Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys Some changes, to reduce a bit my tech-kern@ patch:
details: https://anonhg.NetBSD.org/src/rev/e411f1c6717c
branches: trunk
changeset: 809846:e411f1c6717c
user: maxv <maxv%NetBSD.org@localhost>
date: Tue Aug 04 18:28:09 2015 +0000
description:
Some changes, to reduce a bit my tech-kern@ patch:
- move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h
- add a generic pax_flags_active() function
- fix a comment in exec_elf.c; interp is not static
- KNF for return
- rename pax_aslr() to pax_aslr_mmap()
- rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()
diffstat:
sys/kern/exec_elf.c | 6 ++--
sys/kern/kern_pax.c | 73 ++++++++++++++++++++++++++--------------------------
sys/sys/pax.h | 12 ++++----
sys/uvm/uvm_mmap.c | 6 ++--
4 files changed, 49 insertions(+), 48 deletions(-)
diffs (288 lines):
diff -r 2621ab228889 -r e411f1c6717c sys/kern/exec_elf.c
--- a/sys/kern/exec_elf.c Tue Aug 04 12:44:04 2015 +0000
+++ b/sys/kern/exec_elf.c Tue Aug 04 18:28:09 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: exec_elf.c,v 1.73 2015/07/30 15:28:18 maxv Exp $ */
+/* $NetBSD: exec_elf.c,v 1.74 2015/08/04 18:28:09 maxv Exp $ */
/*-
* Copyright (c) 1994, 2000, 2005 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(1, "$NetBSD: exec_elf.c,v 1.73 2015/07/30 15:28:18 maxv Exp $");
+__KERNEL_RCSID(1, "$NetBSD: exec_elf.c,v 1.74 2015/08/04 18:28:09 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_pax.h"
@@ -701,7 +701,7 @@
*
* Probe functions would normally see if the interpreter (if any)
* exists. Emulation packages may possibly replace the interpreter in
- * interp[] with a changed path (/emul/xxx/<path>).
+ * interp with a changed path (/emul/xxx/<path>).
*/
pos = ELFDEFNNAME(NO_ADDR);
if (epp->ep_esch->u.elf_probe_func) {
diff -r 2621ab228889 -r e411f1c6717c sys/kern/kern_pax.c
--- a/sys/kern/kern_pax.c Tue Aug 04 12:44:04 2015 +0000
+++ b/sys/kern/kern_pax.c Tue Aug 04 18:28:09 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_pax.c,v 1.30 2015/07/31 07:37:17 maxv Exp $ */
+/* $NetBSD: kern_pax.c,v 1.31 2015/08/04 18:28:09 maxv Exp $ */
/*
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.30 2015/07/31 07:37:17 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.31 2015/08/04 18:28:09 maxv Exp $");
#include "opt_pax.h"
@@ -141,7 +141,7 @@
};
static bool pax_segvguard_elf_flags_active(uint32_t);
-static void pax_segvguard_cb(void *);
+static void pax_segvguard_cleanup_cb(void *);
#endif /* PAX_SEGVGUARD */
SYSCTL_SETUP(sysctl_security_pax_setup, "sysctl security.pax setup")
@@ -276,7 +276,7 @@
#ifdef PAX_SEGVGUARD
int error;
- error = fileassoc_register("segvguard", pax_segvguard_cb,
+ error = fileassoc_register("segvguard", pax_segvguard_cleanup_cb,
&segvguard_id);
if (error) {
panic("pax_init: segvguard_id: error=%d\n", error);
@@ -308,6 +308,15 @@
l->l_proc->p_pax = flags;
}
+#if defined(PAX_MPROTECT) || defined(PAX_SEGVGUARD) || defined(PAX_ASLR)
+static inline bool
+pax_flags_active(uint32_t flags, uint32_t opt)
+{
+ if (!(flags & opt))
+ return false;
+ return true;
+}
+#endif /* PAX_MPROTECT || PAX_SEGVGUARD || PAX_ASLR */
#ifdef PAX_MPROTECT
static bool
@@ -332,7 +341,7 @@
uint32_t flags;
flags = l->l_proc->p_pax;
- if (!(flags & P_PAX_MPROTECT))
+ if (!pax_flags_active(flags, P_PAX_MPROTECT))
return;
if ((*prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) != VM_PROT_EXECUTE) {
@@ -365,10 +374,7 @@
bool
pax_aslr_active(struct lwp *l)
{
- uint32_t flags = l->l_proc->p_pax;
- if (!(flags & P_PAX_ASLR))
- return false;
- return true;
+ return pax_flags_active(l->l_proc->p_pax, P_PAX_ASLR);
}
void
@@ -382,7 +388,7 @@
}
void
-pax_aslr(struct lwp *l, vaddr_t *addr, vaddr_t orig_addr, int f)
+pax_aslr_mmap(struct lwp *l, vaddr_t *addr, vaddr_t orig_addr, int f)
{
if (!pax_aslr_active(l))
return;
@@ -404,17 +410,18 @@
void
pax_aslr_stack(struct lwp *l, struct exec_package *epp, u_long *max_stack_size)
{
- if (pax_aslr_active(l)) {
- u_long d = PAX_ASLR_DELTA(cprng_fast32(),
- PAX_ASLR_DELTA_STACK_LSB,
- PAX_ASLR_DELTA_STACK_LEN);
- PAX_DPRINTF("stack 0x%lx d=0x%lx 0x%lx",
