use specificdata(9), freeing up two P_* flags. While here, make more generic for upcoming PaX features.
|
#
1.6 |
|
01-Nov-2006 |
yamt |
- remove an unnecessary #include. - make some variables static.
|
#
1.5 |
|
25-Oct-2006 |
cbiere |
Added missing whitespace in sysctl description string. PR kern/34915.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.4 |
|
26-Sep-2006 |
elad |
Change the PaX mprotect(2) restrictions' "global_protection" knob to just "global" -- it's shorter and more readable. Update documentation.
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 rpaulo-netinet-merge-pcb-base yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timecounters-base yamt-pdpolicy-base5 chap-midi-base
|
#
1.3 |
|
20-May-2006 |
elad |
branches: 1.3.2; 1.3.4; 1.3.6; 1.3.10; 1.3.14; 1.3.16; 1.3.18; Better implementation of PaX MPROTECT, after looking some more into the code and not trying to use temporary solutions.
Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX author for being quick to recognize that something fishy's going on. :)
Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().
Next time I suggest to commit a temporary solution just revoke my commit bit.
|
#
1.2 |
|
18-May-2006 |
elad |
branches: 1.2.2; CTLFLAG_IMMEDIATE doesn't do what I thought it did. from yamt@, thanks!
|
#
1.1 |
|
16-May-2006 |
elad |
Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen W^X mappings.
Disabled by default.
First proposed in:
http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html
More information in:
http://pax.grsecurity.net/docs/mprotect.txt
Read relevant parts of options(4) and sysctl(3) before using!
Lots of thanks to the PaX author and Matt Thomas.
|
Revision tags: nick-nhusb-base-20161204 pgoyette-localcount-20161104 nick-nhusb-base-20161004
|
#
1.57 |
|
17-Sep-2016 |
christos |
move aslr stuff to the aslr section
|
Revision tags: localcount-20160914
|
#
1.56 |
|
03-Sep-2016 |
christos |
vsize_t is not always u_long :-)
|
Revision tags: pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529
|
#
1.55 |
|
27-May-2016 |
christos |
branches: 1.55.2; fix compilation without PAX_MPROTECT
|
#
1.54 |
|
25-May-2016 |
wiz |
Consistent indent.
|
#
1.53 |
|
25-May-2016 |
christos |
Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1 as documented in sysctl(7): 0 - ptrace does not affect mprotect 1 - (default) mprotect is disabled for processes that start executing from the debugger (being traced) 2 - mprotect restrictions are relaxed for traced processes
|
#
1.52 |
|
25-May-2016 |
christos |
Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass mprotect settings so that debuggers can write to the text segment of traced processes so that they can insert breakpoints. Turned off by default. Ok: chuq (for now)
|
#
1.51 |
|
25-May-2016 |
christos |
randomize the location of the rtld.
|
#
1.50 |
|
24-May-2016 |
martin |
Effectively disable aslr for non-topdown-VA binaries (unless they are compat32, which we deal with properly). It would be possible to get those working too, but it is not worth the code complexity.
This makes binaries compiled with -mcmodel=medlow (and ancient binaries) work again on sparc64, smoothing the upgrade path.
ok: christos
|
#
1.49 |
|
22-May-2016 |
christos |
reduce #ifdef mess caused by PaX
|
#
1.48 |
|
22-May-2016 |
christos |
Account for the VA hole differently (simpler)
|
#
1.47 |
|
19-May-2016 |
christos |
fix for ILP32.
|
#
1.46 |
|
17-May-2016 |
christos |
Hook to clamp the random value for mmap for machies that don't have enough VA bits.
|
#
1.45 |
|
14-May-2016 |
christos |
only print debugging info if we are actually going to change the permission.
|
#
1.44 |
|
13-May-2016 |
christos |
- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4 and reduce the length of the randomization bits since this is unused. - call the pax aslr stack function sooner so we don't need to re-adjust the stack size. - adjust the stack max resource limit to account for the maximum space that can be lost by aslr - tidy up debugging printfs
|
#
1.43 |
|
08-May-2016 |
christos |
Fix stack allocation; limit delta to a quarter of the stack size. This should get rid of the random aborts.
|
#
1.42 |
|
08-May-2016 |
christos |
Move all the randomization inside kern_pax.c so we can control it directly. Add debugging flags to be able to set the random number externally.
