From owner-freebsd-hackers@FreeBSD.ORG Thu Jun 26 23:27:31 2014 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E334EC3F; Thu, 26 Jun 2014 23:27:31 +0000 (UTC) Received: from mail-qc0-x229.google.com (mail-qc0-x229.google.com [IPv6:2607:f8b0:400d:c01::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5AAF02482; Thu, 26 Jun 2014 23:27:31 +0000 (UTC) Received: by mail-qc0-f169.google.com with SMTP id c9so3861148qcz.28 for ; Thu, 26 Jun 2014 16:27:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:cc:subject:message-id:mime-version:content-type :content-disposition:user-agent; bh=nIIlInPwepFUJPMI2urbakngKbDxTGLxLgLSvMpfsOo=; b=bIvL27EcVlBxQz6R0BPb6PDWdEb26fCHW9gCeODi+EiGLfWo2WvsLXLfsMYHa4rIO7 1kBGkOgGeHJQ+XCS4Ihi4KtcP2hlMdZFh2UOQtiXBzNbYcIqxAC3Y/dUhzqtJ6NkWjvp hY1p9GxX+91IZvfhjYzP/xzP75BlNgvqXsU61FazWC8fHu7XllgUTXxSg12aCdYoJmLt 9zdQBV5Hv9Df6wLkMkgthqh4qzOS7J7A6vlUNKPpksMQsCXse+HFXqFVT6iecJJMw0iC PUPHzuaztjttp1ccEvwjZ2p1EDOo6ohRgNg+gpSUlEuMIQi7wT8Jsic3hK/rPFN4cVOY +RMg== X-Received: by 10.224.70.7 with SMTP id b7mr27251033qaj.28.1403825250482; Thu, 26 Jun 2014 16:27:30 -0700 (PDT) Received: from pwnie.vrt.sourcefire.com (moist.vrt.sourcefire.com. [198.148.79.134]) by mx.google.com with ESMTPSA id g2sm13520087qaz.21.2014.06.26.16.27.29 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Jun 2014 16:27:29 -0700 (PDT) Date: Thu, 26 Jun 2014 19:27:27 -0400 From: Shawn Webb To: freebsd-hackers@freebsd.org Subject: Help With ASLR Message-ID: <20140626232727.GB1825@pwnie.vrt.sourcefire.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="S1BNGpv0yoYahz37" Content-Disposition: inline X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE User-Agent: Mutt/1.5.23 (2014-03-12) Cc: Oliver Pinter , kib@freebsd.org, alc@rice.edu X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jun 2014 23:27:32 -0000 --S1BNGpv0yoYahz37 Content-Type: multipart/mixed; boundary="61jdw2sOBCFtR2d/" Content-Disposition: inline --61jdw2sOBCFtR2d/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hey All, I've exchanged a few helpful emails with kib@. He has glanced over the ASLR patch we have against 11-CURRENT (which is also attached to this email as a reference point). He has suggested some changes to the VM subsystem that I'm having trouble getting my head wrapped around. Essentially, he suggests that instead of doing the randomization in various places like the ELF loader and sys_mmap, we should modify vm_map_find() in sys/vm/vm_map.c to apply the randomization there. Here's his suggestion in full (I hope he doesn't mind me directly quoting him): The mapping address randomization can only be performed in the vm_map_find(). This is the place where usermode mapping flags are already parsed, and the real decision for the placement is done, with all the contextual information collected, the fixed requests are not passed there. Doing the 'randomization' in vm_mmap() means that the mmap command must be parsed twice, which presented patch fails to do in any sane way. Only mappings in the usermode maps should be randomized. Current patch does not randomize the mapping location at all, it only randomizes the hint address passed from the userspace, which is completely useless. It also fails to correct the address to honour the placement flags like MAP_32BIT or MAP_ALIGNMENT_MASK. What must be done is vm_map_find() requesting vm_map_findspace() for the address hole of the size of the requested mapping + (number of address bits to randomize << PAGE_SHIFT). Then, the rng value should be obtained and final location for the mapping calculated as return value + (rng << PAGE_SHIFT). If no address space hole exists which can satisfy the enlarged request, either a direct fallback to the initial length should be performed (I prefer this), or exponential decrease of the length up to the initial size done, and findspace procedure repeated. Also, the vm_map_find() knows about the superpages hint for the mapping being performed, which allows to not break superpages. When superpage-aligned mapping is requested, SUPERPAGE_SHIFT (available =66rom pagesizes[1]) should be used instead of PAGE_SHIFT in the formula above, and probably, a different amount of address bits in the page table page level 2 to randomize, selected. =3D=3D=3D end of kib@ suggestions =3D=3D=3D I have a few concerns, though: 1) vm_map_find is also used when loading certain bits of data in the kernel (like KLDs, for example); 2) It's not possible to tell in vm_map_find if we're creating a mapping for the stack, the execbase, or any other suitable mmap call. We apply ASLR differently based on those three aspects; 3) vm_map_find is also used in initializing the VM system upon boot. What impacts would this cause? I would really appreciate any feedback. Thank you in advance for any help or guidance. Thanks, Shawn --61jdw2sOBCFtR2d/ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="2014-06-21_aslr.patch" Content-Transfer-Encoding: quoted-printable diff --git a/lib/libugidfw/ugidfw.c b/lib/libugidfw/ugidfw.c index 0dc423d..a4a38bc 100644 --- a/lib/libugidfw/ugidfw.c +++ b/lib/libugidfw/ugidfw.c @@ -36,6 +36,9 @@ #include #include #include +#include +#include +#include =20 #include =20 @@ -44,6 +47,8 @@ #include #include #include +#include +#include =20 #include "ugidfw.h" =20 @@ -329,14 +334,19 @@ bsde_rule_to_string(struct mac_bsdextended_rule *rule= , char *buf, size_t buflen) cur +=3D len; } if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) { - numfs =3D getmntinfo(&mntbuf, MNT_NOWAIT); - for (i =3D 0; i < numfs; i++) - if (memcmp(&(rule->mbr_object.mbo_fsid), - &(mntbuf[i].f_fsid), - sizeof(mntbuf[i].f_fsid)) =3D=3D 0) - break; - len =3D snprintf(cur, left, "filesys %s ", - i =3D=3D numfs ? "???" : mntbuf[i].f_mntonname); + if (rule->mbr_object.mbo_inode =3D=3D 0) { + numfs =3D getmntinfo(&mntbuf, MNT_NOWAIT); + for (i =3D 0; i < numfs; i++) + if (memcmp(&(rule->mbr_object.mbo_fsid), + &(mntbuf[i].f_fsid), + sizeof(mntbuf[i].f_fsid)) =3D=3D 0) + break; + len =3D snprintf(cur, left, "filesys %s ", + i =3D=3D numfs ? "???" : mntbuf[i].f_mntonname); + } else { + len =3D snprintf(cur, left, "filesys %s ", + rule->mbr_object.mbo_paxpath); + } if (len < 0 || len > left) goto truncated; left -=3D len; @@ -500,6 +510,33 @@ bsde_rule_to_string(struct mac_bsdextended_rule *rule,= char *buf, size_t buflen) cur +=3D len; } =20 + if (rule->mbr_pax) { + len =3D snprintf(cur, left, " paxflags "); + if (len < 0 || len > left) + goto truncated; + left -=3D len; + cur +=3D len; + + if (rule->mbr_pax & MBI_FORCE_ASLR_ENABLED) { + len =3D snprintf(cur, left, "A"); + if (len < 0 || len > left) + goto truncated; + + left -=3D len; + cur +=3D len; + } + + if (rule->mbr_pax & MBI_FORCE_ASLR_DISABLED) { + len =3D snprintf(cur, left, "a"); + if (len < 0 || len > left) + goto truncated; + + left -=3D len; + cur +=3D len; + } + + } + return (0); =20 truncated: @@ -507,8 +544,8 @@ truncated: } =20 int -bsde_parse_uidrange(char *spec, uid_t *min, uid_t *max, - size_t buflen, char *errstr){ +bsde_parse_uidrange(char *spec, uid_t *min, uid_t *max, size_t buflen, cha= r *errstr) +{ struct passwd *pwd; uid_t uid1, uid2; char *spec1, *spec2, *endp; @@ -556,8 +593,8 @@ bsde_parse_uidrange(char *spec, uid_t *min, uid_t *max, } =20 int -bsde_parse_gidrange(char *spec, gid_t *min, gid_t *max, - size_t buflen, char *errstr){ +bsde_parse_gidrange(char *spec, gid_t *min, gid_t *max, size_t buflen, cha= r *errstr) +{ struct group *grp; gid_t gid1, gid2; char *spec1, *spec2, *endp; @@ -766,10 +803,15 @@ bsde_parse_type(char *spec, int *type, size_t buflen,= char *errstr) } =20 int -bsde_parse_fsid(char *spec, struct fsid *fsid, size_t buflen, char *errstr) +bsde_parse_fsid(char *spec, struct fsid *fsid, ino_t *inode, size_t buflen= , char *errstr) { size_t len; struct statfs buf; + struct stat sb; + int fd, paxstatus; + size_t bufsz; + + *inode =3D 0; =20 if (statfs(spec, &buf) < 0) { len =3D snprintf(errstr, buflen, "Unable to get id for %s: %s", @@ -779,6 +821,21 @@ bsde_parse_fsid(char *spec, struct fsid *fsid, size_t = buflen, char *errstr) =20 *fsid =3D buf.f_fsid; =20 + if (strcmp(buf.f_fstypename, "devfs") !=3D 0) { + bufsz =3D sizeof(int); + if (!sysctlbyname("kern.features.aslr", &paxstatus, &bufsz, + NULL, 0)) { + fd =3D open(spec, O_RDONLY); + if (fd !=3D -1) { + if (fstat(fd, &sb) =3D=3D 0) + if(S_ISDIR(sb.st_mode) =3D=3D 0) + *inode =3D sb.st_ino; + + close(fd); + } + } + } + return (0); } =20 @@ -852,13 +909,18 @@ bsde_parse_object(int argc, char *argv[], return (-1); } if (bsde_parse_fsid(argv[current+1], &fsid, - buflen, errstr) < 0) + &object->mbo_inode, buflen, errstr) < 0) return (-1); flags |=3D MBO_FSID_DEFINED; if (nextnot) { neg ^=3D MBO_FSID_DEFINED; nextnot =3D 0; } + if (object->mbo_inode) + snprintf(object->mbo_paxpath, MAXPATHLEN, "%s", + argv[current+1]); + else + memset(object->mbo_paxpath, 0x00, MAXPATHLEN); current +=3D 2; } else if (strcmp(argv[current], "suid") =3D=3D 0) { flags |=3D MBO_SUID; @@ -991,12 +1053,48 @@ bsde_parse_mode(int argc, char *argv[], mode_t *mode= , size_t buflen, } =20 int +bsde_parse_paxflags(int argc, char *argv[], uint32_t *pax, size_t buflen, = char *errstr) +{ + size_t len; + int i; + + if (argc =3D=3D 0) { + len =3D snprintf(errstr, buflen, "paxflags expects mode value"); + return (-1); + } + + if (argc !