1/* $NetBSD: t_mprotect.c,v 1.3 2011/07/20 22:53:44 jym Exp $ */ 2 3/*- 4 * Copyright (c) 2011 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Jukka Ruohonen. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31#include <sys/cdefs.h> 32__RCSID("$NetBSD: t_mprotect.c,v 1.3 2011/07/20 22:53:44 jym Exp $"); 33 34#include <sys/param.h> 35#include <sys/mman.h> 36#include <sys/sysctl.h> 37#include <sys/wait.h> 38 39#include <errno.h> 40#include <fcntl.h> 41#include <stdlib.h> 42#include <string.h> 43#include <unistd.h> 44 45#include <atf-c.h> 46 47#ifdef __NetBSD__ 48#include "../common/exec_prot.h" 49#endif 50 51static long page = 0; 52static int pax_global = -1; 53static int pax_enabled = -1; 54static char path[] = "mmap"; 55 56static void sighandler(int); 57static bool paxinit(void); 58static bool paxset(int, int); 59 60static void 61sighandler(int signo) 62{ 63 _exit(signo); 64} 65 66static bool 67paxinit(void) 68{ 69 size_t len = sizeof(int); 70 int rv; 71 72 rv = sysctlbyname("security.pax.mprotect.global", 73 &pax_global, &len, NULL, 0); 74 75 if (rv != 0) 76 return false; 77 78 rv = sysctlbyname("security.pax.mprotect.enabled", 79 &pax_enabled, &len, NULL, 0); 80 81 if (rv != 0) 82 return false; 83 84 return paxset(1, 1); 85} 86 87static bool 88paxset(int global, int enabled) 89{ 90 size_t len = sizeof(int); 91 int rv; 92 93 rv = sysctlbyname("security.pax.mprotect.global", 94 NULL, NULL, &global, len); 95 96 if (rv != 0) 97 return false; 98 99 rv = sysctlbyname("security.pax.mprotect.enabled", 100 NULL, NULL, &enabled, len); 101 102 if (rv != 0) 103 return false; 104 105 return true; 106} 107 108 109ATF_TC_WITH_CLEANUP(mprotect_access); 110ATF_TC_HEAD(mprotect_access, tc) 111{ 112 atf_tc_set_md_var(tc, "descr", "Test for EACCES from mprotect(2)"); 113} 114 115ATF_TC_BODY(mprotect_access, tc) 116{ 117 int prot[2] = { PROT_NONE, PROT_READ }; 118 void *map; 119 size_t i; 120 int fd; 121 122 fd = open(path, O_RDONLY | O_CREAT); 123 ATF_REQUIRE(fd >= 0); 124 125 /* 126 * The call should fail with EACCES if we try to mark 127 * a PROT_NONE or PROT_READ file/section as PROT_WRITE. 128 */ 129 for (i = 0; i < __arraycount(prot); i++) { 130 131 map = mmap(NULL, page, prot[i], MAP_SHARED, fd, 0); 132 133 if (map == MAP_FAILED) 134 continue; 135 136 errno = 0; 137 138 ATF_REQUIRE(mprotect(map, page, PROT_WRITE) != 0); 139 ATF_REQUIRE(errno == EACCES); 140 ATF_REQUIRE(munmap(map, page) == 0); 141 } 142 143 ATF_REQUIRE(close(fd) == 0); 144} 145 146ATF_TC_CLEANUP(mprotect_access, tc) 147{ 148 (void)unlink(path); 149} 150 151ATF_TC(mprotect_err); 152ATF_TC_HEAD(mprotect_err, tc) 153{ 154 atf_tc_set_md_var(tc, "descr", "Test error conditions of mprotect(2)"); 155} 156 157ATF_TC_BODY(mprotect_err, tc) 158{ 159 errno = 0; 160 161 ATF_REQUIRE(mprotect((char *)-1, 1, PROT_READ) != 0); 162 ATF_REQUIRE(errno == EINVAL); 163} 164 165#ifdef __NetBSD__ 166ATF_TC(mprotect_exec); 167ATF_TC_HEAD(mprotect_exec, tc) 168{ 169 atf_tc_set_md_var(tc, "descr", 170 "Test mprotect(2) executable space protections"); 171} 172 173/* 174 * Trivial function -- should fit into a page 175 */ 176ATF_TC_BODY(mprotect_exec, tc) 177{ 178 pid_t pid; 179 void *map; 180 int sta, xp_support; 181 182 xp_support = exec_prot_support(); 183 184 switch (xp_support) { 185 case NOTIMPL: 186 atf_tc_skip( 187 "Execute protection callback check not implemented"); 188 break; 189 case NO_XP: 190 atf_tc_skip( 191 "Host does not support executable space protection"); 192 break; 193 case PARTIAL_XP: case PERPAGE_XP: default: 194 break; 195 } 196 197 /* 198 * Map a page read/write and copy a trivial assembly function inside. 199 * We will then change the mapping rights: 200 * - first by setting the execution right, and check that we can 201 * call the code found in the allocated page. 202 * - second by removing the execution right. This should generate 203 * a SIGSEGV on architectures that can enforce --x permissions. 