|
Revision tags: nick-nhusb-base-20160422
|
#
1.41 |
|
10-Apr-2016 |
christos |
GC PAX_ASLR_EXEC
|
#
1.40 |
|
10-Apr-2016 |
christos |
Fix ASLR stack setup: - make it work on machine where the stack grows up. - use the same limits as mmap.
|
#
1.39 |
|
10-Apr-2016 |
christos |
Add a flags sysctl for ASLR to disable particular features. We seem to be having issues with stack setup.
|
#
1.38 |
|
07-Apr-2016 |
christos |
Add PAX_MPROTECT_DEBUG
|
#
1.37 |
|
04-Apr-2016 |
christos |
Add some diagnostic printf's when we reset permissions.
|
#
1.36 |
|
20-Mar-2016 |
christos |
simplify.
|
#
1.35 |
|
20-Mar-2016 |
khorben |
Let PaX ASLR know about the current emulation
This effectively fixes PaX ASLR with 32-bits emulation on 64-bits platforms. Without this knowledge, the offset applied for 32-bits programs was really meant for a 64-bits address space - thus shifting the address up to 12 bits, with a success rate of about 1/4096. This offset is calculated once in the lifetime of the process, which therefore behaved normally when able to start.
Fixes kern/50469, probably also kern/50986
Tested on NetBSD/amd64 (emul_netbsd32)
|
#
1.34 |
|
19-Mar-2016 |
christos |
Allow enabling and disabling PaX ASLR debug
|
Revision tags: nick-nhusb-base-20160319 nick-nhusb-base-20151226
|
#
1.33 |
|
09-Oct-2015 |
christos |
PR/50312: Robert Elz: Unconditionally include <sys/exec.h> to fix compilation when PAX_ASLR is not defined.
|
#
1.32 |
|
26-Sep-2015 |
maxv |
Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two months ago, but no one reviewed it - probably because it's not a trivial change.
This change fixes the following bug: when loading a PaX'ed binary, the kernel updates the PaX flag of the calling process before it makes sure the new process is actually launched. If the kernel fails to launch the new process, it does not restore the PaX flag of the calling process, leaving it in an inconsistent state.
Actually, simply restoring it would be horrible as well, since in the meantime another thread may have used the flag.
The solution is therefore: modify all the functions used by PaX so that they take as argument the exec package instead of the lwp, and set the PaX flag in the process *right before* launching the new process - it cannot fail in the meantime.
|
Revision tags: nick-nhusb-base-20150921
|
#
1.31 |
|
04-Aug-2015 |
maxv |
Some changes, to reduce a bit my tech-kern@ patch: - move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h - add a generic pax_flags_active() function - fix a comment in exec_elf.c; interp is not static - KNF for return - rename pax_aslr() to pax_aslr_mmap() - rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()
|
#
1.30 |
|
31-Jul-2015 |
maxv |
Small changes: - rename pax_aslr_init() to pax_aslr_init_vm() - remove the PAX_ flags (unused) - fix a comment in pax.h
|
#
1.29 |
|
30-Jul-2015 |
maxv |
Revamp PaX: - don't confuse between ELF flags and proc flags. Introduce the proc- specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags. - introduce pax_setup_elf_flags(), which takes as argument the PaX flag of the ELF PaX note section, and which sets the proc flag as appropriate. Also introduce a couple of other functions used for that purpose. - modify pax_aslr_active(), and all the other similar pieces of code, so that it checks the proc flag directly, without extra ELF computation
In addition to making PaX clearer, the combination of these changes fixes the following bug: if a non-PaX'ed process is launched, and then someone sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes PaX'ed while its address space hasn't been randomized, which is not likely to be a good idea.
Now, only the proc flag is checked at runtime, which means the process's PaX status won't be altered during the execution.
Also: - declare PAX_DPRINTF, makes it more readable - fix a typo in exec_elf.h
|
Revision tags: nick-nhusb-base-20150606
|
#
1.28 |
|
13-Apr-2015 |
riastradh |
<sys/rnd.h> not needed for kern_pax.c.
|
Revision tags: netbsd-7-0-2-RELEASE netbsd-7-nhusb-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.27 |
|
25-Feb-2014 |
pooka |
branches: 1.27.6; Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate lines of code.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-pre-base2 jmcneill-usbmp-base2 netbsd-6-base jmcneill-usbmp-base
|
#
1.26 |
|
19-Nov-2011 |
tls |
branches: 1.26.8; 1.26.12; First step of random number subsystem rework described in <20111022023242.BA26F14A158@mail.netbsd.org>. This change includes the following:
An initial cleanup and minor reorganization of the entropy pool code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are fixed. Some effort is made to accumulate entropy more quickly at boot time.