=3D 1) { + len =3D snprintf(errstr, buflen, "'%s' unexpected", argv[1]); + return (-1); + } + + *pax =3D 0; + for (i =3D 0; i < strlen(argv[0]); i++) { + switch (argv[0][i]) { + case 'A': + *pax |=3D MBI_FORCE_ASLR_ENABLED; + break; + case 'a': + *pax |=3D MBI_FORCE_ASLR_DISABLED; + break; + default: + len =3D snprintf(errstr, buflen, "Unknown mode letter: %c", + argv[0][i]); + return (-1); + }=20 + } + + return (0); +} + +int bsde_parse_rule(int argc, char *argv[], struct mac_bsdextended_rule *rule, size_t buflen, char *errstr) { int subject, subject_elements, subject_elements_length; int object, object_elements, object_elements_length; int mode, mode_elements, mode_elements_length; + int paxflags, paxflags_elements, paxflags_elements_length=3D0; int error, i; size_t len; =20 @@ -1037,11 +1135,23 @@ bsde_parse_rule(int argc, char *argv[], struct mac_= bsdextended_rule *rule, return (-1); } =20 + /* Search forward for paxflags */ + paxflags =3D -1; + for (i =3D 1; i < argc; i++) + if (strcmp(argv[i], "paxflags") =3D=3D 0) + paxflags =3D i; + + if (paxflags >=3D 0) { + paxflags_elements =3D paxflags + 1; + paxflags_elements_length =3D argc - paxflags_elements; + } + subject_elements_length =3D object - subject - 1; object_elements =3D object + 1; object_elements_length =3D mode - object_elements; mode_elements =3D mode + 1; - mode_elements_length =3D argc - mode_elements; + mode_elements_length =3D argc - mode_elements - + (paxflags_elements_length ? paxflags_elements_length+1 : 0); =20 error =3D bsde_parse_subject(subject_elements_length, argv + subject_elements, &rule->mbr_subject, buflen, errstr); @@ -1058,6 +1168,13 @@ bsde_parse_rule(int argc, char *argv[], struct mac_b= sdextended_rule *rule, if (error) return (-1); =20 + if (paxflags >=3D 0) { + error =3D bsde_parse_paxflags(paxflags_elements_length, argv + paxflags_= elements, + &rule->mbr_pax, buflen, errstr); + if (error) + return (-1); + } + return (0); } =20 diff --git a/lib/libugidfw/ugidfw.h b/lib/libugidfw/ugidfw.h index 5b7fcf2..cef469c 100644 --- a/lib/libugidfw/ugidfw.h +++ b/lib/libugidfw/ugidfw.h @@ -39,6 +39,8 @@ int bsde_rule_to_string(struct mac_bsdextended_rule *rule= , char *buf, size_t buflen); int bsde_parse_mode(int argc, char *argv[], mode_t *mode, size_t buflen, char *errstr); +int bsde_parse_paxflags(int argc, char *argv[], uint32_t *pax, size_t bufl= en, + char *errstr); int bsde_parse_rule(int argc, char *argv[], struct mac_bsdextended_rule *rule, size_t buflen, char *errstr); int bsde_parse_rule_string(const char *string, diff --git a/sys/amd64/amd64/elf_machdep.c b/sys/amd64/amd64/elf_machdep.c index fdc4d56..ffb5e31 100644 --- a/sys/amd64/amd64/elf_machdep.c +++ b/sys/amd64/amd64/elf_machdep.c @@ -26,12 +26,17 @@ #include __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include #include #include #include #include #include +#ifdef PAX_ASLR +#include +#endif #include #include #include @@ -81,6 +86,11 @@ struct sysentvec elf64_freebsd_sysvec =3D { .sv_shared_page_base =3D SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf64_sysvec, &elf64_freebsd_sysvec); =20 diff --git a/sys/amd64/include/vmparam.h b/sys/amd64/include/vmparam.h index bda9722..5e83a8f 100644 --- a/sys/amd64/include/vmparam.h +++ b/sys/amd64/include/vmparam.h @@ -170,7 +170,7 @@ #define VM_MAXUSER_ADDRESS UVADDR(NUPML4E, 0, 0, 0) =20 #define SHAREDPAGE (VM_MAXUSER_ADDRESS - PAGE_SIZE) -#define USRSTACK SHAREDPAGE +#define USRSTACK (SHAREDPAGE - 4*PAGE_SIZE) =20 #define VM_MAX_ADDRESS UPT_MAX_ADDRESS #define VM_MIN_ADDRESS (0) diff --git a/sys/amd64/linux32/linux32_sysvec.c b/sys/amd64/linux32/linux32= _sysvec.c index c06ce11..f4f99f58 100644 --- a/sys/amd64/linux32/linux32_sysvec.c +++ b/sys/amd64/linux32/linux32_sysvec.c @@ -33,6 +33,7 @@ #include __FBSDID("$FreeBSD$"); #include "opt_compat.h" +#include "opt_pax.h" =20 #ifndef COMPAT_FREEBSD32 #error "Unable to compile Linux-emulator due to missing COMPAT_FREEBSD32 o= ption!" @@ -84,6 +85,10 @@ __FBSDID("$FreeBSD$"); #include #include =20 +#ifdef PAX_ASLR +#include +#endif + MODULE_VERSION(linux, 1); =20 MALLOC_DEFINE(M_LINUX, "linux", "Linux mode structures"); @@ -1037,6 +1042,11 @@ struct sysentvec elf_linux_sysvec =3D { .sv_shared_page_base =3D LINUX32_SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D linux_schedtail, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init32, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf_sysvec, &elf_linux_sysvec); =20 diff --git a/sys/arm/arm/elf_machdep.c b/sys/arm/arm/elf_machdep.c index 8ef9bd4..26e37e6 100644 --- a/sys/arm/arm/elf_machdep.c +++ b/sys/arm/arm/elf_machdep.c @@ -26,6 +26,8 @@ #include __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include #include #include @@ -46,6 +48,10 @@ __FBSDID("$FreeBSD$"); #include #include =20 +#ifdef PAX_ASLR +#include +#endif + struct sysentvec elf32_freebsd_sysvec =3D { .sv_size =3D SYS_MAXSYSCALL, .sv_table =3D sysent, @@ -79,6 +85,11 @@ struct sysentvec elf32_freebsd_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D syscallnames, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; =20 static Elf32_Brandinfo freebsd_brand_info =3D { diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/f= reebsd32_misc.c index 68e761b..96a81d9 100644 --- a/sys/compat/freebsd32/freebsd32_misc.c +++ b/sys/compat/freebsd32/freebsd32_misc.c @@ -30,6 +30,7 @@ __FBSDID("$FreeBSD$"); #include "opt_compat.h" #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_pax.h" =20 #define __ELF_WORD_SIZE 32 =20 @@ -113,6 +114,10 @@ __FBSDID("$FreeBSD$"); =20 FEATURE(compat_freebsd_32bit, "Compatible with 32-bit FreeBSD"); =20 +#ifdef PAX_ASLR +#include +#endif + #ifndef __mips__ CTASSERT(sizeof(struct timeval32) =3D=3D 8); CTASSERT(sizeof(struct timespec32) =3D=3D 8); @@ -2886,6 +2891,10 @@ freebsd32_copyout_strings(struct image_params *imgp) szsigcode =3D 0; destp =3D (uintptr_t)arginfo; =20 +#ifdef PAX_ASLR + pax_aslr_stack(curthread, &destp); +#endif + /* * install sigcode */ diff --git a/sys/compat/ia32/ia32_sysvec.c b/sys/compat/ia32/ia32_sysvec.c index a8e52e8..ade8da5 100644 --- a/sys/compat/ia32/ia32_sysvec.c +++ b/sys/compat/ia32/ia32_sysvec.c @@ -29,6 +29,7 @@ __FBSDID("$FreeBSD$"); =20 #include "opt_compat.h" +#include "opt_pax.h" =20 #define __ELF_WORD_SIZE 32 =20 @@ -74,6 +75,10 @@ __FBSDID("$FreeBSD$"); #include #include =20 +#ifdef PAX_ASLR +#include +#endif + CTASSERT(sizeof(struct ia32_mcontext) =3D=3D 640); CTASSERT(sizeof(struct ia32_ucontext) =3D=3D 704); CTASSERT(sizeof(struct ia32_sigframe) =3D=3D 800); @@ -139,6 +144,11 @@ struct sysentvec ia32_freebsd_sysvec =3D { .sv_shared_page_base =3D FREEBSD32_SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init32, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf_ia32_sysvec, &ia32_freebsd_sysvec); =20 diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 4d27713..671ef83 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -2972,3 +2972,7 @@ options RANDOM_RWFILE # Read and write entropy cache =20 # Module to enable execution of application via emulators like QEMU options IMAGACT_BINMISC + +# Address Space Layout Randomization (ASLR) +options PAX_ASLR +options PAX_SYSCTLS diff --git a/sys/conf/files b/sys/conf/files index cc907c50..1e73c88 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -2907,6 +2907,9 @@ kern/kern_mtxpool.c standard kern/kern_mutex.c standard kern/kern_ntptime.c standard kern/kern_osd.c standard +kern/kern_pax.c optional pax_aslr +kern/kern_pax_aslr.c optional pax_aslr +kern/kern_pax_log.c optional pax_aslr kern/kern_physio.c standard kern/kern_pmc.c standard kern/kern_poll.c optional device_polling diff --git a/sys/conf/options b/sys/conf/options index 32fb4d4..6e81e4e 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -916,6 +916,12 @@ RACCT opt_global.h # Resource Limits RCTL opt_global.h =20 +# PaX - hardening options +PAX_ASLR opt_pax.h +PAX_ASLR_MAX_SEC opt_pax.h +PAX_MPROTECT opt_pax.h +PAX_SYSCTLS opt_pax.h + # Random number generator(s) RANDOM_YARROW opt_random.h RANDOM_FORTUNA opt_random.h diff --git a/sys/i386/i386/elf_machdep.c b/sys/i386/i386/elf_machdep.c index 034b4c4..9571252 100644 --- a/sys/i386/i386/elf_machdep.c +++ b/sys/i386/i386/elf_machdep.c @@ -26,6 +26,8 @@ #include __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include #include #include @@ -46,6 +48,10 @@ __FBSDID("$FreeBSD$"); #include #include =20 +#ifdef PAX_ASLR +#include +#endif + struct sysentvec elf32_freebsd_sysvec =3D { .sv_size =3D SYS_MAXSYSCALL, .sv_table =3D sysent, @@ -81,6 +87,11 @@ struct sysentvec elf32_freebsd_sysvec =3D { .sv_shared_page_base =3D SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec); =20 diff --git a/sys/i386/ibcs2/ibcs2_sysvec.c b/sys/i386/ibcs2/ibcs2_sysvec.c index 5d007c7..1bb9d89 100644 --- a/sys/i386/ibcs2/ibcs2_sysvec.c +++ b/sys/i386/ibcs2/ibcs2_sysvec.c @@ -31,6 +31,8 @@ #include __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include #include #include @@ -50,6 +52,10 @@ __FBSDID("$FreeBSD$"); #include #include =20 +#ifdef PAX_ASLR +#include +#endif + MODULE_VERSION(ibcs2, 1); =20 extern int bsd_to_ibcs2_errno[]; @@ -89,6 +95,11 @@ struct sysentvec ibcs2_svr3_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D NULL, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, /* XXXOP */ +#else + .sv_pax_aslr_init =3D NULL, +#endif }; =20 static int diff --git a/sys/i386/linux/linux_sysvec.c b/sys/i386/linux/linux_sysvec.c index 0ad6791..403070c 100644 --- a/sys/i386/linux/linux_sysvec.c +++ b/sys/i386/linux/linux_sysvec.c @@ -29,6 +29,8 @@ #include __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include #include #include @@ -72,6 +74,10 @@ __FBSDID("$FreeBSD$"); #include #include =20 +#ifdef PAX_ASLR +#include +#endif + MODULE_VERSION(linux, 1); =20 MALLOC_DEFINE(M_LINUX, "linux", "Linux mode structures"); @@ -974,6 +980,11 @@ struct sysentvec linux_sysvec =3D { .sv_shared_page_base =3D LINUX_SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D linux_schedtail, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, /* XXXOP */ +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(aout_sysvec, &linux_sysvec); =20 @@ -1012,6 +1023,11 @@ struct sysentvec elf_linux_sysvec =3D { .sv_shared_page_base =3D LINUX_SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D linux_schedtail, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf_sysvec, &elf_linux_sysvec); =20 diff --git a/sys/ia64/ia64/elf_machdep.c b/sys/ia64/ia64/elf_machdep.c index 05cb641..e3d19c1 100644 --- a/sys/ia64/ia64/elf_machdep.c +++ b/sys/ia64/ia64/elf_machdep.c @@ -25,6 +25,8 @@ * $FreeBSD$ */ =20 +#include "opt_pax.h" + #include #include #include @@ -49,6 +51,10 @@ #include #include =20 +#ifdef PAX_ASLR +#include +#endif + Elf_Addr link_elf_get_gp(linker_file_t); =20 extern Elf_Addr fptr_storage[]; @@ -86,6 +92,12 @@ struct sysentvec elf64_freebsd_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D syscallnames, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif + }; =20 static Elf64_Brandinfo freebsd_brand_info =3D { diff --git a/sys/kern/imgact_aout.c b/sys/kern/imgact_aout.c index 3ae78de..aac03f1 100644 --- a/sys/kern/imgact_aout.c +++ b/sys/kern/imgact_aout.c @@ -27,6 +27,8 @@ #include __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include #include #include @@ -62,6 +64,10 @@ __FBSDID("$FreeBSD$"); #include #endif =20 +#ifdef PAX_ASLR +#include +#endif + static int exec_aout_imgact(struct image_params *imgp); static int aout_fixup(register_t **stack_base, struct image_params *imgp); =20 @@ -99,6 +105,11 @@ struct sysentvec aout_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D syscallnames, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, /* XXXOP */ +#else + .sv_pax_aslr_init =3D NULL, +#endif }; =20 #elif defined(__amd64__) @@ -143,6 +154,11 @@ struct sysentvec aout_sysvec =3D { .sv_set_syscall_retval =3D ia32_set_syscall_retval, .sv_fetch_syscall_args =3D ia32_fetch_syscall_args, .sv_syscallnames =3D freebsd32_syscallnames, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init32, /* XXXOP */ +#else + .sv_pax_aslr_init =3D NULL, +#endif }; #else #error "Port me" diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index 591094e..d0e01d3 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -34,6 +34,7 @@ __FBSDID("$FreeBSD$"); #include "opt_capsicum.h" #include "opt_compat.h" #include "opt_core.h" +#include "opt_pax.h" =20 #include #include @@ -48,6 +49,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -81,6 +83,10 @@ __FBSDID("$FreeBSD$"); #include #include =20 +#if defined(PAX_ASLR) +#include +#endif + #define ELF_NOTE_ROUNDSIZE 4 #define OLD_EI_BRAND 8 =20 @@ -655,16 +661,16 @@ __elfN(load_file)(struct proc *p, const char *file, u= _long *addr, hdr =3D (const Elf_Ehdr *)imgp->image_header; if ((error =3D __elfN(check_header)(hdr)) !