Date: Tue, 15 Oct 2013 06:38:41 +0000 (UTC) From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r256504 - in head/sys: kern sys Message-ID: <201310150638.r9F6cfuY058880@svn.freebsd.org>
Author: kib
Date: Tue Oct 15 06:38:40 2013
New Revision: 256504
URL: http://svnweb.freebsd.org/changeset/base/256504
Log:
Add a sysctl kern.disallow_high_osrel which disables executing the images compiled on the world with higher major version number than the high version number of the booted kernel. Default to disable.
Sponsored by: The FreeBSD Foundation
Discussed with: bapt
MFC after: 1 week
Modified:
head/sys/kern/kern_exec.c
head/sys/sys/param.h
Modified: head/sys/kern/kern_exec.c
==============================================================================
--- head/sys/kern/kern_exec.c Tue Oct 15 06:35:22 2013 (r256503)
+++ head/sys/kern/kern_exec.c Tue Oct 15 06:38:40 2013 (r256504)
@@ -123,6 +123,11 @@ u_long ps_arg_cache_limit = PAGE_SIZE /
 SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW,
 &ps_arg_cache_limit, 0, "");
 
+static int disallow_high_osrel;
+SYSCTL_INT(_kern, OID_AUTO, disallow_high_osrel, CTLFLAG_RW,
+ &disallow_high_osrel, 0,
+ "Disallow execution of binaries built for higher version of the world");
+
 static int map_at_zero = 0;
 TUNABLE_INT("security.bsd.map_at_zero", &map_at_zero);
 SYSCTL_INT(_security_bsd, OID_AUTO, map_at_zero, CTLFLAG_RW, &map_at_zero, 0,
@@ -552,6 +557,15 @@ interpret:
 vn_fullpath(td, imgp->vp, &imgp->execpath, &imgp->freepath) != 0))
 imgp->execpath = args->fname;
 
+ if (disallow_high_osrel &&
+ P_OSREL_MAJOR(p->p_osrel) > P_OSREL_MAJOR(__FreeBSD_version)) {
+ error = ENOEXEC;
+ uprintf("Osrel %d for image %s too high\n", p->p_osrel,
+ imgp->execpath != NULL ? imgp->execpath : "<unresolved>");
+ vn_lock(imgp->vp, LK_SHARED | LK_RETRY);
+ goto exec_fail_dealloc;
+ }
+
 /*
 * Copy out strings (args and env) and initialize stack base
 */
Modified: head/sys/sys/param.h
==============================================================================
--- head/sys/sys/param.h Tue Oct 15 06:35:22 2013 (r256503)
+++ head/sys/sys/param.h Tue Oct 15 06:38:40 2013 (r256504)
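Review bot: `disallow_high_osrel` is registered only as a run-time sysctl, while the `map_at_zero` knob visible as context in the same hunk is also a loader tunable. Without a matching `TUNABLE_INT("kern.disallow_high_osrel", &disallow_high_osrel);` the restriction cannot be in force before the sysctl is applied during boot, so images executed earlier are not covered. A short comment on the variable stating that 0 leaves the check off and that it is read in the exec path would also help, since the description string is only visible through sysctl output.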
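Review bot: The new `if` after `interpret:` compares `p->p_osrel`, which is presumably filled from the release number the image itself declares (the assignment is outside the hunk), so the knob is a compatibility guard rather than a security boundary. A comment above the check should say so, for example `/* Compatibility guard only: p_osrel is declared by the image and is not authenticated. */`. The `vn_lock(imgp->vp, LK_SHARED | LK_RETRY)` before `goto exec_fail_dealloc` needs a one-line comment that the failure path expects the vnode locked, because neither the earlier unlock nor the label is visible here. The refusal is reported only through `uprintf()` to the caller's terminal, so an administrator who enables the sysctl gets no kernel-log record of denied executions. The enclosing function starts and ends outside the hunk.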
@@ -80,6 +80,8 @@
 #define P_OSREL_SIGWAIT 700000
 #define P_OSREL_SIGSEGV 700004
 #define P_OSREL_MAP_ANON 800104
+
+#define P_OSREL_MAJOR(x) ((x) / 100000)
 #endif
 
 #ifndef LOCORE
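Review bot: `P_OSREL_MAJOR` is added without a comment among constants that are release thresholds, although it is a different kind of macro and depends on the version encoding keeping the major number above the low five decimal digits. A line such as `/* Major release number of a __FreeBSD_version-style value. */` above the definition would make that explicit. A value of 0 yields major 0, so an image that records no release number (if that is how it is represented; not visible here) would always pass a greater-than comparison against the kernel's major.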