A generic interface, "rndsink", is added, for stream generators to request that they be re-keyed with good quality entropy from the pool as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is adjusted to use the rndsink interface for rekeying, which helps address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random number generator quality is provided (libkern/rngtest.c). This is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is based on an implementation of the NIST SP800-90 CTR_DRBG by Henric Jungheim. This generator users AES in a modified counter mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers of randomness. The arc4random/arc4randbytes API is deprecated for in-kernel use. It is replaced by "cprng_strong". The current cprng_fast implementation wraps the existing arc4random implementation. The current cprng_strong implementation wraps the new CTR_DRBG implementation. Both interfaces are rekeyed from the entropy pool automatically at intervals justifiable from best current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as the old arc4randbytes(), and cprng_strong() is about 20% faster than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional kernel component, as it is required by cprng_strong, which is not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at startup time; if it fails, the system will reboot. There is approximately a 3/10000 chance of a false positive from these tests. Entropy pool _input_ from hardware random numbers is subjected to the rngtest tests at attach time, as well as the FIPS continuous-output test, to detect bad or stuck hardware RNGs; if any are detected, they are detached, but the system continues to run.
A problem with rndctl(8) is fixed -- datastructures with pointers in arrays are no longer passed to userspace (this was not a security problem, but rather a major issue for compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked up to the new generators, but the /dev/*random pseudodevices are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
|
Revision tags: jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.25 |
|
24-Apr-2011 |
rmind |
branches: 1.25.4; - Replace few malloc(9) uses with kmem(9). - Rename buf_malloc() to buf_alloc(), fix comments. - Remove some unnecessary inclusions.
|
Revision tags: bouyer-quota2-nbase bouyer-quota2-base jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.24 |
|
23-Aug-2010 |
christos |
branches: 1.24.2; Fix issues with stack allocation and pax aslr: - since the size is unsigned, don't check just that it is > 0, but limit it to the MAXSSIZ - if the stack size is reduced because of aslr, make sure we reduce the actual allocation by the same size so that the size does not wrap around. NB: Must be pulled up to 5.x!
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1
|
#
1.23 |
|
15-Mar-2010 |
christos |
rename DEBUG_ASLR -> PAX_ASLR_DEBUG
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 yamt-nfs-mp-base9 uebayasi-xip-base netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-premerge-20091211 yamt-nfs-mp-base8 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 yamt-nfs-mp-base7 netbsd-5-0-1-RELEASE jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 jym-xensuspend-base netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base nick-hppapmap-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base wrstuden-revivesa-base mjf-devfs2-base
|
#
1.22 |
|
04-Jun-2008 |
ad |
branches: 1.22.8; 1.22.14; 1.22.16; 1.22.18; 1.22.20; Fix broken enable test; fixes random coredumps.
|
#
1.21 |
|
03-Jun-2008 |
ad |
Don't use proc specificdata. Speeds up mmap() and others.
|
Revision tags: yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-nfs-mp-base2 yamt-nfs-mp-base yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-nbase mjf-devfs-base matt-armv6-base hpcarm-cleanup-base
|
#
1.20 |
|
28-Dec-2007 |
elad |
branches: 1.20.6; 1.20.8; 1.20.10; 1.20.12; Provide 8 more bits of stack randomization, from the PaX author.
While here, don't make too much use of one random value, and call arc4random() directly. Allows for the removal of 'ep_random' from the exec_package.
Prompted by and okay christos@.
|
#
1.19 |
|
27-Dec-2007 |
elad |
PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h. Export randomized bits # for stack and exec base too via sysctl.
okay christos@.
|
#
1.18 |
|
26-Dec-2007 |
christos |
Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]
For regular (non PIE) executables randomization is enabled for: 1. The data segment 2. The stack
For PIE executables(*) randomization is enabled for: 1. The program itself 2. All shared libraries 3. The data segment 4. The stack
(*) To generate a PIE executable: - compile everything with -fPIC - link with -shared-libgcc -Wl,-pie
This feature is experimental, and might change. To use selectively add options PAX_ASLR=0 in your kernel.
Currently we are using 12 bits for the stack, program, and data segment and 16 or 24 bits for mmap, depending on __LP64__.
