FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_pax.c
1 /* $NetBSD: kern_pax.c,v 1.8.2.2 2007/07/09 10:30:56 liamjfoy Exp $ */
2
3 /*-
4 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. All advertising materials mentioning features or use of this software
16 * must display the following acknowledgement:
17 * This product includes software developed by Elad Efrat.
18 * 4. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "opt_pax.h"
34
35 #include <sys/param.h>
36 #include <sys/proc.h>
37 #include <sys/exec_elf.h>
38 #include <sys/pax.h>
39 #include <sys/sysctl.h>
40 #include <sys/malloc.h>
41 #include <sys/fileassoc.h>
42 #include <sys/syslog.h>
43 #include <sys/vnode.h>
44 #include <sys/queue.h>
45 #include <sys/kauth.h>
46
47 #ifdef PAX_MPROTECT
48 static int pax_mprotect_enabled = 1;
49 static int pax_mprotect_global = PAX_MPROTECT;
50
51 specificdata_key_t pax_mprotect_key;
52 #endif
53
54 #ifdef PAX_SEGVGUARD
55 #ifndef PAX_SEGVGUARD_EXPIRY
56 #define PAX_SEGVGUARD_EXPIRY (2 * 60)
57 #endif
58
59 #ifndef PAX_SEGVGUARD_SUSPENSION
60 #define PAX_SEGVGUARD_SUSPENSION (10 * 60)
61 #endif
62
63 #ifndef PAX_SEGVGUARD_MAXCRASHES
64 #define PAX_SEGVGUARD_MAXCRASHES 5
65 #endif
66
67 static int pax_segvguard_enabled = 1;
68 static int pax_segvguard_global = PAX_SEGVGUARD;
69 static int pax_segvguard_expiry = PAX_SEGVGUARD_EXPIRY;
70 static int pax_segvguard_suspension = PAX_SEGVGUARD_SUSPENSION;
71 static int pax_segvguard_maxcrashes = PAX_SEGVGUARD_MAXCRASHES;
72
73 static fileassoc_t segvguard_id;
74 specificdata_key_t pax_segvguard_key;
75
76 struct pax_segvguard_uid_entry {
77 uid_t sue_uid;
78 size_t sue_ncrashes;
79 time_t sue_expiry;
80 time_t sue_suspended;
81 LIST_ENTRY(pax_segvguard_uid_entry) sue_list;
82 };
83
84 struct pax_segvguard_entry {
85 LIST_HEAD(, pax_segvguard_uid_entry) segv_uids;
86 };
87 #endif /* PAX_SEGVGUARD */
88
89 /* PaX internal setspecific flags */
90 #define PAX_MPROTECT_EXPLICIT_ENABLE (void *)0x01
91 #define PAX_MPROTECT_EXPLICIT_DISABLE (void *)0x02
92 #define PAX_SEGVGUARD_EXPLICIT_ENABLE (void *)0x03
93 #define PAX_SEGVGUARD_EXPLICIT_DISABLE (void *)0x04
94
95 SYSCTL_SETUP(sysctl_security_pax_setup, "sysctl security.pax setup")
96 {
97 const struct sysctlnode *rnode = NULL, *cnode;
98
99 sysctl_createv(clog, 0, NULL, &rnode,
100 CTLFLAG_PERMANENT,
101 CTLTYPE_NODE, "security", NULL,
102 NULL, 0, NULL, 0,
103 CTL_SECURITY, CTL_EOL);
104
105 sysctl_createv(clog, 0, &rnode, &rnode,
106 CTLFLAG_PERMANENT,
107 CTLTYPE_NODE, "pax",
108 SYSCTL_DESCR("PaX (exploit mitigation) features."),
109 NULL, 0, NULL, 0,
110 CTL_CREATE, CTL_EOL);
111
112 cnode = rnode;
113
114 #ifdef PAX_MPROTECT
115 sysctl_createv(clog, 0, &rnode, &rnode,
116 CTLFLAG_PERMANENT,
117 CTLTYPE_NODE, "mprotect",
118 SYSCTL_DESCR("mprotect(2) W^X restrictions."),
119 NULL, 0, NULL, 0,
120 CTL_CREATE, CTL_EOL);
121 sysctl_createv(clog, 0, &rnode, NULL,
122 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
123 CTLTYPE_INT, "enabled",
124 SYSCTL_DESCR("Restrictions enabled."),
125 NULL, 0, &pax_mprotect_enabled, 0,
126 CTL_CREATE, CTL_EOL);
127 sysctl_createv(clog, 0, &rnode, NULL,
128 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
129 CTLTYPE_INT, "global",
130 SYSCTL_DESCR("When enabled, unless explicitly "
131 "specified, apply restrictions to "
132 "all processes."),
133 NULL, 0, &pax_mprotect_global, 0,
134 CTL_CREATE, CTL_EOL);
135 #endif /* PAX_MPROTECT */
136
137 rnode = cnode;
138
139 #ifdef PAX_SEGVGUARD
140 sysctl_createv(clog, 0, &rnode, &rnode,
141 CTLFLAG_PERMANENT,
142 CTLTYPE_NODE, "segvguard",
