Age | Commit message (Collapse) | Author |
|
ok miod@ millert@
|
|
Reported by Peter J. Philipp. OK deraadt@
|
|
right, deraadt@
|
|
where it is with pinsyscall(). In non-static binaries, kernel execve(2)
will now insist upon being called from that small region. Arriving from
a different region smells like ROP methodology, and the process is killed.
|
|
|
|
This is the default value of the linker, but I really like placing the
comment "architecturally required data islands".
|
|
|
|
hardware enforcement for this, but uvm can some of it's own tricks
on occasion.
|
|
ok gkoehler
|
|
OK deraadt
|
|
OK deraadt
|
|
|
|
is no longer a NOP on those systems, let's do it.
|
|
|
|
the x86 one.
|
|
came up in two seperate conversations with miod and kettenis
|
|
|
|
|
|
exonly transition for people building through an upcoming commit series
|
|
--execute-only ld.so (meaning FLAGS (1) on the LOAD line for the text
segment, in the ld.script). the linker, when using built-in linker scripts,
is not ready yet for other libraries / binaries..
|
|
Since we got rid of padded syscalls we have enough registers to do this.
ok deraadt@ ok kettenis@
|
|
|
|
ok kettenis
|
|
standard PIC magic. This makes the code similar to what we already use
for rcrt0.o. This makes it ready for execute-only.
Build C code using -fno-jump-tables to make it ready for execute-only.
ok deraadt@, miod@
|
|
instruction used by __canonicalize_funcptr_for_compare() from "bl" into "b".
This allows __canonicalize_funcptr_for_compare() to execute the branch
instead of decoding the instruction to find the address of _dl_bind().
This is the first step in the transition to a new ABI. Once an updated
ld.so has been installed, we can change __canonicalize_funcptr_for_compare()
(which lives in libgcc) and rebuild everything with a new libgcc. Only
then we can actually make ld.so executable-only.
ok deraadt@, miod@
|
|
|
|
This contains snmpd's mib.c (and friends) adjusted for libagentx.
This standalone binary is to be used by snmpd to achieve privilege
separation.
If people need net-snmpd, but want some of the base snmpd metrics they can
start this binary as a normal daemon and connect to net-snmpd's agentx
socket.
Tested, Feedback, and OK sthen@
Release build test, and OK tb@
|
|
The linker now produces correct values for DT_MIPS_RLD_MAP_REL tags.
The DT_MIPS_RLD_MAP_REL offset is relative to the entry of the original
dynamic tags array. Therefore look up the tag from exe_obj->load_dyn
instead of exe_obj->Dyn.info to get the correct base address.
OK kettenis@ deraadt@
|
|
ok deraadt@
|
|
fixed to identify the region correctly.
|
|
into a mimmutable related concern, you want to undo this revision to get
this debug back. I do not consider this suitable for hiding behind a
cpp macro.
|
|
segment for .plt/.got which needs to be placed correctly.
ok deraadt@
|
|
The linker produces incorrect values for DT_MIPS_RLD_MAP_REL tags.
Disable the handling of the tag in the dynamic loader. The linker
will be fixed in a later commit when snapshots have the updated ld.so.
Discussed with and OK kettenis@ deraadt@
|
|
of startup shared library mappings can be made immutable, and also does
this for dlope() RTLD_NODELETE and subsidiary libraries. Complexity in this
diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections.
Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports
ok kettenis, much help from others.
|
|
Since the introduction of automatic immutable from the kernel, the munmap()
of ld.so boot.text region is now (silently) failing because the region is
contained within the text LOAD, which is immutable. So create a new btext
LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects
in there. This LOAD must also be page-aligned so it doesn't skip unmapping
some of the object region, previously it was hilariously unaligned.
OK deraadt@
|
|
of ld.so boot.text region is now (silently) failing because the region is
contained within the text LOAD, which is immutable. So create a new btext
LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects
in there. This LOAD must also be page-aligned so it doesn't skip unmapping
some of the object region, previously it was hilariously unaligned.
ok kettenis and guenther seemed to like it also
This one is for powerpc64 and a modified version of the diff deraadt@ mailed
out to make sure the LOADs are in increasing address order.
this is the alpha version
|
|
of ld.so boot.text region is now (silently) failing because the region is
contained within the text LOAD, which is immutable. So create a new btext
LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects
in there. This LOAD must also be page-aligned so it doesn't skip unmapping
some of the object region, previously it was hilariously unaligned.
