kern_pax.c revision 1.3
1/* $NetBSD: kern_pax.c,v 1.3 2006/05/20 15:45:37 elad Exp $ */ 2 3/*- 4 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Elad Efrat. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
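 */

#include "opt_pax.h"

#include <sys/param.h>
#include <sys/proc.h>
#include <sys/exec_elf.h>
#include <uvm/uvm_extern.h>
#include <sys/pax.h>
#include <sys/sysctl.h>

/*
 * Master switch for the PaX mprotect (W^X) restrictions, exported as
 * security.pax.mprotect.enabled.  When zero, pax_mprotect_adjust() and
 * pax_mprotect() below do nothing.
 */
int pax_mprotect_enabled = 1;

/*
 * Selects the default policy, exported as
 * security.pax.mprotect.global_protection:
 *   non-zero: every process is restricted unless it carries
 *             P_PAXNOMPROTECT (explicit opt-out);
 *   zero:     only processes carrying P_PAXMPROTECT (explicit opt-in)
 *             are restricted.
 * The initial value is PAX_MPROTECT (presumably supplied by the kernel
 * configuration through opt_pax.h).
 */
int pax_mprotect_global = PAX_MPROTECT;

/*
 * Create the security.pax.mprotect sysctl subtree.  Both leaf nodes are
 * CTLFLAG_READWRITE, so the policy can be changed at run time through
 * sysctl(8); any privilege or securelevel check on such writes is done by
 * the sysctl framework, not here.
 */
SYSCTL_SETUP(sysctl_security_pax_setup, "sysctl security.pax setup")
{
	const struct sysctlnode *rnode = NULL;

	/* security */
	sysctl_createv(clog, 0, NULL, &rnode,
		       CTLFLAG_PERMANENT,
		       CTLTYPE_NODE, "security", NULL,
		       NULL, 0, NULL, 0,
		       CTL_CREATE, CTL_EOL);

	/* security.pax -- rnode is both parent and result, walking down */
	sysctl_createv(clog, 0, &rnode, &rnode,
		       CTLFLAG_PERMANENT,
		       CTLTYPE_NODE, "pax",
		       SYSCTL_DESCR("PaX (exploit mitigation) features."),
		       NULL, 0, NULL, 0,
		       CTL_CREATE, CTL_EOL);

	/* security.pax.mprotect */
	sysctl_createv(clog, 0, &rnode, &rnode,
		       CTLFLAG_PERMANENT,
		       CTLTYPE_NODE, "mprotect",
		       SYSCTL_DESCR("mprotect(2) W^X restrictions."),
		       NULL, 0, NULL, 0,
		       CTL_CREATE, CTL_EOL);

	/* security.pax.mprotect.enabled */
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "enabled",
		       SYSCTL_DESCR("Restrictions enabled."),
		       NULL, 0, &pax_mprotect_enabled, 0,
		       CTL_CREATE, CTL_EOL);

	/*
	 * security.pax.mprotect.global_protection.  The description is
	 * built from adjacent string literals; the trailing space after
	 * "to" is needed so the text does not read "toall".
	 */
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "global_protection",
		       SYSCTL_DESCR("When enabled, unless explicitly "
				    "specified, apply restrictions to "
				    "all processes."),
		       NULL, 0, &pax_mprotect_global, 0,
		       CTL_CREATE, CTL_EOL);
}

/*
 * Record the PaX mprotect preference of a process.
 *
 * l:	the lwp whose process (l->l_proc) is marked.
 * f:	PF_PAX* flag bits the caller extracted for the executable
 *	(presumably from its PaX ELF note -- confirm against the caller).
 *
 * PF_PAXMPROTECT sets P_PAXMPROTECT (opt in), PF_PAXNOMPROTECT sets
 * P_PAXNOMPROTECT (opt out).  Flags are only ever added, never cleared,
 * and nothing here rejects the case where both are present; pax_mprotect()
 * resolves that according to pax_mprotect_global.  No-op while the feature
 * is disabled.
 */
void
pax_mprotect_adjust(struct lwp *l, int f)
{
	if (!pax_mprotect_enabled)
		return;

	if (f & PF_PAXMPROTECT)
		l->l_proc->p_flag |= P_PAXMPROTECT;
	if (f & PF_PAXNOMPROTECT)
		l->l_proc->p_flag |= P_PAXNOMPROTECT;
}

/*
 * Enforce W^X on a mapping's protection for the process of lwp l.
 *
 * prot/maxprot:	requested and maximum protection, adjusted in place.
 *
 * Nothing is done when the feature is disabled, or when the process is
 * exempt under the current policy (opted out under global protection, or
 * not opted in otherwise).  Otherwise exactly one of WRITE/EXECUTE is
 * allowed to survive:
 *   - a mapping that is writable, or that is neither writable nor
 *     executable, loses EXECUTE;
 *   - a mapping that is executable but not writable loses WRITE.
 * maxprot is clamped the same way so a later mprotect(2) cannot re-add the
 * removed permission and turn the region into W+X.
 */
void
pax_mprotect(struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot)
{
	int pflag;

	if (!pax_mprotect_enabled)
		return;

	pflag = l->l_proc->p_flag;
	if (pax_mprotect_global && (pflag & P_PAXNOMPROTECT))
		return;		/* explicit opt-out under global policy */
	if (!pax_mprotect_global && !(pflag & P_PAXMPROTECT))
		return;		/* no opt-in under per-process policy */

	if ((*prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) != VM_PROT_EXECUTE) {
		/* writable (or neither W nor X): never executable */
		*prot &= ~VM_PROT_EXECUTE;
		*maxprot &= ~VM_PROT_EXECUTE;
	} else {
		/* execute-only: never writable */
		*prot &= ~VM_PROT_WRITE;
		*maxprot &= ~VM_PROT_WRITE;
	}
}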