=3D 0) goto fail; - if (hdr->e_type =3D=3D ET_DYN) + if (hdr->e_type =3D=3D ET_DYN) { rbase =3D *addr; - else if (hdr->e_type =3D=3D ET_EXEC) + } else if (hdr->e_type =3D=3D ET_EXEC) { rbase =3D 0; - else { + } else { error =3D ENOEXEC; goto fail; } =20 - /* Only support headers that fit within first page for now */ + /* Only support headers that fit within first page for now */ if ((hdr->e_phoff > PAGE_SIZE) || (u_int)hdr->e_phentsize * hdr->e_phnum > PAGE_SIZE - hdr->e_phoff) { error =3D ENOEXEC; @@ -789,16 +795,7 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *i= mgp) if (hdr->e_type =3D=3D ET_DYN) { if ((brand_info->flags & BI_CAN_EXEC_DYN) =3D=3D 0) return (ENOEXEC); - /* - * Honour the base load address from the dso if it is - * non-zero for some reason. - */ - if (baddr =3D=3D 0) - et_dyn_addr =3D ET_DYN_LOAD_ADDR; - else - et_dyn_addr =3D 0; - } else - et_dyn_addr =3D 0; + } sv =3D brand_info->sysvec; if (interp !=3D NULL && brand_info->interp_newpath !=3D NULL) newinterp =3D brand_info->interp_newpath; @@ -819,6 +816,25 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *i= mgp) error =3D exec_new_vmspace(imgp, sv); imgp->proc->p_sysent =3D sv; =20 +#if defined(PAX_MPROTECT) || defined(PAX_ASLR) + pax_elf(imgp, 0); +#endif + + et_dyn_addr =3D 0; + if (hdr->e_type =3D=3D ET_DYN) { + /* + * Honour the base load address from the dso if it is + * non-zero for some reason. + */ + if (baddr =3D=3D 0) { + et_dyn_addr =3D ET_DYN_LOAD_ADDR; +#ifdef PAX_ASLR + if (pax_aslr_active(NULL, imgp->proc)) + et_dyn_addr +=3D imgp->proc->p_vmspace->vm_aslr_delta_exec; +#endif + } + } + vn_lock(imgp->vp, LK_EXCLUSIVE | LK_RETRY); if (error) return (error); diff --git a/sys/kern/init_main.c b/sys/kern/init_main.c index 141d438..9301b57 100644 --- a/sys/kern/init_main.c +++ b/sys/kern/init_main.c @@ -410,6 +410,7 @@ struct sysentvec null_sysvec =3D { .sv_fetch_syscall_args =3D null_fetch_syscall_args, .sv_syscallnames =3D NULL, .sv_schedtail =3D NULL, + .sv_pax_aslr_init =3D NULL, }; =20 /* diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 667715e..24caccc 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -30,6 +30,7 @@ __FBSDID("$FreeBSD$"); #include "opt_capsicum.h" #include "opt_hwpmc_hooks.h" #include "opt_ktrace.h" +#include "opt_pax.h" #include "opt_vm.h" =20 #include @@ -94,6 +95,10 @@ __FBSDID("$FreeBSD$"); dtrace_execexit_func_t dtrace_fasttrap_exec; #endif =20 +#if defined(PAX_ASLR) +#include +#endif + SDT_PROVIDER_DECLARE(proc); SDT_PROBE_DEFINE1(proc, kernel, , exec, "char *"); SDT_PROBE_DEFINE1(proc, kernel, , exec__failure, "int"); @@ -404,6 +409,7 @@ do_execve(td, args, mac_p) imgp->pagesizes =3D 0; imgp->pagesizeslen =3D 0; imgp->stack_prot =3D 0; + imgp->pax_flags =3D 0; =20 #ifdef MAC error =3D mac_execve_enter(imgp, mac_p); @@ -1064,6 +1070,10 @@ exec_new_vmspace(imgp, sv) map =3D &vmspace->vm_map; } =20 +#ifdef PAX_ASLR + pax_aslr_init(curthread, imgp); +#endif + /* Map a shared page */ obj =3D sv->sv_shared_page_obj; if (obj !=3D NULL) { @@ -1107,6 +1117,9 @@ exec_new_vmspace(imgp, sv) */ vmspace->vm_ssize =3D sgrowsiz >> PAGE_SHIFT; vmspace->vm_maxsaddr =3D (char *)sv->sv_usrstack - ssiz; +#ifdef PAX_ASLR + vmspace->vm_maxsaddr -=3D vmspace->vm_aslr_delta_stack; +#endif =20 return (0); } @@ -1266,6 +1279,9 @@ exec_copyout_strings(imgp) szsigcode =3D *(p->p_sysent->sv_szsigcode); } destp =3D (uintptr_t)arginfo; +#ifdef PAX_ASLR + pax_aslr_stack(curthread, &destp); +#endif =20 /* * install sigcode diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c index b3d9c24..3cd85d8 100644 --- a/sys/kern/kern_fork.c +++ b/sys/kern/kern_fork.c @@ -513,6 +513,11 @@ do_fork(struct thread *td, int flags, struct proc *p2,= struct thread *td2, } =20 /* + * XXXOP: this is the right place? + */ + p2->p_pax =3D p1->p_pax; + + /* * p_limit is copy-on-write. Bump its refcount. */ lim_fork(p1, p2); diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 47cd568..d9036bd 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$"); #include "opt_ddb.h" #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_pax.h" =20 #include #include @@ -74,6 +75,10 @@ __FBSDID("$FreeBSD$"); #endif /* INET6 */ #endif /* DDB */ =20 +#if defined(PAX_ASLR) +#include +#endif + #include =20 #define DEFAULT_HOSTUUID "00000000-0000-0000-0000-000000000000" @@ -117,6 +122,10 @@ struct prison prison0 =3D { }; MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF); =20 +#if defined(PAX_ASLR) +SYSINIT(pax, SI_SUB_PAX, SI_ORDER_MIDDLE, pax_init_prison, (void *) &priso= n0); +#endif + /* allprison, allprison_racct and lastprid are protected by allprison_lock= =2E */ struct sx allprison_lock; SX_SYSINIT(allprison_lock, &allprison_lock, "allprison"); @@ -1307,6 +1316,10 @@ kern_jail_set(struct thread *td, struct uio *optuio,= int flags) goto done_releroot; } =20 +#if defined(PAX_ASLR) + pax_init_prison(pr); +#endif + mtx_lock(&pr->pr_mtx); /* * New prisons do not yet have a reference, because we do not diff --git a/sys/kern/kern_pax.c b/sys/kern/kern_pax.c new file mode 100644 index 0000000..1bd5ad0 --- /dev/null +++ b/sys/kern/kern_pax.c @@ -0,0 +1,214 @@ +/*- + * Copyright (c) 2006 Elad Efrat + * Copyright (c) 2013-2014, by Oliver Pinter + * Copyright (c) 2014, by Shawn Webb + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTI= ES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF US= E, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include +__FBSDID("$FreeBSD$"); + +#include "opt_compat.h" +#include "opt_pax.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include +#include + +#include +#include +#include + +#include + +#include + +#include + +SYSCTL_NODE(_security, OID_AUTO, pax, CTLFLAG_RD, 0, + "PaX (exploit mitigation) features."); + +struct prison * +pax_get_prison(struct thread *td, struct proc *proc) +{ + + if (td !=3D NULL) { + if ((td->td_proc !=3D NULL) && (td->td_proc->p_ucred !=3D NULL)) + return (td->td_proc->p_ucred->cr_prison); + + return (NULL); + } + if ((proc =3D=3D NULL) || (proc->p_ucred =3D=3D NULL)) + return (NULL); + + return (proc->p_ucred->cr_prison); +} + +void +pax_elf(struct image_params *imgp, uint32_t mode) +{ + u_int flags =3D 0; + + if ((mode & MBI_ALLPAX) =3D=3D MBI_ALLPAX) + goto end; + + if (mode & MBI_FORCE_ASLR_ENABLED) + flags |=3D PAX_NOTE_ASLR; + else if (mode & MBI_FORCE_ASLR_DISABLED) + flags |=3D PAX_NOTE_NOASLR; + +end: + if (imgp !=3D NULL) { + imgp->pax_flags =3D flags; + if (imgp->proc !=3D NULL) { + PROC_LOCK(imgp->proc); + imgp->proc->p_pax =3D flags; + PROC_UNLOCK(imgp->proc); + } + } +} + + +/* + * print out PaX settings on boot time, and validate some of them + */ +void +pax_init(void) +{ +#if defined(PAX_ASLR) + const char *status_str[] =3D { + [0] =3D "disabled", + [1] =3D "opt-in", + [2] =3D "opt-out", + [3] =3D "force enabled", + [4] =3D "UNKNOWN -> changed to \"force enabled\"" + }; +#endif + +#ifdef PAX_ASLR + switch (pax_aslr_status) { + case 0: + case 1: + case 2: + case 3: + break; + default: + printf("[PAX ASLR] WARNING, invalid PAX settings in loader.conf!" + " (pax_aslr_status =3D %d)\n", pax_aslr_status); + pax_aslr_status =3D 3; + break; + } + printf("[PAX ASLR] status: %s\n", status_str[pax_aslr_status]); + printf("[PAX ASLR] mmap: %d bit\n", pax_aslr_mmap_len); + printf("[PAX ASLR] exec base: %d bit\n", pax_aslr_exec_len); + printf("[PAX ASLR] stack: %d bit\n", pax_aslr_stack_len); + +#ifdef COMPAT_FREEBSD32 + switch (pax_aslr_compat_status) { + case 0: + case 1: + case 2: + case 3: + break; + default: + printf("[PAX ASLR (compat)] WARNING, invalid PAX settings in loader.conf= ! " + "(pax_aslr_compat_status =3D %d)\n", pax_aslr_compat_status); + pax_aslr_compat_status =3D 3; + break; + } + printf("[PAX ASLR (compat)] status: %s\n", status_str[pax_aslr_compat_sta= tus]); + printf("[PAX ASLR (compat)] mmap: %d bit\n", pax_aslr_compat_mmap_len); + printf("[PAX ASLR (compat)] exec base: %d bit\n", pax_aslr_compat_exec_le= n); + printf("[PAX ASLR (compat)] stack: %d bit\n", pax_aslr_compat_stack_len); +#endif /* COMPAT_FREEBSD32 */ +#endif /* PAX_ASLR */ + + printf("[PAX LOG] logging to system: %d\n", pax_log_log); + printf("[PAX LOG] logging to user: %d\n", pax_log_ulog); +} +SYSINIT(pax, SI_SUB_PAX, SI_ORDER_FIRST, pax_init, NULL); + +void +pax_init_prison(struct prison *pr) +{ + + if (pr =3D=3D NULL) + return; + + if (pr->pr_pax_set) + return; + + mtx_lock(&(pr->pr_mtx)); + + if (pax_aslr_debug) + uprintf("[PaX ASLR] %s: Setting prison %s ASLR variables\n", + __func__, pr->pr_name); + +#ifdef PAX_ASLR + pr->pr_pax_aslr_status =3D pax_aslr_status; + pr->pr_pax_aslr_debug =3D pax_aslr_debug; + pr->pr_pax_aslr_mmap_len =3D pax_aslr_mmap_len; + pr->pr_pax_aslr_stack_len =3D pax_aslr_stack_len; + pr->pr_pax_aslr_exec_len =3D pax_aslr_exec_len; + +#ifdef COMPAT_FREEBSD32 + pr->pr_pax_aslr_compat_status =3D pax_aslr_compat_status; + pr->pr_pax_aslr_compat_mmap_len =3D pax_aslr_compat_mmap_len; + pr->pr_pax_aslr_compat_stack_len =3D pax_aslr_compat_stack_len; + pr->pr_pax_aslr_compat_exec_len =3D pax_aslr_compat_exec_len; +#endif /* COMPAT_FREEBSD32 */ +#endif /* PAX_ASLR */ + + pr->pr_pax_log_log =3D pax_log_log; + pr->pr_pax_log_ulog =3D pax_log_ulog; + + pr->pr_pax_set =3D 1; + + mtx_unlock(&(pr->pr_mtx)); +} diff --git a/sys/kern/kern_pax_aslr.c b/sys/kern/kern_pax_aslr.c new file mode 100644 index 0000000..4b5e8dd --- /dev/null +++ b/sys/kern/kern_pax_aslr.c @@ -0,0 +1,685 @@ +/*- + * Copyright (c) 2006 Elad Efrat + * Copyright (c) 2013-2014, by Oliver Pinter + * Copyright (c) 2014, by Shawn Webb + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTI= ES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF US= E, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include +__FBSDID("$FreeBSD$"); + +#include "opt_compat.h" +#include "opt_pax.