143 SYSCTL_DESCR("PaX segvguard."),
144 NULL, 0, NULL, 0,
145 CTL_CREATE, CTL_EOL);
146 sysctl_createv(clog, 0, &rnode, NULL,
147 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
148 CTLTYPE_INT, "enabled",
149 SYSCTL_DESCR("segvguard enabled."),
150 NULL, 0, &pax_segvguard_enabled, 0,
151 CTL_CREATE, CTL_EOL);
152 sysctl_createv(clog, 0, &rnode, NULL,
153 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
154 CTLTYPE_INT, "global",
155 SYSCTL_DESCR("segvguard all programs."),
156 NULL, 0, &pax_segvguard_global, 0,
157 CTL_CREATE, CTL_EOL);
158 sysctl_createv(clog, 0, &rnode, NULL,
159 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
160 CTLTYPE_INT, "expiry_timeout",
161 SYSCTL_DESCR("Entry expiry timeout (in seconds)."),
162 NULL, 0, &pax_segvguard_expiry, 0,
163 CTL_CREATE, CTL_EOL);
164 sysctl_createv(clog, 0, &rnode, NULL,
165 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
166 CTLTYPE_INT, "suspend_timeout",
167 SYSCTL_DESCR("Entry suspension timeout (in seconds)."),
168 NULL, 0, &pax_segvguard_suspension, 0,
169 CTL_CREATE, CTL_EOL);
170 sysctl_createv(clog, 0, &rnode, NULL,
171 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
172 CTLTYPE_INT, "max_crashes",
173 SYSCTL_DESCR("Max number of crashes before expiry."),
174 NULL, 0, &pax_segvguard_maxcrashes, 0,
175 CTL_CREATE, CTL_EOL);
176 #endif /* PAX_SEGVGUARD */
177 }
178
179 /*
180 * Initialize PaX.
181 */
182 void
183 pax_init(void)
184 {
185 #ifdef PAX_MPROTECT
186 proc_specific_key_create(&pax_mprotect_key, NULL);
187 #endif /* PAX_MPROTECT */
188
189 #ifdef PAX_SEGVGUARD
190 segvguard_id = fileassoc_register("segvguard", pax_segvguard_cb);
191 proc_specific_key_create(&pax_segvguard_key, NULL);
192 #endif /* PAX_SEGVGUARD */
193 }
194
195 void
196 pax_adjust(struct lwp *l, uint32_t f)
197 {
198 #ifdef PAX_MPROTECT
199 if (pax_mprotect_enabled) {
200 if (f & ELF_NOTE_PAX_MPROTECT)
201 proc_setspecific(l->l_proc, pax_mprotect_key,
202 PAX_MPROTECT_EXPLICIT_ENABLE);
203 if (f & ELF_NOTE_PAX_NOMPROTECT)
204 proc_setspecific(l->l_proc, pax_mprotect_key,
205 PAX_MPROTECT_EXPLICIT_DISABLE);
206 }
207 #endif /* PAX_MPROTECT */
208
209 #ifdef PAX_SEGVGUARD
210 if (pax_segvguard_enabled) {
211 if (f & ELF_NOTE_PAX_GUARD)
212 proc_setspecific(l->l_proc, pax_segvguard_key,
213 PAX_SEGVGUARD_EXPLICIT_ENABLE);
214 if (f & ELF_NOTE_PAX_NOGUARD)
215 proc_setspecific(l->l_proc, pax_segvguard_key,
216 PAX_SEGVGUARD_EXPLICIT_DISABLE);
217 }
218 #endif /* PAX_SEGVGUARD */
219 }
220
221 #ifdef PAX_MPROTECT
222 void
223 pax_mprotect(struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot)
224 {
225 void *t;
226
227 if (!pax_mprotect_enabled)
228 return;
229
230 t = proc_getspecific(l->l_proc, pax_mprotect_key);
231 if ((pax_mprotect_global && t == PAX_MPROTECT_EXPLICIT_DISABLE) ||
232 (!pax_mprotect_global && t != PAX_MPROTECT_EXPLICIT_ENABLE))
233 return;
234
235 if ((*prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) != VM_PROT_EXECUTE) {
236 *prot &= ~VM_PROT_EXECUTE;
237 *maxprot &= ~VM_PROT_EXECUTE;
238 } else {
239 *prot &= ~VM_PROT_WRITE;
240 *maxprot &= ~VM_PROT_WRITE;
241 }
242 }
243 #endif /* PAX_MPROTECT */
244
245 #ifdef PAX_SEGVGUARD
246 void
247 pax_segvguard_cb(void *v, int what)
248 {
249 struct pax_segvguard_entry *p;
250 struct pax_segvguard_uid_entry *up;
251
252 if (v == NULL)
253 return;
254
255 if (what == FILEASSOC_CLEANUP_FILE) {
256 p = v;
257 while ((up = LIST_FIRST(&p->segv_uids)) != NULL) {
258 LIST_REMOVE(up, sue_list);
259 free(up, M_TEMP);
260 }
261 }
262
263 free(v, M_TEMP);
264 }
265
266 /*
267 * Called when a process of image vp generated a segfault.