ok kettenis and guenther seemed to like it also
This one is for powerpc64 and a modified version of the diff deraadt@ mailed
out to make sure the LOADs are in increasing address order.
this is the i386 version
|
|
of ld.so boot.text region is now (silently) failing because the region is
contained within the text LOAD, which is immutable. So create a new btext
LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects
in there. This LOAD must also be page-aligned so it doesn't skip unmapping
some of the object region, previously it was hilariously unaligned.
ok kettenis and guenther seemed to like it also
This one is for powerpc64 and a modified version of the diff deraadt@ mailed
out to make sure the LOADs are in increasing address order.
this is the version for sparc64, tested by pascal also
|
|
of ld.so boot.text region is now (silently) failing because the region is
contained within the text LOAD, which is immutable. So create a new btext
LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects
in there. This LOAD must also be page-aligned so it doesn't skip unmapping
some of the object region, previously it was hilariously unaligned.
ok kettenis and guenther seemed to like it also
This one is for powerpc64 and a modified version of the diff deraadt@ mailed
out to make sure the LOADs are in increasing address order.
this is the version for powerpc, tested by pascal
|
|
of ld.so boot.text region is now (silently) failing because the region is
contained within the text LOAD, which is immutable. So create a new btext
LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects
in there. This LOAD must also be page-aligned so it doesn't skip unmapping
some of the object region, previously it was hilariously unaligned.
ok kettenis and guenther seemed to like it also
This one is for powerpc64 and a modified version of the diff deraadt@ mailed
out to make sure the LOADs are in increasing address order.
|
|
can consider this same as the "booting" case, and instruct lower layers to
do immutability. With this change in place, the not-yet-commited
library-immutable diff leaves 1 page of libc (malloc related) and 6
non-RTLD_NODELETE libraries mutable in chrome.
Everything else is immutable, except for the program's transient memory
allocations & file mappings. This is an unexpected result.
|
|
so the mapping layer will know it can use mimmutable()
|
|
of ld.so boot.text region is now (silently) failing because the region is
contained within the text LOAD, which is immutable. So create a new btext
LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects
in there. This LOAD must also be page-aligned so it doesn't skip unmapping
some of the object region, previously it was hilariously unaligned.
ok kettenis and guenther seemed to like it also
This one is for 32-bit arm, tested by phessler
|
|
nodelete, so that _dl_relro() will immutable it's relro.
|
|
of ld.so boot.text region is now (silently) failing because the region is
contained within the text LOAD, which is immutable. So create a new btext
LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects
in there. This LOAD must also be page-aligned so it doesn't skip unmapping
some of the object region, previously it was hilariously unaligned.
ok kettenis and guenther seemed to like it also
This one is for riscv64, tested by jca
|
|
the gap, mmap a fresh MAP_FIXED MAP_ANON PROT_NONE and make it immutable
for good measure
ok guenther kettenis
|
|
|
|
of ld.so boot.text region is now (silently) failing because the region is
contained within the text LOAD, which is immutable. So create a new btext
LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects
in there. This LOAD must also be page-aligned so it doesn't skip unmapping
some of the object region, previously it was hilariously unaligned.
Similar changes for other architectures coming after more testing.
ok kettenis and guenther seemed to like it also
|
|
No need to hardcode a parent path if we can reuse an existing variable for
the specific path that is in being used.
Negate the file system type in df(1) so the `|| exit 1' can be dropped
in favour of the errexit option, as is done for everything else in there.
Clarify the comment how this is intentionally NOT logged, i.e. the test
happens before the error trap/syslog/logfile handling.
OK millert
|
|
If /usr is mounted read-only, kernel relinking fails silently without any
log trace:
# /usr/libexec/reorder_kernel
/usr/libexec/reorder_kernel[35]: cannot create /usr/share/relink/kernel/GENERIC.MP/relink.log: Read-only file system
This stderr line does not show up anywhere because init(8) redirects stdout
and stderr to /dev/null, executes rc(8) which inherits it and thus executes
reorder_kernel with both streams discarded.
So install the error handler first, then try to set up a log file.
Introduce ERRMSG to provide error messages to users, i.e. not say
"see .../relink.log" when creating this file is what failed:
# ksh ./reorder_kernel.sh
./reorder_kernel.sh[40]: cannot create /usr/share/relink/kernel/GENERIC.MP/relink.log: Read-only file system
# tail -n1 /var/log/message # or xconsole(1)
Nov 7 10:51:00 eru reorder_kernel.sh: failed
OK tb
|