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include +#include +#include + +#include + +#include + +FEATURE(aslr, "Address Space Layout Randomization."); + +int pax_aslr_status =3D PAX_ASLR_OPTOUT; +int pax_aslr_debug =3D 0; + +#ifdef PAX_ASLR_MAX_SEC +int pax_aslr_mmap_len =3D PAX_ASLR_DELTA_MMAP_MAX_LEN; +int pax_aslr_stack_len =3D PAX_ASLR_DELTA_STACK_MAX_LEN; +int pax_aslr_exec_len =3D PAX_ASLR_DELTA_EXEC_MAX_LEN; +#else +int pax_aslr_mmap_len =3D PAX_ASLR_DELTA_MMAP_DEF_LEN; +int pax_aslr_stack_len =3D PAX_ASLR_DELTA_STACK_DEF_LEN; +int pax_aslr_exec_len =3D PAX_ASLR_DELTA_EXEC_DEF_LEN; +#endif /* PAX_ASLR_MAX_SEC */ + +#ifdef COMPAT_FREEBSD32 +int pax_aslr_compat_status =3D PAX_ASLR_OPTOUT; +#ifdef PAX_ASLR_MAX_SEC +int pax_aslr_compat_mmap_len =3D PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN; +int pax_aslr_compat_stack_len =3D PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN; +int pax_aslr_compat_exec_len =3D PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN; +#else +int pax_aslr_compat_mmap_len =3D PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN; +int pax_aslr_compat_stack_len =3D PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN; +int pax_aslr_compat_exec_len =3D PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN; +#endif /* PAX_ASLR_MAX_SEC */ +#endif /* COMPAT_FREEBSD32 */ + +TUNABLE_INT("security.pax.aslr.status", &pax_aslr_status); +TUNABLE_INT("security.pax.aslr.mmap_len", &pax_aslr_mmap_len); +TUNABLE_INT("security.pax.aslr.debug", &pax_aslr_debug); +TUNABLE_INT("security.pax.aslr.stack_len", &pax_aslr_stack_len); +TUNABLE_INT("security.pax.aslr.exec_len", &pax_aslr_exec_len); +#ifdef COMPAT_FREEBSD32 +TUNABLE_INT("security.pax.aslr.compat.status", &pax_aslr_compat_status); +TUNABLE_INT("security.pax.aslr.compat.mmap", &pax_aslr_compat_mmap_len); +TUNABLE_INT("security.pax.aslr.compat.stack", &pax_aslr_compat_stack_len); +TUNABLE_INT("security.pax.aslr.compat.stack", &pax_aslr_compat_exec_len); +#endif + + +#ifdef PAX_SYSCTLS +/* + * sysctls and tunables + */ +static int sysctl_pax_aslr_debug(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_status(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_mmap(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_stack(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_exec(SYSCTL_HANDLER_ARGS); + +SYSCTL_DECL(_security_pax); + +SYSCTL_NODE(_security_pax, OID_AUTO, aslr, CTLFLAG_RD, 0, + "Address Space Layout Randomization."); + +SYSCTL_PROC(_security_pax_aslr, OID_AUTO, status, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE, + NULL, 0, sysctl_pax_aslr_status, "I", + "Restrictions status. " + "0 - disabled, " + "1 - opt-in, " + "2 - opt-out, " + "3 - force enabled"); + +SYSCTL_PROC(_security_pax_aslr, OID_AUTO, debug, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE, + NULL, 0, sysctl_pax_aslr_debug, "I", + "ASLR debug mode"); + +SYSCTL_PROC(_security_pax_aslr, OID_AUTO, mmap_len, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE, + NULL, 0, sysctl_pax_aslr_mmap, "I", + "Number of bits randomized for mmap(2) calls. " + "32 bit: [8,16] 64 bit: [16,32]"); + +SYSCTL_PROC(_security_pax_aslr, OID_AUTO, stack_len, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE, + NULL, 0, sysctl_pax_aslr_stack, "I", + "Number of bits randomized for the stack. " + "32 bit: [6,12] 64 bit: [12,21]"); + +SYSCTL_PROC(_security_pax_aslr, OID_AUTO, exec_len, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE, + NULL, 0, sysctl_pax_aslr_exec, "I", + "Number of bits randomized for the PIE exec base. " + "32 bit: [6,12] 64 bit: [12,21]"); + +static int +sysctl_pax_aslr_status(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_status : pax_aslr_status; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || (req->newptr =3D=3D NULL)) + return (err); + + switch (val) { + case PAX_ASLR_DISABLED: + case PAX_ASLR_OPTIN: + case PAX_ASLR_OPTOUT: + case PAX_ASLR_FORCE_ENABLED: + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_status =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_status =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + break; + default: + return (EINVAL); + } + + return (0); +} + +static int +sysctl_pax_aslr_debug(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr=3DNULL; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + if ((pr !=3D NULL) && !(pr->pr_pax_set)) + pax_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_debug : pax_aslr_debug; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + switch (val) { + case 0: + case 1: + break; + default: + return (EINVAL); + + } + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_debug =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_debug =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + + return (0); +} + +static int +sysctl_pax_aslr_mmap(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr=3DNULL; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + if ((pr !=3D NULL) && !(pr->pr_pax_set)) + pax_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_mmap_len : pax_aslr_mmap_len; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_DELTA_MMAP_MIN_LEN || + val > PAX_ASLR_DELTA_MMAP_MAX_LEN) + return (EINVAL); + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_mmap_len =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_mmap_len =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + + return (0); +} + +static int +sysctl_pax_aslr_stack(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr=3DNULL; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + if ((pr !=3D NULL) && !(pr->pr_pax_set)) + pax_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_stack_len : pax_aslr_stack_len; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_DELTA_STACK_MIN_LEN || + val > PAX_ASLR_DELTA_STACK_MAX_LEN) + return (EINVAL); + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_stack_len =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_stack_len =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + + return (0); +} + +static int +sysctl_pax_aslr_exec(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr=3DNULL; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + if ((pr !=3D NULL) && !(pr->pr_pax_set)) + pax_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_exec_len : pax_aslr_exec_len; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || (req->newptr =3D=3D NULL)) + return (err); + + if (val < PAX_ASLR_DELTA_EXEC_MIN_LEN || + val > PAX_ASLR_DELTA_EXEC_MAX_LEN) + return (EINVAL); + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_exec_len =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_exec_len =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + + return (0); +} + +/* + * COMPAT_FREEBSD32 and linuxulator.. + */ +#ifdef COMPAT_FREEBSD32 +static int sysctl_pax_aslr_compat_status(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_compat_mmap(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_compat_stack(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_compat_exec(SYSCTL_HANDLER_ARGS); + +SYSCTL_NODE(_security_pax_aslr, OID_AUTO, compat, CTLFLAG_RD, 0, + "Setting for COMPAT_FREEBSD32 and linuxulator."); + +SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, status, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_compat_status, "I", + "Restrictions status. " + "0 - disabled, " + "1 - enabled, " + "2 - global enabled, " + "3 - force global enabled"); + +SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, mmap_len, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_compat_mmap, "I", + "Number of bits randomized for mmap(2) calls. " + "32 bit: [8,16]"); + +SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, stack_len, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_compat_stack, "I", + "Number of bits randomized for the stack. " + "32 bit: [6,12]"); + +SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, exec_len, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_compat_exec, "I", + "Number of bits randomized for the PIE exec base. " + "32 bit: [6,12]"); + +static int +sysctl_pax_aslr_compat_status(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + val =3D (pr !=3D NULL) ?pr->pr_pax_aslr_compat_status : pax_aslr_compat_s= tatus; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || (req->newptr =3D=3D NULL)) + return (err); + + switch (val) { + case PAX_ASLR_DISABLED: + case PAX_ASLR_OPTIN: + case PAX_ASLR_OPTOUT: + case PAX_ASLR_FORCE_ENABLED: + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_compat_status =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_compat_status =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + break; + default: + return (EINVAL); + } + + return (0); +} + +static int +sysctl_pax_aslr_compat_mmap(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_compat_mmap_len : pax_aslr_compa= t_mmap_len; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN || + val > PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN) + return (EINVAL); + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_compat_mmap_len =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_compat_mmap_len =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + + return (0); +} + +static int +sysctl_pax_aslr_compat_stack(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_compat_stack_len : pax_aslr_comp= at_stack_len; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN || + val > PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN) + return (EINVAL); + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_compat_stack_len =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_compat_stack_len =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + + return (0); +} + +static int +sysctl_pax_aslr_compat_exec(SYSCTL_HANDLER_ARGS) +{ + struct prison *pr; + int err, val; + + pr =3D pax_get_prison(req->td, NULL); + + if (pr !=3D NULL) + val =3D pr->pr_pax_aslr_compat_exec_len; + else + val =3D pax_aslr_compat_exec_len; + + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN || + val > PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN) + return (EINVAL); + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_aslr_compat_exec_len =3D val; + + if (pr !=3D NULL) { + mtx_lock(&(pr->pr_mtx)); + pr->pr_pax_aslr_compat_exec_len =3D val; + mtx_unlock(&(pr->pr_mtx)); + } + + return (0); +} + +#endif /* COMPAT_FREEBSD32 */ +#endif /* PAX_SYSCTLS */ + + +/* + * ASLR functions + */ +bool +pax_aslr_active(struct thread *td, struct proc *proc) +{ + int status; + struct prison *pr; + uint32_t flags; + + if ((td =3D=3D NULL) && (proc =3D=3D NULL)) + return (true); + + pr =3D pax_get_prison(td, proc); + + flags =3D (td !=3D NULL) ? td->td_proc->p_pax : proc->p_pax; + if (((flags & 0xaaaaaaaa) & ((flags & 0x55555555) << 1)) !=3D 0) { + pax_log_aslr(pr, __func__, "inconsistent paxflags: %x\n", flags); + pax_ulog_aslr(pr, NULL, "inconsistent paxflags: %x\n", flags); + return (true); + } + + if (pr !=3D NULL) + status =3D pr->pr_pax_aslr_status; + else + status =3D pax_aslr_status; + + switch (status) { + case PAX_ASLR_DISABLED: + return (false); + case PAX_ASLR_FORCE_ENABLED: + return (true); + case PAX_ASLR_OPTIN: + if ((flags & PAX_NOTE_ASLR) =3D=3D 0) { + pax_log_aslr(pr, __func__, + "ASLR is opt-in, and executable does not have ASLR enabled\n"); + pax_ulog_aslr(pr, NULL, + "ASLR is opt-in, and executable does not have ASLR enabled\n"); + return (false); + } + break; + case PAX_ASLR_OPTOUT: + if ((flags & PAX_NOTE_NOASLR) !