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.17 |
|
21-Sep-2007 |
dsl |
branches: 1.17.6; 1.17.12; Include sys/cdefs.h first.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.16 |
|
24-Jun-2007 |
christos |
branches: 1.16.6; 1.16.8; Use an elf note to handle pax arguments. This is a temporary solution to avoid wasting OS flag bits. In the future we'll probably use fileassoc to achieve this (once there is a way to make fileassoc persistent) or in the shorter term libelf, so that we can add and remove the note on demand instead of burning bits on each binary. Of course since this is a tool, this means that we'll need to think about how to handle libelf...
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base ad-audiomp-base
|
#
1.15 |
|
22-Feb-2007 |
thorpej |
branches: 1.15.4; 1.15.6; TRUE -> true, FALSE -> false
|
#
1.14 |
|
21-Feb-2007 |
thorpej |
Replace the Mach-derived boolean_t type with the C99 bool type. A future commit will replace use of TRUE and FALSE with true and false.
|
Revision tags: post-newlock2-merge newlock2-nbase newlock2-base
|
#
1.13 |
|
06-Feb-2007 |
elad |
branches: 1.13.2; PR/35253: YAMAMOTO Takashi: fileassoc hash size problem
fileassoc_table_add() was removed from the KPI and made internal. From now fileassoc(9) will manage the optimal table size internally.
Input from and okay yamt@.
|
#
1.12 |
|
09-Jan-2007 |
elad |
Remove advertising clause from all of my stuff.
|
#
1.11 |
|
26-Dec-2006 |
elad |
Fix copy/paste error: Veriexec's sysctl setup routine was named after PaX's.
|
#
1.10 |
|
23-Dec-2006 |
yamt |
- remove the fileassoc "tabledata" functionality. use mountspecific instead. - make pax_segvguard_cb static.
tested and ok'ed by elad.
|
Revision tags: yamt-splraiseipl-base5 yamt-splraiseipl-base4
|
#
1.9 |
|
11-Dec-2006 |
yamt |
- remove a static configuration, FILEASSOC_NHOOKS. do it dynamically instead. - make fileassoc_t a pointer and remove FILEASSOC_INVAL. - clean up kern_fileassoc.c. unify duplicated code. - unexport fileassoc_init using RUN_ONCE(9). - plug memory leaks in fileassoc_file_delete and fileassoc_table_delete. - always call callbacks, regardless of the value of the associated data.
ok'ed by elad.
|
Revision tags: yamt-splraiseipl-base3 netbsd-4-base
|
#
1.8 |
|
22-Nov-2006 |
elad |
branches: 1.8.2; Initial implementation of PaX Segvguard (this is still work-in-progress, it's just to get it out of my local tree).
|
#
1.7 |
|
22-Nov-2006 |
elad |
Make PaX MPROTECT use specificdata(9), freeing up two P_* flags. While here, make more generic for upcoming PaX features.
|
#
1.6 |
|
01-Nov-2006 |
yamt |
- remove an unnecessary #include. - make some variables static.
|
#
1.5 |
|
25-Oct-2006 |
cbiere |
Added missing whitespace in sysctl description string. PR kern/34915.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.4 |
|
26-Sep-2006 |
elad |
Change the PaX mprotect(2) restrictions' "global_protection" knob to just "global" -- it's shorter and more readable. Update documentation.
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 rpaulo-netinet-merge-pcb-base yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timecounters-base yamt-pdpolicy-base5 chap-midi-base
|
#
1.3 |
|
20-May-2006 |
elad |
branches: 1.3.2; 1.3.4; 1.3.6; 1.3.10; 1.3.14; 1.3.16; 1.3.18; Better implementation of PaX MPROTECT, after looking some more into the code and not trying to use temporary solutions.
Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX author for being quick to recognize that something fishy's going on. :)
Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().
Next time I suggest to commit a temporary solution just revoke my commit bit.
|
#
1.2 |
|
18-May-2006 |
elad |
branches: 1.2.2; CTLFLAG_IMMEDIATE doesn't do what I thought it did. from yamt@, thanks!
|
#
1.1 |
|
16-May-2006 |
elad |
Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen W^X mappings.
Disabled by default.
First proposed in:
http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html
More information in:
http://pax.grsecurity.net/docs/mprotect.txt
Read relevant parts of options(4) and sysctl(3) before using!
Lots of thanks to the PaX author and Matt Thomas.
|