author Theo de Raadt <deraadt@cvs.openbsd.org> 2016-05-27 19:45:05 +0000
committer Theo de Raadt <deraadt@cvs.openbsd.org> 2016-05-27 19:45:05 +0000
commit 78b5afaf3f7a760112fbfce28204da6440738775 (patch)
tree 0a7f3cad12fe378e14e0b60deee9ab6a5bcd3e7d /lib
parent 7460ea7c8796fa4a440ed3fc75c19fe120c96c5d (diff)
W^X violations are no longer permitted by default. A kernel log message is generated, and mprotect/mmap return ENOTSUP. If the sysctl(8) flag kern.wxabort is set then a SIGABRT occurs instead, for gdb use or coredump creation.

W^X violating programs can be permitted on a ffs/nfs filesystem-basis, using the "wxallowed" mount option. One day far in the future upstream software developers will understand that W^X violations are a tremendously risky practice and that style of programming will be banished outright. Until then, we recommend most users need to use the wxallowed option on their /usr/local filesystem. At least your other filesystems don't permit such programs.

ok jca kettenis mlarkin natano
Diffstat (limited to 'lib')
-rw-r--r-- lib/libc/sys/mmap.2 14
-rw-r--r-- lib/libc/sys/mount.2 15
-rw-r--r-- lib/libc/sys/mprotect.2 14
3 files changed, 37 insertions, 6 deletions
diff --git a/lib/libc/sys/mmap.2 b/lib/libc/sys/mmap.2
index eef128dbe47..f1be136300c 100644
--- a/lib/libc/sys/mmap.2
+++ b/lib/libc/sys/mmap.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: mmap.2,v 1.51 2014/07/10 19:00:23 matthew Exp $
+.\" $OpenBSD: mmap.2,v 1.52 2016/05/27 19:45:04 deraadt Exp $
.\" $NetBSD: mmap.2,v 1.5 1995/06/24 10:48:59 cgd Exp $
.\"
.\" Copyright (c) 1991, 1993
@@ -30,7 +30,7 @@
.\"
.\" @(#)mmap.2 8.1 (Berkeley) 6/4/93
.\"
-.Dd $Mdocdate: July 10 2014 $
+.Dd $Mdocdate: May 27 2016 $
.Dt MMAP 2
.Os
.Sh NAME
@@ -273,6 +273,16 @@ was specified and the
parameter wasn't available.
.Dv MAP_ANON
was specified and insufficient memory was available.
+.It Bq Er ENOTSUP
+The accesses requested in the
+.Ar prot
+argument are not allowed.
+In particular,
+.Dv PROT_WRITE | PROT_EXEC
+mappings are not permitted in most binaries (see
+.Dv kern.wxabort
+in sysctl 3
+for more information).
.El
.Sh SEE ALSO
.Xr madvise 2 ,
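Review bot: In the new ENOTSUP entry, the pointer "in sysctl 3" is plain text instead of a cross-reference macro, and the entry sends the reader to kern.wxabort, which per the commit message only switches the failure from ENOTSUP to SIGABRT and does not decide whether the mapping is allowed. Suggest putting ".Xr sysctl 3" on its own line (with a matching entry under SEE ALSO), and naming the wxallowed mount option here as well, since "not permitted in most binaries" does not tell the reader what makes a binary exempt. The commit message also calls kern.wxabort a sysctl(8) flag, so it is worth settling on one section number.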
diff --git a/lib/libc/sys/mount.2 b/lib/libc/sys/mount.2
index b2a126a01db..b295b824989 100644
--- a/lib/libc/sys/mount.2
+++ b/lib/libc/sys/mount.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: mount.2,v 1.45 2015/11/23 10:01:45 jmc Exp $
+.\" $OpenBSD: mount.2,v 1.46 2016/05/27 19:45:04 deraadt Exp $
.\" $NetBSD: mount.2,v 1.12 1996/02/29 23:47:48 jtc Exp $
.\"
.\" Copyright (c) 1980, 1989, 1993
@@ -30,7 +30,7 @@
.\"
.\" @(#)mount.2 8.2 (Berkeley) 12/11/93
.\"
-.Dd $Mdocdate: November 23 2015 $
+.Dd $Mdocdate: May 27 2016 $
.Dt MOUNT 2
.Os
.Sh NAME
@@ -95,6 +95,17 @@ All I/O to the filesystem should be done asynchronously.
Use soft dependencies.
Applies to FFS filesystems only (see 'softdep' in
.Xr mount 8 ) .
+.It MNT_WXALLOWED
+Processes that ask for memory to be made writeable plus executable
+using the
+.Xr mmap 2
+and
+.Xr mprotect 2
+system calls are killed by default.
+This option allows those processes to continue operation.
+The option is typically used on the
+.Pa /usr/local
+filesystem.
.El
.Pp
The flag
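Review bot: The MNT_WXALLOWED text states that such processes "are killed by default", which does not match the behaviour described in the commit message: by default mmap/mprotect fail with ENOTSUP and a kernel log message is generated, and SIGABRT is delivered only when kern.wxabort is set. Suggest rewording along the lines of "such requests fail with ENOTSUP by default; this flag permits them for the filesystem it is set on", and replacing "allows those processes to continue operation" with a statement of what the call then returns. A reader checking error handling against this page would otherwise expect a signal, not an errno.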
diff --git a/lib/libc/sys/mprotect.2 b/lib/libc/sys/mprotect.2
index 48720ef3764..c26b628075b 100644
--- a/lib/libc/sys/mprotect.2
+++ b/lib/libc/sys/mprotect.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: mprotect.2,v 1.19 2014/07/02 22:22:35 matthew Exp $
+.\" $OpenBSD: mprotect.2,v 1.20 2016/05/27 19:45:04 deraadt Exp $
.\" $NetBSD: mprotect.2,v 1.6 1995/10/12 15:41:08 jtc Exp $
.\"
.\" Copyright (c) 1991, 1993
@@ -30,7 +30,7 @@
.\"
.\" @(#)mprotect.2 8.1 (Berkeley) 6/9/93
.\"
-.Dd $Mdocdate: July 2 2014 $
+.Dd $Mdocdate: May 27 2016 $
.Dt MPROTECT 2
.Os
.Sh NAME
@@ -96,6 +96,16 @@ The process has locked future pages with
.Fn mlockall MCL_FUTURE ,
a page being protected is not currently accessible,
and making it accessible and locked would exceed process or system limits.
+.It Bq Er ENOTSUP
+The accesses requested in the
+.Ar prot
+argument are not allowed.
+In particular,
+.Dv PROT_WRITE | PROT_EXEC
+mappings are not permitted in most binaries (see
+.Dv kern.wxabort
+in sysctl 3
+for more information).
.It Bq Er EINVAL
The
.Fa prot
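Review bot: The ENOTSUP entry is inserted ahead of EINVAL here, while the identical entry in mmap.2 is appended as the last item before ".El"; one placement rule should apply to both pages. The wording is also copied unchanged from mmap.2: mprotect alters the protection of existing pages, so "mappings are not permitted" would read more accurately as a statement about the requested protection, and "in sysctl 3" has the same missing ".Xr" as in the mmap.2 hunk.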