=3D 0) { + pax_log_aslr(pr, __func__, + "ASLR is opt-out, and executable explicitly disabled ASLR\n"); + pax_ulog_aslr(pr, NULL, + "ASLR is opt-out, and executable explicitly disabled ASLR\n"); + return (false); + } + break; + default: + return (true); + } + + return (true); +} + +void +_pax_aslr_init(struct vmspace *vm, struct prison *pr) +{ + if (vm =3D=3D NULL) + panic("[PaX ASLR] %s: vm =3D=3D NULL", __func__); + + vm->vm_aslr_delta_mmap =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_DELTA_MMAP_LSB, (pr !=3D NULL) ? + pr->pr_pax_aslr_mmap_len : + pax_aslr_mmap_len); + vm->vm_aslr_delta_stack =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_DELTA_STACK_LSB, (pr !=3D NULL) ? + pr->pr_pax_aslr_stack_len : + pax_aslr_stack_len); + vm->vm_aslr_delta_stack =3D ALIGN(vm->vm_aslr_delta_stack); + vm->vm_aslr_delta_exec =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_DELTA_EXEC_LSB, (pr !=3D NULL) ? + pr->pr_pax_aslr_exec_len : + pax_aslr_exec_len); + + if ((pr !=3D NULL) && pr->pr_pax_aslr_debug) { + pax_log_aslr(pr, __func__, "vm_aslr_delta_mmap=3D%p\n", + (void *) vm->vm_aslr_delta_mmap); + pax_log_aslr(pr, __func__, "vm_aslr_delta_stack=3D%p\n", + (void *) vm->vm_aslr_delta_stack); + pax_log_aslr(pr, __func__, "vm_aslr_delta_exec=3D%p\n", + (void *) vm->vm_aslr_delta_exec); + pax_ulog_aslr(pr, NULL, "vm_aslr_delta_mmap=3D%p\n", + (void *) vm->vm_aslr_delta_mmap); + pax_ulog_aslr(pr, NULL, "vm_aslr_delta_stack=3D%p\n", + (void *) vm->vm_aslr_delta_stack); + pax_ulog_aslr(pr, NULL, "vm_aslr_delta_exec=3D%p\n", + (void *) vm->vm_aslr_delta_exec); + } +} + +#ifdef COMPAT_FREEBSD32 +void +_pax_aslr_init32(struct vmspace *vm, struct prison *pr) +{ + if (vm =3D=3D NULL) + panic("[PaX ASLR] %s: vm =3D=3D NULL", __func__); + + vm->vm_aslr_delta_mmap =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_COMPAT_DELTA_MMAP_LSB, (pr !=3D NULL) ? + pr->pr_pax_aslr_compat_mmap_len : + pax_aslr_compat_mmap_len); + vm->vm_aslr_delta_stack =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_COMPAT_DELTA_STACK_LSB, (pr !=3D NULL) ? + pr->pr_pax_aslr_compat_stack_len : + pax_aslr_compat_stack_len); + vm->vm_aslr_delta_stack =3D ALIGN(vm->vm_aslr_delta_stack); + vm->vm_aslr_delta_exec =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_DELTA_EXEC_LSB, (pr !=3D NULL) ? + pr->pr_pax_aslr_compat_exec_len : + pax_aslr_compat_exec_len); + + if ((pr !=3D NULL) && pr->pr_pax_aslr_debug) { + pax_log_aslr(pr, __func__, "vm_aslr_delta_mmap=3D%p\n", + (void *) vm->vm_aslr_delta_mmap); + pax_log_aslr(pr, __func__, "vm_aslr_delta_stack=3D%p\n", + (void *) vm->vm_aslr_delta_stack); + pax_log_aslr(pr, __func__, "vm_aslr_delta_exec=3D%p\n", + (void *) vm->vm_aslr_delta_exec); + pax_ulog_aslr(pr, NULL, "vm_aslr_delta_mmap=3D%p\n", + (void *) vm->vm_aslr_delta_mmap); + pax_ulog_aslr(pr, NULL, "vm_aslr_delta_stack=3D%p\n", + (void *) vm->vm_aslr_delta_stack); + pax_ulog_aslr(pr, NULL, "vm_aslr_delta_exec=3D%p\n", + (void *) vm->vm_aslr_delta_exec); + } +} +#endif + +void +pax_aslr_init(struct thread *td, struct image_params *imgp) +{ + struct prison *pr; + struct vmspace *vm; + + pr =3D pax_get_prison(td, NULL); + + if (imgp =3D=3D NULL) + panic("[PaX ASLR] %s: imgp =3D=3D NULL", __func__); + + if (!pax_aslr_active(td, NULL)) + return; + + vm =3D imgp->proc->p_vmspace; + + if (imgp->sysent->sv_pax_aslr_init !=3D NULL) + imgp->sysent->sv_pax_aslr_init(vm, pr); +} + +void +pax_aslr_mmap(struct thread *td, vm_offset_t *addr, vm_offset_t orig_addr,= int flags) +{ + struct prison *pr; + + if (!pax_aslr_active(td, NULL)) + return; + + orig_addr =3D *addr; + + pr =3D pax_get_prison(td, NULL); + + if (!(flags & MAP_FIXED) && ((orig_addr =3D=3D 0) || !(flags & MAP_ANON))= ) { + pax_log_aslr(pr, __func__, "applying to %p orig_addr=3D%p flags=3D%x\n", + (void *)*addr, (void *)orig_addr, flags); + + if (!(td->td_proc->p_vmspace->vm_map.flags & MAP_ENTRY_GROWS_DOWN)) + *addr +=3D td->td_proc->p_vmspace->vm_aslr_delta_mmap; + else + *addr -=3D td->td_proc->p_vmspace->vm_aslr_delta_mmap; + pax_log_aslr(pr, __func__, "result %p\n", (void *)*addr); + } else { + pax_log_aslr(pr, __func__, "not applying to %p orig_addr=3D%p flags=3D%x= \n", + (void *)*addr, (void *)orig_addr, flags); + } +} + +void +pax_aslr_stack(struct thread *td, uintptr_t *addr) +{ + struct prison *pr; + uintptr_t orig_addr; + + if (!pax_aslr_active(td, NULL)) + return; + + pr =3D pax_get_prison(td, NULL); + + orig_addr =3D *addr; + *addr -=3D td->td_proc->p_vmspace->vm_aslr_delta_stack; + pax_log_aslr(pr, __func__, "orig_addr=3D%p, new_addr=3D%p\n", + (void *)orig_addr, (void *)*addr); + pax_ulog_aslr(pr, NULL, "orig_addr=3D%p, new_addr=3D%p\n", + (void *)orig_addr, (void *)*addr); +} diff --git a/sys/kern/kern_pax_log.c b/sys/kern/kern_pax_log.c new file mode 100644 index 0000000..943ac81 --- /dev/null +++ b/sys/kern/kern_pax_log.c @@ -0,0 +1,188 @@ +/*- + * Copyright (c) 2014, by Oliver Pinter + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURP= OSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENT= IAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STR= ICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY W= AY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include + +#include +#include +#include +#include +#include +#include +#include +#include + +#define __PAX_LOG_TEMPLATE(SUBJECT, name) \ +void \ +pax_log_##name(struct prison *pr, const char *caller_name, const char* fmt= , ...)\ +{ \ + struct sbuf *sb; \ + va_list args; \ + \ + if ((pr !=3D NULL) && (pr->pr_pax_log_log =3D=3D 0)) \ + return; \ + \ + sb =3D sbuf_new_auto(); \ + if (sb =3D=3D NULL) \ + panic("%s: Could not allocate memory", __func__); \ + sbuf_printf(sb, "[PAX "#SUBJECT"] "); \ + if (caller_name !=3D NULL) \ + sbuf_printf(sb, "%s: ", caller_name); \ + va_start(args, fmt); \ + sbuf_vprintf(sb, fmt, args); \ + va_end(args); \ + if (sbuf_finish(sb) !=3D 0) \ + panic("%s: Could not generate message", __func__); \ + \ + printf("%s", sbuf_data(sb)); \ + sbuf_delete(sb); \ +} \ + \ +void \ +pax_ulog_##name(struct prison *pr, const char *caller_name, const char* fm= t, ...)\ +{ \ + struct sbuf *sb; \ + va_list args; \ + \ + if ((pr !=3D NULL) && (pr->pr_pax_log_ulog =3D=3D 0)) \ + return; \ + \ + sb =3D sbuf_new_auto(); \ + if (sb =3D=3D NULL) \ + panic("%s: Could not allocate memory", __func__); \ + sbuf_printf(sb, "[PAX "#SUBJECT"] "); \ + if (caller_name !=3D NULL) \ + sbuf_printf(sb, "%s: ", caller_name); \ + va_start(args, fmt); \ + sbuf_vprintf(sb, fmt, args); \ + va_end(args); \ + if (sbuf_finish(sb) !=3D 0) \ + panic("%s: Could not generate message", __func__); \ + \ + uprintf("%s", sbuf_data(sb)); \ + sbuf_delete(sb); \ +} + + +static int sysctl_pax_log_log(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_log_ulog(SYSCTL_HANDLER_ARGS); + +int pax_log_log =3D PAX_LOG_LOG; +int pax_log_ulog =3D PAX_LOG_ULOG; + +SYSCTL_DECL(_security_pax); + +SYSCTL_NODE(_security_pax, OID_AUTO, log, CTLFLAG_RD, 0, + "PAX related logging facility."); + +SYSCTL_PROC(_security_pax_log, OID_AUTO, log, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE, + NULL, 0, sysctl_pax_log_log, "I", + "log to syslog " + "0 - disabled, " + "1 - enabled "); +TUNABLE_INT("security.pax.log.log", &pax_log_log); + +SYSCTL_PROC(_security_pax_log, OID_AUTO, ulog, + CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE, + NULL, 0, sysctl_pax_log_ulog, "I", + "log to user terminal" + "0 - disabled, " + "1 - enabled "); +TUNABLE_INT("security.pax.log.ulog", &pax_log_ulog); + +static int +sysctl_pax_log_log(SYSCTL_HANDLER_ARGS) +{ + int err; + int val; + struct prison *pr=3DNULL; + + pr =3D pax_get_prison(req->td, NULL); + + if ((pr !=3D NULL) && !(pr->pr_pax_set)) + pax_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_log_log : pax_log_log; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + switch (val) { + case 0: + case 1: + break; + default: + return (EINVAL); + + } + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_log_log =3D val; + if (pr !=3D NULL) + pr->pr_pax_log_log =3D val; + + return (0); +} + +static int +sysctl_pax_log_ulog(SYSCTL_HANDLER_ARGS) +{ + int err; + int val; + struct prison *pr=3DNULL; + + pr =3D pax_get_prison(req->td, NULL); + + if ((pr !=3D NULL) && !(pr->pr_pax_set)) + pax_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_log_ulog : pax_log_ulog; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + switch (val) { + case 0: + case 1: + break; + default: + return (EINVAL); + + } + + if ((pr =3D=3D NULL) || (pr =3D=3D &prison0)) + pax_log_ulog =3D val; + if (pr !=3D NULL) + pr->pr_pax_log_ulog =3D val; + + return (0); +} + + +__PAX_LOG_TEMPLATE(ASLR, aslr) diff --git a/sys/mips/mips/elf_machdep.c b/sys/mips/mips/elf_machdep.c index d374713..f95ba35 100644 --- a/sys/mips/mips/elf_machdep.c +++ b/sys/mips/mips/elf_machdep.c @@ -28,6 +28,8 @@ #include __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include #include #include @@ -49,6 +51,10 @@ __FBSDID("$FreeBSD$"); #include #include =20 +#ifdef PAX_ASLR +#include +#endif + #ifdef __mips_n64 struct sysentvec elf64_freebsd_sysvec =3D { .sv_size =3D SYS_MAXSYSCALL, @@ -83,6 +89,11 @@ struct sysentvec elf64_freebsd_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D syscallnames, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; =20 static Elf64_Brandinfo freebsd_brand_info =3D { @@ -139,6 +150,11 @@ struct sysentvec elf32_freebsd_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D syscallnames, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init32, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; =20 static Elf32_Brandinfo freebsd_brand_info =3D { diff --git a/sys/mips/mips/freebsd32_machdep.c b/sys/mips/mips/freebsd32_ma= chdep.c index dfdf70f..103ad84 100644 --- a/sys/mips/mips/freebsd32_machdep.c +++ b/sys/mips/mips/freebsd32_machdep.c @@ -31,6 +31,7 @@ */ =20 #include "opt_compat.h" +#include "opt_pax.h" =20 #define __ELF_WORD_SIZE 32 =20 @@ -66,6 +67,10 @@ #include #include =20 +#ifdef PAX_ASLR +#include +#endif + static void freebsd32_exec_setregs(struct thread *, struct image_params *,= u_long); static int get_mcontext32(struct thread *, mcontext32_t *, int); static int set_mcontext32(struct thread *, const mcontext32_t *); @@ -106,6 +111,11 @@ struct sysentvec elf32_freebsd_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D freebsd32_syscallnames, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init32, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec); =20 diff --git a/sys/powerpc/powerpc/elf32_machdep.c b/sys/powerpc/powerpc/elf3= 2_machdep.c index dbe58df..229fe97 100644 --- a/sys/powerpc/powerpc/elf32_machdep.c +++ b/sys/powerpc/powerpc/elf32_machdep.c @@ -25,6 +25,8 @@ * $FreeBSD$ */ =20 +#include "opt_pax.h" + #include #include #include @@ -52,6 +54,10 @@ #include #include =20 +#ifdef PAX_ASLR +#include +#endif + #ifdef __powerpc64__ #include #include @@ -107,6 +113,11 @@ struct sysentvec elf32_freebsd_sysvec =3D { .sv_shared_page_base =3D FREEBSD32_SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init32, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec); =20 diff --git a/sys/powerpc/powerpc/elf64_machdep.c b/sys/powerpc/powerpc/elf6= 4_machdep.c index 0c41a8d..095f37b0 100644 --- a/sys/powerpc/powerpc/elf64_machdep.c +++ b/sys/powerpc/powerpc/elf64_machdep.c @@ -25,6 +25,8 @@ * $FreeBSD$ */ =20 +#include "opt_pax.h" + #include #include #include @@ -48,6 +50,10 @@ #include #include =20 +#ifdef PAX_ASLR +#include +#endif + struct sysentvec elf64_freebsd_sysvec =3D { .sv_size =3D SYS_MAXSYSCALL, .sv_table =3D sysent, @@ -83,6 +89,11 @@ struct sysentvec elf64_freebsd_sysvec =3D { .sv_shared_page_base =3D SHAREDPAGE, .sv_shared_page_len =3D PAGE_SIZE, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; INIT_SYSENTVEC(elf64_sysvec, &elf64_freebsd_sysvec); =20 diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/= mac_bsdextended/mac_bsdextended.c index ccbc525..520168d 100644 --- a/sys/security/mac_bsdextended/mac_bsdextended.c +++ b/sys/security/mac_bsdextended/mac_bsdextended.c @@ -47,6 +47,8 @@ * firewall-like rules regarding users and file system objects. */ =20 +#include "opt_pax.h" + #include #include #include @@ -56,14 +58,20 @@ #include #include #include +#include #include #include #include #include #include #include +#include #include =20 +#ifdef PAX_ASLR +#include +#endif + #include #include #include @@ -117,7 +125,6 @@ SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstma= tch_enabled, static int ugidfw_rule_valid(struct mac_bsdextended_rule *rule) { - if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) !=3D MBS_ALL_FLAGS) return (EINVAL); if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) !=3D MBS_ALL_FLAGS) @@ -129,8 +136,13 @@ ugidfw_rule_valid(struct mac_bsdextended_rule *rule) if ((rule->mbr_object.mbo_neg | MBO_TYPE_DEFINED) && (rule->mbr_object.mbo_type | MBO_ALL_TYPE) !=3D MBO_ALL_TYPE) return (EINVAL); +#ifdef PAX_ASLR + if ((rule->mbr_pax | MBI_ALLPAX) !=3D MBI_ALLPAX) + return (EINVAL); +#endif if ((rule->mbr_mode | MBI_ALLPERM) !=3D MBI_ALLPERM) return (EINVAL); + return (0); } =20 @@ -227,7 +239,7 @@ ugidfw_destroy(struct mac_policy_conf *mpc) =20 static int ugidfw_rulecheck(struct mac_bsdextended_rule *rule, - struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode) + struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode,= struct image_params *imgp) { int mac_granted, match, priv_granted; int i; @@ -305,6 +317,10 @@ ugidfw_rulecheck(struct mac_bsdextended_rule *rule, match =3D (bcmp(&(vp->v_mount->mnt_stat.f_fsid), &(rule->mbr_object.mbo_fsid), sizeof(rule->mbr_object.mbo_fsid)) =3D=3D 0); +#if defined(PAX_ASLR) + if (match && rule->mbr_object.mbo_inode) + match =3D (vap->va_fileid =3D=3D rule->mbr_object.mbo_inode); +#endif if (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED) match =3D !match; if (!match) @@ -413,6 +429,11 @@ ugidfw_rulecheck(struct mac_bsdextended_rule *rule, return (EACCES); } =20 +#ifdef PAX_ASLR + if (imgp !=3D NULL) + pax_elf(imgp, rule->mbr_pax); +#endif + /* * If the rule matched, permits access, and first match is enabled, * return success. @@ -425,7 +446,7 @@ ugidfw_rulecheck(struct mac_bsdextended_rule *rule, =20 int ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap, - int acc_mode) + int acc_mode, struct image_params *imgp) { int error, i; =20 @@ -441,7 +462,7 @@ ugidfw_check(struct ucred *cred, struct vnode *vp, stru= ct vattr *vap, if (rules[i] =3D=3D NULL) continue; error =3D ugidfw_rulecheck(rules[i], cred, - vp, vap, acc_mode); + vp, vap, acc_mode, imgp); if (error =3D=3D EJUSTRETURN) break; if (error) { @@ -454,7 +475,7 @@ ugidfw_check(struct ucred *cred, struct vnode *vp, stru= ct vattr *vap, } =20 int -ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode) +ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode, struct= image_params *imgp) { int error; struct vattr vap; @@ -464,7 +485,7 @@ ugidfw_check_vp(struct ucred *cred, struct vnode *vp, i= nt acc_mode) error =3D VOP_GETATTR(vp, &vap, cred); if (error) return (error); - return (ugidfw_check(cred, vp, &vap, acc_mode)); + return (ugidfw_check(cred, vp, &vap, acc_mode, imgp)); } =20 int diff --git a/sys/security/mac_bsdextended/mac_bsdextended.h b/sys/security/= mac_bsdextended/mac_bsdextended.h index c09abc0..c3cbf28 100644 --- a/sys/security/mac_bsdextended/mac_bsdextended.h +++ b/sys/security/mac_bsdextended/mac_bsdextended.h @@ -51,6 +51,9 @@ #define MBI_ADMIN 010000 #define MBI_STAT 020000 #define MBI_APPEND 040000 +#define MBI_FORCE_ASLR_ENABLED 0x01 +#define MBI_FORCE_ASLR_DISABLED 0x02 +#define MBI_ALLPAX (MBI_FORCE_ASLR_ENABLED | MBI_FORCE_ASLR_DISABLED) #define MBI_ALLPERM (MBI_EXEC | MBI_WRITE | MBI_READ | MBI_ADMIN | \ MBI_STAT | MBI_APPEND) =20 @@ -78,6 +81,7 @@ struct mac_bsdextended_subject { #define MBO_UID_SUBJECT 0x00000020 /* uid must match subject */ #define MBO_GID_SUBJECT 0x00000040 /* gid must match subject */ #define MBO_TYPE_DEFINED 0x00000080 /* object type should be matched */ +#define MBO_PAXPATH_DEFINED 0x00000100 /* TODO: paxpath should be matched = */ =20 #define MBO_ALL_FLAGS (MBO_UID_DEFINED | MBO_GID_DEFINED | MBO_FSID_DEFINE= D | \ MBO_SUID | MBO_SGID | MBO_UID_SUBJECT | MBO_GID_SUBJECT | \ @@ -103,12 +107,15 @@ struct mac_bsdextended_object { gid_t mbo_gid_max; struct fsid mbo_fsid; int mbo_type; + ino_t mbo_inode; + char mbo_paxpath[MAXPATHLEN]; }; =20 struct mac_bsdextended_rule { struct mac_bsdextended_subject mbr_subject; struct mac_bsdextended_object mbr_object; mode_t mbr_mode; /* maximum access */ + uint32_t mbr_pax; }; =20 #endif /* _SYS_SECURITY_MAC_BSDEXTENDED_H */ diff --git a/sys/security/mac_bsdextended/ugidfw_internal.h b/sys/security/= mac_bsdextended/ugidfw_internal.h index 5597fd1..18c74dc 100644 --- a/sys/security/mac_bsdextended/ugidfw_internal.h +++ b/sys/security/mac_bsdextended/ugidfw_internal.h @@ -36,8 +36,9 @@ */ int ugidfw_accmode2mbi(accmode_t accmode); int ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap, - int acc_mode); -int ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode); + int acc_mode, struct image_params *imgp); +int ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode, + struct image_params *imgp); =20 /* * System access control checks. diff --git a/sys/security/mac_bsdextended/ugidfw_system.c b/sys/security/ma= c_bsdextended/ugidfw_system.c index 49e4f1d..2829a00 100644 --- a/sys/security/mac_bsdextended/ugidfw_system.c +++ b/sys/security/mac_bsdextended/ugidfw_system.c @@ -66,7 +66,7 @@ ugidfw_system_check_acct(struct ucred *cred, struct vnode= *vp, { =20 if (vp !=3D NULL) - return (ugidfw_check_vp(cred, vp, MBI_WRITE)); + return (ugidfw_check_vp(cred, vp, MBI_WRITE, NULL)); else return (0); } @@ -77,7 +77,7 @@ ugidfw_system_check_auditctl(struct ucred *cred, struct v= node *vp, { =20 if (vp !=3D NULL) - return (ugidfw_check_vp(cred, vp, MBI_WRITE)); + return (ugidfw_check_vp(cred, vp, MBI_WRITE, NULL)); else return (0); } @@ -87,5 +87,5 @@ ugidfw_system_check_swapon(struct ucred *cred, struct vno= de *vp, struct label *vplabel) { =20 - return (ugidfw_check_vp(cred, vp, MBI_WRITE)); + return (ugidfw_check_vp(cred, vp, MBI_WRITE, NULL)); } diff --git a/sys/security/mac_bsdextended/ugidfw_vnode.c b/sys/security/mac= _bsdextended/ugidfw_vnode.c index 8ec2d48..2065e6e 100644 --- a/sys/security/mac_bsdextended/ugidfw_vnode.c +++ b/sys/security/mac_bsdextended/ugidfw_vnode.c @@ -65,7 +65,7 @@ ugidfw_vnode_check_access(struct ucred *cred, struct vnod= e *vp, struct label *vplabel, accmode_t accmode) { =20 - return (ugidfw_check_vp(cred, vp, ugidfw_accmode2mbi(accmode))); + return (ugidfw_check_vp(cred, vp, ugidfw_accmode2mbi(accmode), NULL)); } =20 int @@ -73,7 +73,7 @@ ugidfw_vnode_check_chdir(struct ucred *cred, struct vnode= *dvp, struct label *dvplabel) { =20 - return (ugidfw_check_vp(cred, dvp, MBI_EXEC)); + return (ugidfw_check_vp(cred, dvp, MBI_EXEC, NULL)); } =20 int @@ -81,7 +81,7 @@ ugidfw_vnode_check_chroot(struct ucred *cred, struct vnod= e *dvp, struct label *dvplabel) { =20 - return (ugidfw_check_vp(cred, dvp, MBI_EXEC)); + return (ugidfw_check_vp(cred, dvp, MBI_EXEC, NULL)); } =20 int @@ -89,7 +89,7 @@ ugidfw_check_create_vnode(struct ucred *cred, struct vnod= e *dvp, struct label *dvplabel, struct componentname *cnp, struct vattr *vap) { =20 - return (ugidfw_check_vp(cred, dvp, MBI_WRITE)); + return (ugidfw_check_vp(cred, dvp, MBI_WRITE, NULL)); } =20 int @@ -97,7 +97,7 @@ ugidfw_vnode_check_deleteacl(struct ucred *cred, struct v= node *vp, struct label *vplabel, acl_type_t type) { =20 - return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); + return (ugidfw_check_vp(cred, vp, MBI_ADMIN, NULL)); } =20 int @@ -105,7 +105,7 @@ ugidfw_vnode_check_deleteextattr(struct ucred *cred, st= ruct vnode *vp, struct label *vplabel, int attrnamespace, const char *name) { =20 - return (ugidfw_check_vp(cred, vp, MBI_WRITE)); + return (ugidfw_check_vp(cred, vp, MBI_WRITE, NULL)); } =20 int @@ -114,7 +114,7 @@ ugidfw_vnode_check_exec(struct ucred *cred, struct vnod= e *vp, struct label *execlabel) { =20 - return (ugidfw_check_vp(cred, vp, MBI_READ|MBI_EXEC)); + return (ugidfw_check_vp(cred, vp, MBI_READ|MBI_EXEC, imgp)); } =20 int @@ -122,7 +122,7 @@ ugidfw_vnode_check_getacl(struct ucred *cred, struct vn= ode *vp, struct label *vplabel, acl_type_t type) { =20 - return (ugidfw_check_vp(cred, vp, MBI_STAT)); + return (ugidfw_check_vp(cred, vp, MBI_STAT, NULL)); } =20 int @@ -130,7 +130,7 @@ ugidfw_vnode_check_getextattr(struct ucred *cred, struc= t vnode *vp, struct label *vplabel, int attrnamespace, const char *name) { =20 - return (ugidfw_check_vp(cred, vp, MBI_READ)); + return (ugidfw_check_vp(cred, vp, MBI_READ, NULL)); } =20 int @@ -140,10 +140,10 @@ ugidfw_vnode_check_link(struct ucred *cred, struct vn= ode *dvp, { int error; =20 - error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE); + error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE, NULL); if (error) return (error); - error =3D ugidfw_check_vp(cred, vp, MBI_WRITE); + error =3D ugidfw_check_vp(cred, vp, MBI_WRITE, NULL); if (error) return (error); return (0); @@ -154,7 +154,7 @@ ugidfw_vnode_check_listextattr(struct ucred *cred, stru= ct vnode *vp, struct label *vplabel, int attrnamespace) { =20 - return (ugidfw_check_vp(cred, vp, MBI_READ)); + return (ugidfw_check_vp(cred, vp, MBI_READ, NULL)); } =20 int @@ -162,7 +162,7 @@ ugidfw_vnode_check_lookup(struct ucred *cred, struct vn= ode *dvp, struct label *dvplabel, struct componentname *cnp) { =20 - return (ugidfw_check_vp(cred, dvp, MBI_EXEC)); + return (ugidfw_check_vp(cred, dvp, MBI_EXEC, NULL)); } =20 int @@ -170,7 +170,7 @@ ugidfw_vnode_check_open(struct ucred *cred, struct vnod= e *vp, struct label *vplabel, accmode_t accmode) { =20 - return (ugidfw_check_vp(cred, vp, ugidfw_accmode2mbi(accmode))); + return (ugidfw_check_vp(cred, vp, ugidfw_accmode2mbi(accmode), NULL)); } =20 int @@ -178,7 +178,7 @@ ugidfw_vnode_check_readdir(struct ucred *cred, struct v= node *dvp, struct label *dvplabel) { =20 - return (ugidfw_check_vp(cred, dvp, MBI_READ)); + return (ugidfw_check_vp(cred, dvp, MBI_READ, NULL)); } =20 int @@ -186,7 +186,7 @@ ugidfw_vnode_check_readdlink(struct ucred *cred, struct= vnode *vp, struct label *vplabel) { =20 - return (ugidfw_check_vp(cred, vp, MBI_READ)); + return (ugidfw_check_vp(cred, vp, MBI_READ, NULL)); } =20 int @@ -196,10 +196,10 @@ ugidfw_vnode_check_rename_from(struct ucred *cred, st= ruct vnode *dvp, { int error; =20 - error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE); + error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE, NULL); if (error) return (error); - return (ugidfw_check_vp(cred, vp, MBI_WRITE)); + return (ugidfw_check_vp(cred, vp, MBI_WRITE, NULL)); } =20 int @@ -209,11 +209,11 @@ ugidfw_vnode_check_rename_to(struct ucred *cred, stru= ct vnode *dvp, { int error; =20 - error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE); + error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE, NULL); if (error) return (error); if (vp !