204 */ 205 206 map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0); 207 ATF_REQUIRE(map != MAP_FAILED); 208 209 memcpy(map, (void *)return_one, 210 (uintptr_t)return_one_end - (uintptr_t)return_one); 211 212 /* give r-x rights then call code in page */ 213 ATF_REQUIRE(mprotect(map, page, PROT_EXEC|PROT_READ) == 0); 214 ATF_REQUIRE(((int (*)(void))map)() == 1); 215 216 /* remove --x right */ 217 ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0); 218 219 pid = fork(); 220 ATF_REQUIRE(pid >= 0); 221 222 if (pid == 0) { 223 ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR); 224 ATF_CHECK(((int (*)(void))map)() == 1); 225 _exit(0); 226 } 227 228 (void)wait(&sta); 229 230 ATF_REQUIRE(munmap(map, page) == 0); 231 232 ATF_REQUIRE(WIFEXITED(sta) != 0); 233 234 switch (xp_support) { 235 case PARTIAL_XP: 236 /* Partial protection might fail; skip the test when it does */ 237 if (WEXITSTATUS(sta) != SIGSEGV) { 238 atf_tc_skip("Host only supports " 239 "partial executable space protection"); 240 } 241 break; 242 case PERPAGE_XP: default: 243 /* Per-page --x protection should not fail */ 244 ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV); 245 break; 246 } 247} 248#endif 249 250ATF_TC(mprotect_pax); 251ATF_TC_HEAD(mprotect_pax, tc) 252{ 253 atf_tc_set_md_var(tc, "descr", "PaX restrictions and mprotect(2)"); 254 atf_tc_set_md_var(tc, "require.user", "root"); 255} 256 257ATF_TC_BODY(mprotect_pax, tc) 258{ 259 const int prot[4] = { PROT_NONE, PROT_READ, PROT_WRITE }; 260 const char *str = NULL; 261 void *map; 262 size_t i; 263 int rv; 264 265 if (paxinit() != true) 266 return; 267 268 /* 269 * As noted in the original PaX documentation [1], 270 * the following restrictions should apply: 271 * 272 * (1) creating executable anonymous mappings 273 * 274 * (2) creating executable/writable file mappings 275 * 276 * (3) making a non-executable mapping executable 277 * 278 * (4) making an executable/read-only file mapping 279 * writable except for performing relocations 280 * on an ET_DYN ELF file (non-PIC shared library) 281 * 282 * The following will test only the case (3). 283 * 284 * [1] http://pax.grsecurity.net/docs/mprotect.txt 285 * 286 * (Sun Apr 3 11:06:53 EEST 2011.) 287 */ 288 for (i = 0; i < __arraycount(prot); i++) { 289 290 map = mmap(NULL, page, prot[i], MAP_ANON, -1, 0); 291 292 if (map == MAP_FAILED) 293 continue; 294 295 rv = mprotect(map, 1, prot[i] | PROT_EXEC); 296 297 (void)munmap(map, page); 298 299 if (rv == 0) { 300 str = "non-executable mapping made executable"; 301 goto out; 302 } 303 } 304 305out: 306 if (pax_global != -1 && pax_enabled != -1) 307 (void)paxset(pax_global, pax_enabled); 308 309 if (str != NULL) 310 atf_tc_fail("%s", str); 311} 312 313ATF_TC(mprotect_write); 314ATF_TC_HEAD(mprotect_write, tc) 315{ 316 atf_tc_set_md_var(tc, "descr", "Test mprotect(2) write protections"); 317} 318 319ATF_TC_BODY(mprotect_write, tc) 320{ 321 pid_t pid; 322 void *map; 323 int sta; 324 325 /* 326 * Map a page read/write, change the protection 327 * to read-only with mprotect(2), and try to write 328 * to the page. This should generate a SIGSEGV. 329 */ 330 map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0); 331 ATF_REQUIRE(map != MAP_FAILED); 332 333 ATF_REQUIRE(strlcpy(map, "XXX", 3) == 3); 334 ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0); 335 336 pid = fork(); 337 ATF_REQUIRE(pid >= 0); 338 339 if (pid == 0) { 340 ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR); 341 ATF_REQUIRE(strlcpy(map, "XXX", 3) == 0); 342 } 343 344 (void)wait(&sta); 345 346 ATF_REQUIRE(WIFEXITED(sta) != 0); 347 ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV); 348 ATF_REQUIRE(munmap(map, page) == 0); 349} 350 351ATF_TP_ADD_TCS(tp) 352{ 353 page = sysconf(_SC_PAGESIZE); 354 ATF_REQUIRE(page >= 0); 355 356 ATF_TP_ADD_TC(tp, mprotect_access); 357 ATF_TP_ADD_TC(tp, mprotect_err); 358#ifdef __NetBSD__ 359 ATF_TP_ADD_TC(tp, mprotect_exec); 360#endif 361 ATF_TP_ADD_TC(tp, mprotect_pax); 362 ATF_TP_ADD_TC(tp, mprotect_write); 363 364 return atf_no_error(); 365} 366