- epp->ep_minsaddr, d, epp->ep_minsaddr - d);
- epp->ep_minsaddr -= d;
- *max_stack_size -= d;
- if (epp->ep_ssize > *max_stack_size)
- epp->ep_ssize = *max_stack_size;
- }
+ if (!pax_aslr_active(l))
+ return;
+
+ u_long d = PAX_ASLR_DELTA(cprng_fast32(),
+ PAX_ASLR_DELTA_STACK_LSB,
+ PAX_ASLR_DELTA_STACK_LEN);
+ PAX_DPRINTF("stack 0x%lx d=0x%lx 0x%lx",
+ epp->ep_minsaddr, d, epp->ep_minsaddr - d);
+ epp->ep_minsaddr -= d;
+ *max_stack_size -= d;
+ if (epp->ep_ssize > *max_stack_size)
+ epp->ep_ssize = *max_stack_size;
}
#endif /* PAX_ASLR */
@@ -436,7 +443,7 @@
}
static void
-pax_segvguard_cb(void *v)
+pax_segvguard_cleanup_cb(void *v)
{
struct pax_segvguard_entry *p = v;
struct pax_segvguard_uid_entry *up;
@@ -466,18 +473,18 @@
bool have_uid;
flags = l->l_proc->p_pax;
- if (!(flags & P_PAX_GUARD))
+ if (!pax_flags_active(flags, P_PAX_GUARD))
return 0;
if (vp == NULL)
- return (EFAULT);
+ return EFAULT;
/* Check if we already monitor the file. */
p = fileassoc_lookup(vp, segvguard_id);
/* Fast-path if starting a program we don't know. */
if (p == NULL && !crashed)
- return (0);
+ return 0;
microtime(&tv);
@@ -500,10 +507,8 @@
up->sue_ncrashes = 1;
up->sue_expiry = tv.tv_sec + pax_segvguard_expiry;
up->sue_suspended = 0;
-
LIST_INSERT_HEAD(&p->segv_uids, up, sue_list);
-
- return (0);
+ return 0;
}
/*
@@ -529,10 +534,9 @@
up->sue_ncrashes = 1;
up->sue_expiry = tv.tv_sec + pax_segvguard_expiry;
up->sue_suspended = 0;
-
LIST_INSERT_HEAD(&p->segv_uids, up, sue_list);
}
- return (0);
+ return 0;
}
if (crashed) {
@@ -540,12 +544,10 @@
if (up->sue_expiry < tv.tv_sec) {
log(LOG_INFO, "PaX Segvguard: [%s] Suspension"
" expired.\n", name ? name : "unknown");
-
up->sue_ncrashes = 1;
up->sue_expiry = tv.tv_sec + pax_segvguard_expiry;
up->sue_suspended = 0;
-
- return (0);
+ return 0;
}
up->sue_ncrashes++;
@@ -567,11 +569,10 @@
log(LOG_ALERT, "PaX Segvguard: [%s] Preventing "
"execution due to repeated segfaults.\n", name ?
name : "unknown");
-
- return (EPERM);
+ return EPERM;
}
}
- return (0);
+ return 0;
}
#endif /* PAX_SEGVGUARD */
diff -r 2621ab228889 -r e411f1c6717c sys/sys/pax.h
--- a/sys/sys/pax.h Tue Aug 04 12:44:04 2015 +0000
+++ b/sys/sys/pax.h Tue Aug 04 18:28:09 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pax.h,v 1.13 2015/07/31 07:37:17 maxv Exp $ */
+/* $NetBSD: pax.h,v 1.14 2015/08/04 18:28:10 maxv Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
@@ -32,6 +32,10 @@
#include <uvm/uvm_extern.h>
+#define P_PAX_ASLR 0x01 /* Enable ASLR */
+#define P_PAX_MPROTECT 0x02 /* Enable Mprotect */
+#define P_PAX_GUARD 0x04 /* Enable Segvguard */
+
struct lwp;
struct exec_package;
struct vmspace;
@@ -43,10 +47,6 @@
#ifndef PAX_ASLR_DELTA_EXEC_LEN
#define PAX_ASLR_DELTA_EXEC_LEN 12
#endif
-
-#define P_PAX_ASLR 0x01 /* Enable ASLR */
-#define P_PAX_MPROTECT 0x02 /* Enable Mprotect */
-#define P_PAX_GUARD 0x04 /* Enable Segvguard */
#endif /* PAX_ASLR */
void pax_init(void);
@@ -61,6 +61,6 @@
bool pax_aslr_active(struct lwp *);
void pax_aslr_init_vm(struct lwp *, struct vmspace *);
void pax_aslr_stack(struct lwp *, struct exec_package *, u_long *);
-void pax_aslr(struct lwp *, vaddr_t *, vaddr_t, int);
+void pax_aslr_mmap(struct lwp *, vaddr_t *, vaddr_t, int);
#endif /* !_SYS_PAX_H_ */
diff -r 2621ab228889 -r e411f1c6717c sys/uvm/uvm_mmap.c
--- a/sys/uvm/uvm_mmap.c Tue Aug 04 12:44:04 2015 +0000
+++ b/sys/uvm/uvm_mmap.c Tue Aug 04 18:28:09 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: uvm_mmap.c,v 1.152 2015/03/01 13:43:51 mlelstv Exp $ */
+/* $NetBSD: uvm_mmap.c,v 1.153 2015/08/04 18:28:10 maxv Exp $ */
/*
* Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -46,7 +46,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_mmap.c,v 1.152 2015/03/01 13:43:51 mlelstv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_mmap.c,v 1.153 2015/08/04 18:28:10 maxv Exp $");
#include "opt_compat_netbsd.h"
#include "opt_pax.h"
@@ -422,7 +422,7 @@
#endif /* PAX_MPROTECT */
#ifdef PAX_ASLR
- pax_aslr(l, &addr, orig_addr, flags);
+ pax_aslr_mmap(l, &addr, orig_addr, flags);
#endif /* PAX_ASLR */
/*
Home |
Main Index |
Thread Index |
Old Index