=3D NULL) - error =3D ugidfw_check_vp(cred, vp, MBI_WRITE); + error =3D ugidfw_check_vp(cred, vp, MBI_WRITE, NULL); return (error); } =20 @@ -222,7 +222,7 @@ ugidfw_vnode_check_revoke(struct ucred *cred, struct vn= ode *vp, struct label *vplabel) { =20 - return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); + return (ugidfw_check_vp(cred, vp, MBI_ADMIN, NULL)); } =20 int @@ -230,7 +230,7 @@ ugidfw_check_setacl_vnode(struct ucred *cred, struct vn= ode *vp, struct label *vplabel, acl_type_t type, struct acl *acl) { =20 - return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); + return (ugidfw_check_vp(cred, vp, MBI_ADMIN, NULL)); } =20 int @@ -238,7 +238,7 @@ ugidfw_vnode_check_setextattr(struct ucred *cred, struc= t vnode *vp, struct label *vplabel, int attrnamespace, const char *name) { =20 - return (ugidfw_check_vp(cred, vp, MBI_WRITE)); + return (ugidfw_check_vp(cred, vp, MBI_WRITE, NULL)); } =20 int @@ -246,7 +246,7 @@ ugidfw_vnode_check_setflags(struct ucred *cred, struct = vnode *vp, struct label *vplabel, u_long flags) { =20 - return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); + return (ugidfw_check_vp(cred, vp, MBI_ADMIN, NULL)); } =20 int @@ -254,7 +254,7 @@ ugidfw_vnode_check_setmode(struct ucred *cred, struct v= node *vp, struct label *vplabel, mode_t mode) { =20 - return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); + return (ugidfw_check_vp(cred, vp, MBI_ADMIN, NULL)); } =20 int @@ -262,7 +262,7 @@ ugidfw_vnode_check_setowner(struct ucred *cred, struct = vnode *vp, struct label *vplabel, uid_t uid, gid_t gid) { =20 - return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); + return (ugidfw_check_vp(cred, vp, MBI_ADMIN, NULL)); } =20 int @@ -270,7 +270,7 @@ ugidfw_vnode_check_setutimes(struct ucred *cred, struct= vnode *vp, struct label *vplabel, struct timespec atime, struct timespec utime) { =20 - return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); + return (ugidfw_check_vp(cred, vp, MBI_ADMIN, NULL)); } =20 int @@ -278,7 +278,7 @@ ugidfw_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { =20 - return (ugidfw_check_vp(active_cred, vp, MBI_STAT)); + return (ugidfw_check_vp(active_cred, vp, MBI_STAT, NULL)); } =20 int @@ -288,8 +288,8 @@ ugidfw_vnode_check_unlink(struct ucred *cred, struct vn= ode *dvp, { int error; =20 - error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE); + error =3D ugidfw_check_vp(cred, dvp, MBI_WRITE, NULL); if (error) return (error); - return (ugidfw_check_vp(cred, vp, MBI_WRITE)); + return (ugidfw_check_vp(cred, vp, MBI_WRITE, NULL)); } diff --git a/sys/sparc64/sparc64/elf_machdep.c b/sys/sparc64/sparc64/elf_ma= chdep.c index 4d55717..e0eba33 100644 --- a/sys/sparc64/sparc64/elf_machdep.c +++ b/sys/sparc64/sparc64/elf_machdep.c @@ -34,6 +34,8 @@ #include __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include #include #include @@ -52,6 +54,10 @@ __FBSDID("$FreeBSD$"); =20 #include =20 +#ifdef PAX_ASLR +#include +#endif + #include "linker_if.h" =20 static struct sysentvec elf64_freebsd_sysvec =3D { @@ -87,6 +93,11 @@ static struct sysentvec elf64_freebsd_sysvec =3D { .sv_fetch_syscall_args =3D cpu_fetch_syscall_args, .sv_syscallnames =3D syscallnames, .sv_schedtail =3D NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init =3D _pax_aslr_init, +#else + .sv_pax_aslr_init =3D NULL, +#endif }; =20 static Elf64_Brandinfo freebsd_brand_info =3D { diff --git a/sys/sys/imgact.h b/sys/sys/imgact.h index 17cfcc2..15c2c4f 100644 --- a/sys/sys/imgact.h +++ b/sys/sys/imgact.h @@ -78,6 +78,7 @@ struct image_params { unsigned long pagesizes; int pagesizeslen; vm_prot_t stack_prot; + int pax_flags; }; =20 #ifdef _KERNEL diff --git a/sys/sys/jail.h b/sys/sys/jail.h index 59d791c..699b21c 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h @@ -184,6 +184,19 @@ struct prison { char pr_hostname[MAXHOSTNAMELEN]; /* (p) jail hostname */ char pr_domainname[MAXHOSTNAMELEN]; /* (p) jail domainname */ char pr_hostuuid[HOSTUUIDLEN]; /* (p) jail hostuuid */ + /* Lock only needed for pax_* if pr_pax_set =3D=3D 0 */ + int pr_pax_set; /* (p) PaX settings initialized */ + int pr_pax_aslr_status; /* (p) PaX ASLR enabled */ + int pr_pax_aslr_debug; /* (p) PaX ASLR debug */ + int pr_pax_aslr_mmap_len; /* (p) Number of bits randomized with mmap */ + int pr_pax_aslr_stack_len; /* (p) Number of bits randomized with stack= */ + int pr_pax_aslr_exec_len; /* (p) Number of bits randomized with the ex= ecbase */ + int pr_pax_aslr_compat_status; /* (p) PaX ASLR enabled (compat32) */ + int pr_pax_aslr_compat_mmap_len; /* (p) Number of bits randomized with = mmap (compat32) */ + int pr_pax_aslr_compat_stack_len; /* (p) Number of bits randomized with= stack (compat32) */ + int pr_pax_aslr_compat_exec_len; /* (p) Number of bits randomized with = the execbase (compat32) */ + int pr_pax_log_log; /* (p) XXX */ + int pr_pax_log_ulog; /* (p) XXX */ }; =20 struct prison_racct { diff --git a/sys/sys/kernel.h b/sys/sys/kernel.h index 3c5258a..aedb52e 100644 --- a/sys/sys/kernel.h +++ b/sys/sys/kernel.h @@ -102,6 +102,7 @@ enum sysinit_sub_id { SI_SUB_WITNESS =3D 0x1A80000, /* witness initialization */ SI_SUB_MTX_POOL_DYNAMIC =3D 0x1AC0000, /* dynamic mutex pool */ SI_SUB_LOCK =3D 0x1B00000, /* various locks */ + SI_SUB_PAX =3D 0x1B50000, /* pax setup */ SI_SUB_EVENTHANDLER =3D 0x1C00000, /* eventhandler init */ SI_SUB_VNET_PRELINK =3D 0x1E00000, /* vnet init before modules */ SI_SUB_KLD =3D 0x2000000, /* KLD and module setup */ diff --git a/sys/sys/pax.h b/sys/sys/pax.h new file mode 100644 index 0000000..a0f2bf6 --- /dev/null +++ b/sys/sys/pax.h @@ -0,0 +1,226 @@ +/*- + * Copyright (c) 2006 Elad Efrat + * Copyright (c) 2013-2014, by Oliver Pinter + * Copyright (c) 2014, by Shawn Webb + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTI= ES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF US= E, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef __SYS_PAX_H +#define __SYS_PAX_H + +struct image_params; +struct prison; +struct thread; +struct vnode; +struct vmspace; +struct vm_offset_t; + +/* + * used in sysctl handler + */ +#define PAX_ASLR_DISABLED 0 +#define PAX_ASLR_OPTIN 1 +#define PAX_ASLR_OPTOUT 2 +#define PAX_ASLR_FORCE_ENABLED 3 + +#ifndef PAX_ASLR_DELTA +#define PAX_ASLR_DELTA(delta, lsb, len) \ + (((delta) & ((1UL << (len)) - 1)) << (lsb)) +#endif /* PAX_ASLR_DELTA */ + +#ifdef PAX_ASLR +/* + * generic ASLR values + * + * MMAP | 32 bit | 64 bit | + * +-------+--------+--------+ + * | MIN | 8 bit | 16 bit | + * +-------+--------+--------+ + * | DEF | 8 bit | 21 bit | + * +-------+--------+--------+ + * | MAX | 16 bit | 32 bit | + * +-------+--------+--------+ + * + * STACK | 32 bit | 64 bit | + * +-------+--------+--------+ + * | MIN | 6 bit | 12 bit | + * +-------+--------+--------+ + * | DEF | 6 bit | 16 bit | + * +-------+--------+--------+ + * | MAX | 10 bit | 21 bit | + * +-------+--------+--------+ + * + * EXEC | 32 bit | 64 bit | + * +-------+--------+--------+ + * | MIN | 6 bit | 12 bit | + * +-------+--------+--------+ + * | DEF | 6 bit | 21 bit | + * +-------+--------+--------+ + * | MAX | 10 bit | 21 bit | + * +-------+--------+--------+ + * + */ +#ifndef PAX_ASLR_DELTA_MMAP_LSB +#define PAX_ASLR_DELTA_MMAP_LSB PAGE_SHIFT +#endif /* PAX_ASLR_DELTA_MMAP_LSB */ + +#ifndef PAX_ASLR_DELTA_MMAP_MIN_LEN +#define PAX_ASLR_DELTA_MMAP_MIN_LEN ((sizeof(void *) * NBBY) / 4) +#endif /* PAX_ASLR_DELTA_MMAP_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_MMAP_MAX_LEN +#define PAX_ASLR_DELTA_MMAP_MAX_LEN ((sizeof(void *) * NBBY) / 2) +#endif /* PAX_ASLR_DELTA_MMAP_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_STACK_LSB +#define PAX_ASLR_DELTA_STACK_LSB 3 +#endif /* PAX_ASLR_DELTA_STACK_LSB */ + +#ifndef PAX_ASLR_DELTA_STACK_MIN_LEN +#define PAX_ASLR_DELTA_STACK_MIN_LEN ((sizeof(void *) * NBBY) / 5) +#endif /* PAX_ASLR_DELTA_STACK_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_STACK_MAX_LEN +#define PAX_ASLR_DELTA_STACK_MAX_LEN ((sizeof(void *) * NBBY) / 3) +#endif /* PAX_ASLR_DELTA_STACK_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_EXEC_LSB +#define PAX_ASLR_DELTA_EXEC_LSB PAGE_SHIFT +#endif /* PAX_ASLR_DELTA_EXEC_LSB */ + +#ifndef PAX_ASLR_DELTA_EXEC_MIN_LEN +#define PAX_ASLR_DELTA_EXEC_MIN_LEN ((sizeof(void *) * NBBY) / 5) +#endif /* PAX_ASLR_DELTA_EXEC_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_EXEC_MAX_LEN +#define PAX_ASLR_DELTA_EXEC_MAX_LEN ((sizeof(void *) * NBBY) / 3) +#endif /* PAX_ASLR_DELTA_EXEC_MAX_LEN */ + +/* + * ASLR default values for native host + */ +#ifdef __amd64__ +#ifndef PAX_ASLR_DELTA_MMAP_DEF_LEN +#define PAX_ASLR_DELTA_MMAP_DEF_LEN 21 +#endif /* PAX_ASLR_DELTA_MMAP_DEF_LEN */ +#ifndef PAX_ASLR_DELTA_STACK_DEF_LEN +#define PAX_ASLR_DELTA_STACK_DEF_LEN 16 +#endif /* PAX_ASLR_DELTA_STACK_DEF_LEN */ +#ifndef PAX_ASLR_DELTA_EXEC_DEF_LEN +#define PAX_ASLR_DELTA_EXEC_DEF_LEN 21 +#endif /* PAX_ASLR_DELTA_EXEC_DEF_LEN */ +#else +#ifndef PAX_ASLR_DELTA_MMAP_DEF_LEN +#define PAX_ASLR_DELTA_MMAP_DEF_LEN PAX_ASLR_DELTA_MMAP_MIN_LEN +#endif /* PAX_ASLR_DELTA_MMAP_DEF_LEN */ +#ifndef PAX_ASLR_DELTA_STACK_DEF_LEN +#define PAX_ASLR_DELTA_STACK_DEF_LEN PAX_ASLR_DELTA_STACK_MIN_LEN +#endif /* PAX_ASLR_DELTA_STACK_DEF_LEN */ +#ifndef PAX_ASLR_DELTA_EXEC_DEF_LEN +#define PAX_ASLR_DELTA_EXEC_DEF_LEN PAX_ASLR_DELTA_EXEC_MIN_LEN +#endif /* PAX_ASLR_DELTA_EXEC_DEF_LEN */ +#endif /* __amd64__ */ + +/* + * ASLR values for COMPAT_FREEBSD32 and COMPAT_LINUX + */ +#ifndef PAX_ASLR_COMPAT_DELTA_MMAP_LSB +#define PAX_ASLR_COMPAT_DELTA_MMAP_LSB PAGE_SHIFT +#endif /* PAX_ASLR_COMPAT_DELTA_MMAP_LSB */ + +#ifndef PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN +#define PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN ((sizeof(int) * NBBY) / 4) +#endif /* PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN +#define PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN ((sizeof(int) * NBBY) / 2) +#endif /* PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_STACK_LSB +#define PAX_ASLR_COMPAT_DELTA_STACK_LSB 3 +#endif /* PAX_ASLR_COMPAT_DELTA_STACK_LSB */ + +#ifndef PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN +#define PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN ((sizeof(int) * NBBY) / 5) +#endif /* PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN +#define PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN ((sizeof(int) * NBBY) / 3) +#endif /* PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN +#define PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN ((sizeof(int) * NBBY) / 5) +#endif /* PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN +#define PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN ((sizeof(int) * NBBY) / 3) +#endif /* PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN */ + +extern int pax_aslr_status; +extern int pax_aslr_debug; + +extern int pax_aslr_mmap_len; +extern int pax_aslr_stack_len; +extern int pax_aslr_exec_len; +#ifdef COMPAT_FREEBSD32 +extern int pax_aslr_compat_status; +extern int pax_aslr_compat_mmap_len; +extern int pax_aslr_compat_stack_len; +extern int pax_aslr_compat_exec_len; +#endif /* COMPAT_FREEBSD32 */ +#endif /* PAX_ASLR */ + +extern int pax_log_log; +extern int pax_log_ulog; + +#define ELF_NOTE_TYPE_PAX_TAG 3 +#define PAX_NOTE_MPROTECT 0x01 +#define PAX_NOTE_NOMPROTECT 0x02 +#define PAX_NOTE_GUARD 0x04 +#define PAX_NOTE_NOGUARD 0x08 +#define PAX_NOTE_ASLR 0x10 +#define PAX_NOTE_NOASLR 0x20 + +#define PAX_LOG_LOG 0 +#define PAX_LOG_ULOG 0 + +void pax_init(void); +void pax_init_prison(struct prison *pr); +bool pax_aslr_active(struct thread *td, struct proc *proc); +void _pax_aslr_init(struct vmspace *vm, struct prison *pr); +void _pax_aslr_init32(struct vmspace *vm, struct prison *pr); +void pax_aslr_init(struct thread *td, struct image_params *imgp); +void pax_aslr_mmap(struct thread *td, vm_offset_t *addr,=20 + vm_offset_t orig_addr, int flags); +void pax_aslr_stack(struct thread *td, uintptr_t *addr); +struct prison *pax_get_prison(struct thread *td, struct proc *proc); +void pax_elf(struct image_params *, uint32_t); + +void pax_log_aslr(struct prison *pr, const char *func, const char *fmt, ..= =2E); +void pax_ulog_aslr(struct prison *pr, const char *func, const char *fmt, .= =2E.); + +#endif /* __SYS_PAX_H */ diff --git a/sys/sys/proc.h b/sys/sys/proc.h index fbd064c..558d7bf 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -539,6 +539,7 @@ struct proc { u_int p_stops; /* (c) Stop event bitmask. */ u_int p_stype; /* (c) Stop event type. */ char p_step; /* (c) Process is stopped. */ + u_int p_pax; /* (b) PaX is enabled to this process */ u_char p_pfsflags; /* (c) Procfs flags. */ struct nlminfo *p_nlminfo; /* (?) Only used by/for lockd. */ struct kaioinfo *p_aioinfo; /* (y) ASYNC I/O info. */ diff --git a/sys/sys/sysent.h b/sys/sys/sysent.h index c49db41..cfbcdc0 100644 --- a/sys/sys/sysent.h +++ b/sys/sys/sysent.h @@ -77,9 +77,11 @@ struct sysent { /* system call table */ #define SY_THR_INCR 0x8 =20 struct image_params; +struct prison; struct __sigset; struct syscall_args; struct trapframe; +struct vmspace; struct vnode; =20 struct sysentvec { @@ -130,6 +132,7 @@ struct sysentvec { uint32_t sv_timekeep_gen; void *sv_shared_page_obj; void (*sv_schedtail)(struct thread *); + void (*sv_pax_aslr_init)(struct vmspace *vm, struct prison *pr); }; =20 #define SV_ILP32 0x000100 diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c index d8ba33f..4ba8106 100644 --- a/sys/vm/vm_map.c +++ b/sys/vm/vm_map.c @@ -65,6 +65,8 @@ #include __FBSDID("$FreeBSD$"); =20 +#include "opt_pax.h" + #include #include #include @@ -292,6 +294,12 @@ vmspace_alloc(vm_offset_t min, vm_offset_t max, pmap_p= init_t pinit) vm->vm_taddr =3D 0; vm->vm_daddr =3D 0; vm->vm_maxsaddr =3D 0; +#ifdef PAX_ASLR + vm->vm_aslr_delta_mmap =3D 0; + vm->vm_aslr_delta_stack =3D 0; + vm->vm_aslr_delta_exec =3D 0; +#endif + return (vm); } =20 diff --git a/sys/vm/vm_map.h b/sys/vm/vm_map.h index 8cced05..e8e9ffe 100644 --- a/sys/vm/vm_map.h +++ b/sys/vm/vm_map.h @@ -241,6 +241,9 @@ struct vmspace { caddr_t vm_taddr; /* (c) user virtual address of text */ caddr_t vm_daddr; /* (c) user virtual address of data */ caddr_t vm_maxsaddr; /* user VA at max stack growth */ + vm_size_t vm_aslr_delta_mmap; /* mmap() random delta for ASLR */ + vm_size_t vm_aslr_delta_stack; /* stack random delta for ASLR */ + vm_size_t vm_aslr_delta_exec; /* exec base random delta for ASLR */ volatile int vm_refcnt; /* number of references */ /* * Keep the PMAP last, so that CPU-specific variations of that diff --git a/sys/vm/vm_mmap.c b/sys/vm/vm_mmap.c index a524839..fd8876e 100644 --- a/sys/vm/vm_mmap.c +++ b/sys/vm/vm_mmap.c @@ -45,6 +45,7 @@ __FBSDID("$FreeBSD$"); =20 #include "opt_compat.h" #include "opt_hwpmc_hooks.h" +#include "opt_pax.h" =20 #include #include @@ -91,6 +92,10 @@ __FBSDID("$FreeBSD$"); #include #endif =20 +#ifdef PAX_ASLR +#include +#endif + int old_mlock =3D 0; SYSCTL_INT(_vm, OID_AUTO, old_mlock, CTLFLAG_RW | CTLFLAG_TUN, &old_mlock,= 0, "Do not apply RLIMIT_MEMLOCK on mlockall"); @@ -203,6 +208,9 @@ sys_mmap(td, uap) struct file *fp; struct vnode *vp; vm_offset_t addr; +#ifdef PAX_ASLR + vm_offset_t orig_addr; +#endif vm_size_t size, pageoff; vm_prot_t cap_maxprot, prot, maxprot; void *handle; @@ -213,6 +221,9 @@ sys_mmap(td, uap) cap_rights_t rights; =20 addr =3D (vm_offset_t) uap->addr; +#ifdef PAX_ASLR + orig_addr =3D addr; +#endif size =3D uap->len; prot =3D uap->prot & VM_PROT_ALL; flags =3D uap->flags; @@ -416,6 +427,9 @@ sys_mmap(td, uap) map: td->td_fpop =3D fp; maxprot &=3D cap_maxprot; +#ifdef PAX_ASLR + pax_aslr_mmap(td, &addr, orig_addr, flags); +#endif error =3D vm_mmap(&vms->vm_map, &addr, size, prot, maxprot, flags, handle_type, handle, pos); td->td_fpop =3D NULL; diff --git a/tools/build/options/WITHOUT_PIE b/tools/build/options/WITHOUT_= PIE new file mode 100644 index 0000000..82019ce --- /dev/null +++ b/tools/build/options/WITHOUT_PIE @@ -0,0 +1 @@ +Enable building of Position-Independent Executables (PIEs). diff --git a/usr.sbin/ugidfw/ugidfw.c b/usr.sbin/ugidfw/ugidfw.c index 977922a..515df16 100644 --- a/usr.sbin/ugidfw/ugidfw.c +++ b/usr.sbin/ugidfw/ugidfw.c @@ -46,6 +46,8 @@ __FBSDID("$FreeBSD$"); #include #include =20 +#define UGIDFW_BUFSIZ (BUFSIZ*2) + void add_rule(int argc, char *argv[]); void list_rules(void); void remove_rule(int argc, char *argv[]); @@ -71,22 +73,22 @@ usage(void) void add_rule(int argc, char *argv[]) { - char errstr[BUFSIZ], charstr[BUFSIZ]; + char errstr[UGIDFW_BUFSIZ], charstr[UGIDFW_BUFSIZ]; struct mac_bsdextended_rule rule; int error, rulenum; =20 - error =3D bsde_parse_rule(argc, argv, &rule, BUFSIZ, errstr); + error =3D bsde_parse_rule(argc, argv, &rule, UGIDFW_BUFSIZ, errstr); if (error) { warnx("%s", errstr); return; } =20 - error =3D bsde_add_rule(&rulenum, &rule, BUFSIZ, errstr); + error =3D bsde_add_rule(&rulenum, &rule, UGIDFW_BUFSIZ, errstr); if (error) { warnx("%s", errstr); return; } - if (bsde_rule_to_string(&rule, charstr, BUFSIZ) =3D=3D -1) + if (bsde_rule_to_string(&rule, charstr, UGIDFW_BUFSIZ) =3D=3D -1) warnx("Added rule, but unable to print string."); else printf("%d %s\n", rulenum, charstr); @@ -95,25 +97,25 @@ add_rule(int argc, char *argv[]) void list_rules(void) { - char errstr[BUFSIZ], charstr[BUFSIZ]; + char errstr[UGIDFW_BUFSIZ], charstr[UGIDFW_BUFSIZ]; struct mac_bsdextended_rule rule; int error, i, rule_count, rule_slots; =20 - rule_slots =3D bsde_get_rule_slots(BUFSIZ, errstr); + rule_slots =3D bsde_get_rule_slots(UGIDFW_BUFSIZ, errstr); if (rule_slots =3D=3D -1) { warnx("unable to get rule slots; mac_bsdextended.ko " "may not be loaded"); errx(1, "bsde_get_rule_slots: %s", errstr); } =20 - rule_count =3D bsde_get_rule_count(BUFSIZ, errstr); + rule_count =3D bsde_get_rule_count(UGIDFW_BUFSIZ, errstr); if (rule_count =3D=3D -1) errx(1, "bsde_get_rule_count: %s", errstr); =20 printf("%d slots, %d rules\n", rule_slots, rule_count); =20 for (i =3D 0; i < rule_slots; i++) { - error =3D bsde_get_rule(i, &rule, BUFSIZ, errstr); + error =3D bsde_get_rule(i, &rule, UGIDFW_BUFSIZ, errstr); switch (error) { case -2: continue; @@ -124,7 +126,7 @@ list_rules(void) break; } =20 - if (bsde_rule_to_string(&rule, charstr, BUFSIZ) =3D=3D -1) + if (bsde_rule_to_string(&rule, charstr, UGIDFW_BUFSIZ) =3D=3D -1) warnx("unable to translate rule %d to string", i); else printf("%d %s\n", i, charstr); @@ -134,7 +136,7 @@ list_rules(void) void set_rule(int argc, char *argv[]) { - char errstr[BUFSIZ]; + char errstr[UGIDFW_BUFSIZ]; struct mac_bsdextended_rule rule; long value; int error, rulenum; @@ -152,13 +154,13 @@ set_rule(int argc, char *argv[]) =20 rulenum =3D value; =20 - error =3D bsde_parse_rule(argc - 1, argv + 1, &rule, BUFSIZ, errstr); + error =3D bsde_parse_rule(argc - 1, argv + 1, &rule, UGIDFW_BUFSIZ, errst= r); if (error) { warnx("%s", errstr); return; } =20 - error =3D bsde_set_rule(rulenum, &rule, BUFSIZ, errstr); + error =3D bsde_set_rule(rulenum, &rule, UGIDFW_BUFSIZ, errstr); if (error) { warnx("%s", errstr); return; @@ -168,7 +170,7 @@ set_rule(int argc, char *argv[]) void remove_rule(int argc, char *argv[]) { - char errstr[BUFSIZ]; + char errstr[UGIDFW_BUFSIZ]; long value; int error, rulenum; char *endp; @@ -185,7 +187,7 @@ remove_rule(int argc, char *argv[]) =20 rulenum =3D value; =20 - error =3D bsde_delete_rule(rulenum, BUFSIZ, errstr); + error =3D bsde_delete_rule(rulenum, UGIDFW_BUFSIZ, errstr); if (error) warnx("%s", errstr); } --61jdw2sOBCFtR2d/-- --S1BNGpv0yoYahz37 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBAgAGBQJTrKxfAAoJEGqEZY9SRW7uHkMP/3ej6m2k7bpVH9gnN3Lz+OrT xXWuqbizi2V+WvoFEQHYT6i+X/mBqiZxTs6Z3LhhrEquDyecWwyIhvCNIRTcX0Jc f8lwPUC1BzPLnTtia0c94gLqxv3SJwHLBodO7slJLFfK6rny9QIVUvhOCqQO7uyM 4l09Y9jSz2oY/e4gY1aC45DivUTrWl0ZuPcsRnwQb60rbnZuY45zOMQfwWKaTiA9 vZ0HiHJtg2twTFWF4YZS1Pao/yv6SnWZOg2Vz7Z/uL3dDNeOfAOgf0CTnV64mOHd Qpk+GIqHghorVyMWfJK9wdZeaGjna+EXX18TBPLbYjPVxNzjOlfN+Bq/FEPT4EfB hwgsFrlRsmaRi7nUyk/UG84Yc9t1R7m9uXl5Q6ppSAA4uS+1DMJ/SmkotPDAAR9f ocnwkVa2lavV0TdBipX1VIebOcyBbF00XropW3YWhesIwZ+/MJrCvzKpB10qXb4U wPuHryr413f10iOeh+ODZBrFgAmj7b/GXB/IiymQC4Itg0sxlUm2bllS6RiSzdm8 +9t7xa2VvRHHdPULH1B/rrCS8+IH7q+kpDACPNCOOMzZILTQ9nDoEXhTS75KsJzJ QVVARtZ7+zeeuSmUXmZtDPcJbmEEQMlpWZ4hMf9O/SFLZWVFhDDoNwTHQHjHXORi 2HZz4RXtle77klp8oigy =EiJx -----END PGP SIGNATURE----- --S1BNGpv0yoYahz37--