268 */
269 int
270 pax_segvguard(struct lwp *l, struct vnode *vp, const char *name,
271 boolean_t crashed)
272 {
273 struct pax_segvguard_entry *p;
274 struct pax_segvguard_uid_entry *up;
275 struct timeval tv;
276 uid_t uid;
277 void *t;
278 boolean_t have_uid;
279
280 if (!pax_segvguard_enabled)
281 return (0);
282
283 t = proc_getspecific(l->l_proc, pax_segvguard_key);
284 if ((pax_segvguard_global && t == PAX_SEGVGUARD_EXPLICIT_DISABLE) ||
285 (!pax_segvguard_global && t != PAX_SEGVGUARD_EXPLICIT_ENABLE))
286 return (0);
287
288 if (segvguard_id == FILEASSOC_INVAL || vp == NULL)
289 return (EFAULT);
290
291 /* Check if we already monitor the file. */
292 p = fileassoc_lookup(vp, segvguard_id);
293
294 /* Fast-path if starting a program we don't know. */
295 if (p == NULL && !crashed)
296 return (0);
297
298 microtime(&tv);
299
300 /*
301 * If a program we don't know crashed, we need to create a new entry
302 * for it.
303 */
304 if (p == NULL) {
305 p = malloc(sizeof(*p), M_TEMP, M_WAITOK);
306 if (fileassoc_add(vp, segvguard_id, p) != 0) {
307 fileassoc_table_add(vp->v_mount, 16);
308 fileassoc_add(vp, segvguard_id, p);
309 }
310 LIST_INIT(&p->segv_uids);
311
312 /*
313 * Initialize a new entry with "crashes so far" of 1.
314 * The expiry time is when we purge the entry if it didn't
315 * reach the limit.
316 */
317 up = malloc(sizeof(*up), M_TEMP, M_WAITOK);
318 up->sue_uid = kauth_cred_getuid(l->l_cred);
319 up->sue_ncrashes = 1;
320 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry;
321 up->sue_suspended = 0;
322
323 LIST_INSERT_HEAD(&p->segv_uids, up, sue_list);
324
325 return (0);
326 }
327
328 /*
329 * A program we "know" either executed or crashed again.
330 * See if it's a culprit we're familiar with.
331 */
332 uid = kauth_cred_getuid(l->l_cred);
333 have_uid = FALSE;
334 LIST_FOREACH(up, &p->segv_uids, sue_list) {
335 if (up->sue_uid == uid) {
336 have_uid = TRUE;
337 break;
338 }
339 }
340
341 /*
342 * It's someone else. Add an entry for him if we crashed.
343 */
344 if (!have_uid) {
345 if (crashed) {
346 up = malloc(sizeof(*up), M_TEMP, M_WAITOK);
347 up->sue_uid = uid;
348 up->sue_ncrashes = 1;
349 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry;
350 up->sue_suspended = 0;
351
352 LIST_INSERT_HEAD(&p->segv_uids, up, sue_list);
353 }
354
355 return (0);
356 }
357
358 if (crashed) {
359 /* Check if timer on previous crashes expired first. */
360 if (up->sue_expiry < tv.tv_sec) {
361 log(LOG_INFO, "PaX Segvguard: [%s] Suspension"
362 " expired.\n", name ? name : "unknown");
363
364 up->sue_ncrashes = 1;
365 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry;
366 up->sue_suspended = 0;
367
368 return (0);
369 }
370
371 up->sue_ncrashes++;
372
373 if (up->sue_ncrashes >= pax_segvguard_maxcrashes) {
374 log(LOG_ALERT, "PaX Segvguard: [%s] Suspending "
375 "execution for %d seconds after %zu crashes.\n",
376 name ? name : "unknown", pax_segvguard_suspension,
377 up->sue_ncrashes);
378
379 /* Suspend this program for a while. */
380 up->sue_suspended = tv.tv_sec + pax_segvguard_suspension;
381 up->sue_ncrashes = 0;
382 up->sue_expiry = 0;
383 }
384 } else {
385 /* Are we supposed to be suspended? */
386 if (up->sue_suspended > tv.tv_sec) {
387 log(LOG_ALERT, "PaX Segvguard: [%s] Preventing "
388 "execution due to repeated segfaults.\n", name ?
389 name : "unknown");
390
391 return (EPERM);
392 }
393 }
394
395 return (0);
396 }
397 #endif /* PAX_SEGVGUARD */
Cache object: dd19d4cde56526de07964c60bff9c5e2
|