authorsemarie <semarie@openbsd.org>2015-09-30 11:36:07 +0000
committersemarie <semarie@openbsd.org>2015-09-30 11:36:07 +0000
commitf605d382ff82e8e1cee04abdc9b84060b714c5ac (patch)
tree72bee5f4b7a5b0d3b6a04c4b2d584497120b69e0
parentsleep until all references to an interface have been released during detach. (diff)
implement new "prot_exec" tame(2) request:
- by default, a tamed-program doesn't have the possibility to use PROT_EXEC for mmap(2) or mprotect(2) - for that, use the request "prot_exec" (that could be dropped later) initial idea from deraadt@ and kettenis@ "make complete sense" beck@ ok deraadt@
-rw-r--r--lib/libc/sys/tame.218
-rw-r--r--regress/sys/kern/tame/generic/main.c26
-rw-r--r--regress/sys/kern/tame/generic/tests.out4
-rw-r--r--sys/kern/kern_tame.c5
-rw-r--r--sys/sys/tame.h3
-rw-r--r--sys/uvm/uvm_mmap.c13
6 files changed, 60 insertions, 9 deletions
diff --git a/lib/libc/sys/tame.2 b/lib/libc/sys/tame.2
index 24f27e5047d..0d72a168318 100644
--- a/lib/libc/sys/tame.2
+++ b/lib/libc/sys/tame.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tame.2,v 1.29 2015/09/26 17:16:10 jmc Exp $
+.\" $OpenBSD: tame.2,v 1.30 2015/09/30 11:36:07 semarie Exp $
.\"
.\" Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: September 26 2015 $
+.Dd $Mdocdate: September 30 2015 $
.Dt TAME 2
.Os
.Sh NAME
@@ -121,6 +121,11 @@ Read-only, for
Setuid/setgid/sticky bits are ignored.
The user or group cannot be changed on a file.
.Pp
+.It Xr mmap 2
+.It Xr mprotect 2
+.Dv PROT_EXEC
+isn't allowed.
+.Pp
.It Xr open 2
May open
.Pa /etc/localtime ,
@@ -387,7 +392,14 @@ Allows the following process relationship operations:
.Xr kill 2 ,
.Xr setgroups 2 ,
.Xr setresgid 2 ,
-.Xr setresuid 2 ,
+.Xr setresuid 2 .
+.It Va "prot_exec"
+Allows the use of
+.Dv PROT_EXEC
+with
+.Xr mmap 2
+and
+.Xr mprotect 2 .
.It Va "abort"
Deliver an unblockable
.Dv SIGABRT
diff --git a/regress/sys/kern/tame/generic/main.c b/regress/sys/kern/tame/generic/main.c
index adc19156c75..3d597c1187e 100644
--- a/regress/sys/kern/tame/generic/main.c
+++ b/regress/sys/kern/tame/generic/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.7 2015/09/28 15:40:18 semarie Exp $ */
+/* $OpenBSD: main.c,v 1.8 2015/09/30 11:36:07 semarie Exp $ */
/*
* Copyright (c) 2015 Sebastien Marie <semarie@openbsd.org>
*
@@ -15,6 +15,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
@@ -180,6 +181,25 @@ test_stat()
exit(EXIT_SUCCESS);
}
+static void
+test_mmap()
+{
+ int fd;
+ void * data;
+
+ if ((fd = open("/dev/zero", O_RDONLY, 0)) == -1)
+ _exit(errno);
+
+ data = mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC,
+ MAP_FILE|MAP_SHARED, fd, 0);
+
+ if (data == MAP_FAILED)
+ _exit(errno);
+
+ munmap(data, 4096);
+ close(fd);
+}
+
int
main(int argc, char *argv[])
{
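Review bot: The new regress case only drives the mmap(2) path; nothing exercises the PROT_EXEC check this commit also adds to sys_mprotect in sys/uvm/uvm_mmap.c, which is the call that would turn an existing writable mapping executable. A sibling test_mprotect that maps read/write without PROT_EXEC and then calls mprotect(2) with PROT_EXEC, registered in main() with and without "prot_exec", would pin both outcomes; tests.out then needs the two matching result lines. Separately, test_mmap returns on success where test_stat (visible at the top of this hunk) ends with `exit(EXIT_SUCCESS)`; whether that matters depends on start_test1, which is outside the hunk. The hunk ends inside main(), whose body continues in the next hunk.

```c
static void
test_mprotect()
{
	void *data;

	/* no PROT_EXEC yet: presumably allowed under "rpath malloc", as in test_mmap */
	data = mmap(NULL, 4096, PROT_READ|PROT_WRITE,
	    MAP_ANON|MAP_PRIVATE, -1, 0);
	if (data == MAP_FAILED)
		_exit(errno);

	/* adding PROT_EXEC afterwards must hit the same tame check */
	if (mprotect(data, 4096, PROT_READ|PROT_EXEC) == -1)
		_exit(errno);

	munmap(data, 4096);
}

/* … unchanged: main() up to the test_mmap entries … */
	start_test1(&ret, "rpath malloc prot_exec", "/dev/zero", test_mprotect);
	start_test1(&ret, "rpath malloc", "/dev/zero", test_mprotect);
```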
@@ -264,5 +284,9 @@ main(int argc, char *argv[])
/* test stat(2) */
start_test1(&ret, "stdio rpath", "/usr/share/man", test_stat);
+ /* mmap */
+ start_test1(&ret, "rpath malloc prot_exec", "/dev/zero", test_mmap);
+ start_test1(&ret, "rpath malloc", "/dev/zero", test_mmap);
+
return (ret);
}
diff --git a/regress/sys/kern/tame/generic/tests.out b/regress/sys/kern/tame/generic/tests.out
index 3b55f50f421..deb3e6c4f04 100644
--- a/regress/sys/kern/tame/generic/tests.out
+++ b/regress/sys/kern/tame/generic/tests.out
@@ -1,4 +1,4 @@
-# $OpenBSD: tests.out,v 1.6 2015/09/28 15:40:18 semarie Exp $
+# $OpenBSD: tests.out,v 1.7 2015/09/30 11:36:07 semarie Exp $
test(test_nop): tame=("",NULL) status=0 exit=0
test(test_inet): tame=("",NULL) status=9 signal=9 tamed_syscall=97
test(test_inet): tame=("abort",NULL) status=134 signal=6 coredump=present tamed_syscall=97
@@ -97,3 +97,5 @@ test(test_stat): tame=("stdio rpath",{"/usr/share/man",NULL})
stat("/"): realpath="/" errno=2
stat("/usr/bin/gzip"): realpath=failed(2) errno=2
status=0 exit=0
+test(test_mmap): tame=("rpath malloc prot_exec",{"/dev/zero",NULL}) status=0 exit=0
+test(test_mmap): tame=("rpath malloc",{"/dev/zero",NULL}) status=9 signal=9 tamed_syscall=197
diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c
index c432f48d98b..5a3b17f99d1 100644
--- a/sys/kern/kern_tame.c
+++ b/sys/kern/kern_tame.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_tame.c,v 1.44 2015/09/29 14:41:27 deraadt Exp $ */
+/* $OpenBSD: kern_tame.c,v 1.45 2015/09/30 11:36:07 semarie Exp $ */
/*
* Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -226,7 +226,8 @@ static const struct {
{ "proc", TAME_PROC },
{ "cpath", TAME_CPATH },
{ "abort", TAME_ABORT },
- { "fattr", TAME_FATTR }
+ { "fattr", TAME_FATTR },
+ { "prot_exec", TAME_PROTEXEC },
};
int
diff --git a/sys/sys/tame.h b/sys/sys/tame.h
index f0c886f0ea2..4f3b82edc1a 100644
--- a/sys/sys/tame.h
+++ b/sys/sys/tame.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tame.h,v 1.7 2015/09/11 15:29:47 deraadt Exp $ */
+/* $OpenBSD: tame.h,v 1.8 2015/09/30 11:36:07 semarie Exp $ */
/*
* Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -39,6 +39,7 @@
#define TAME_PROC 0x00001000 /* fork, waitpid, etc */
#define TAME_CPATH 0x00002000 /* allow creat, mkdir, path creations */
#define TAME_FATTR 0x00004000 /* allow explicit file st_* mods */
+#define TAME_PROTEXEC 0x00008000 /* allow use of PROT_EXEC */
#define TAME_ABORT 0x08000000 /* SIGABRT instead of SIGKILL */
diff --git a/sys/uvm/uvm_mmap.c b/sys/uvm/uvm_mmap.c
index 23e369172f3..00145afead8 100644
--- a/sys/uvm/uvm_mmap.c
+++ b/sys/uvm/uvm_mmap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uvm_mmap.c,v 1.118 2015/09/28 18:36:08 tedu Exp $ */
+/* $OpenBSD: uvm_mmap.c,v 1.119 2015/09/30 11:36:07 semarie Exp $ */
/* $NetBSD: uvm_mmap.c,v 1.49 2001/02/18 21:19:08 chs Exp $ */
/*
@@ -65,6 +65,7 @@
#include <sys/stat.h>
#include <sys/specdev.h>
#include <sys/stdint.h>
+#include <sys/tame.h>
#include <sys/unistd.h> /* for KBIND* */
#include <sys/user.h>
@@ -364,6 +365,11 @@ sys_mmap(struct proc *p, void *v, register_t *retval)
if (size == 0)
return (EINVAL);
+ if ((p->p_p->ps_flags & PS_TAMED) &&
+ !(p->p_p->ps_tame & TAME_PROTEXEC) &&
+ (prot & PROT_EXEC))
+ return (tame_fail(p, EPERM, TAME_PROTEXEC));
+
/* align file position and save offset. adjust size. */
ALIGN_ADDR(pos, size, pageoff);
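Review bot: The three-line tame check added here in sys_mmap is repeated verbatim in the sys_mprotect hunk below, so the PROT_EXEC policy now lives in two uncommented copies. Folding it into one helper or macro next to TAME_PROTEXEC in sys/sys/tame.h would keep the two syscalls in step and give any later entry point that takes a protection argument a single thing to call; at minimum add `/* tamed processes must hold "prot_exec" to request PROT_EXEC */` above both copies. Both checks sit after the EINVAL argument validation, so a malformed call returns an error rather than killing the process, which looks intended but is worth stating in that comment. sys_mmap and sys_mprotect both start and end outside their hunks.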
@@ -662,6 +668,11 @@ sys_mprotect(struct proc *p, void *v, register_t *retval)
if ((prot & PROT_MASK) != prot)
return (EINVAL);
+ if ((p->p_p->ps_flags & PS_TAMED) &&
+ !(p->p_p->ps_tame & TAME_PROTEXEC) &&
+ (prot & PROT_EXEC))
+ return (tame_fail(p, EPERM, TAME_PROTEXEC));
+
/*
* align the address to a page boundary, and adjust the size accordingly
*/