path: root/libexec
2023-02-18 Theo de Raadt
Lookup the start,len of the "execve" stub in libc.so, and tell the kernel where it is with pinsyscall(). In non-static binaries, kernel execve(2) will now insist upon being called from that small region. Arriving from a different region smells like ROP methodology, and the process is killed.
2023-02-17 Miod Vallat
Remove unused variables; ok millert@
2023-02-10 Theo de Raadt
Explicitly mark the text LOAD as FLAGS(5), meaning RX, with a comment.
This is the default value of the linker, but I really like placing the comment "architecturally required data islands".
2023-02-02 Theo de Raadt
unify spacing for LOAD FLAGS lines
2023-02-02 Theo de Raadt
i386 and alpha ld.so also work with X-only text LOAD. There is no hardware enforcement for this, but uvm can some of its own tricks on occasion.
2023-01-31 Theo de Raadt
powerpc xonly for G5 is coming. ld.so can have xonly text.
ok gkoehler
2023-01-29 Greg Steuck
Accumulate intermediate immutables locally before applying
OK deraadt
2023-01-29 Greg Steuck
Unite all nitems copies in ld.so/util.h
OK deraadt
2023-01-29 Theo de Raadt
powerpc64 xonly works; ld.so can be switched over
2023-01-20 Theo de Raadt
amd64 now has xonly support via the PKU feature. Marking ld.so exec-only is no longer a NOP on those systems, let's do it.
2023-01-14 Theo Buehler
Add missing void to function definition
2023-01-12 Miod Vallat
Use proper sparc64 illtrap instruction as text sections filler, rather than the x86 one.
2023-01-11 Theo de Raadt
be very paranoid like other architectures and force no-jump-tables
came up in two separate conversations with miod and kettenis
2023-01-11 Theo de Raadt
put LD_SCRIPT in the canonical location
2023-01-11 Miod Vallat
Add ld.so linker scripts on the remaining platforms.
2023-01-11 Theo de Raadt
force-disable jump tables in ld.so building on sparc64, to ease the exonly transition for people building through an upcoming commit series
2023-01-11 Theo de Raadt
the kernel on mips64 (octeon, loongson) is in good enough shape to run --execute-only ld.so (meaning FLAGS (1) on the LOAD line for the text segment, in the ld.script). the linker, when using built-in linker scripts, is not ready yet for other libraries / binaries.
2023-01-11 Todd Mortimer
Add retguard to amd64 syscalls.
Since we got rid of padded syscalls we have enough registers to do this. ok deraadt@ ok kettenis@
2023-01-10 Theo de Raadt
hppa ld.so works with executable-only text (non-readable)
2023-01-09 Theo de Raadt
riscv64 ld.so is ready to be xonly
ok kettenis
2023-01-09 Mark Kettenis
Rewrite the hppa assembly code to avoid reads from .text, by using the standard PIC magic. This makes the code similar to what we already use for rcrt0.o. This makes it ready for execute-only. Build C code using -fno-jump-tables to make it ready for execute-only. ok deraadt@, miod@
2023-01-09 Mark Kettenis
In preparation for upcoming execute-only support, change the magic branch instruction used by __canonicalize_funcptr_for_compare() from "bl" into "b". This allows __canonicalize_funcptr_for_compare() to execute the branch instead of decoding the instruction to find the address of _dl_bind(). This is the first step in the transition to a new ABI. Once an updated ld.so has been installed, we can change __canonicalize_funcptr_for_compare() (which lives in libgcc) and rebuild everything with a new libgcc. Only then we can actually make ld.so executable-only. ok deraadt@, miod@
2022-12-26 Jason McIntyre
spelling fixes; from paul tagliamonte
2022-09-01 Martijn van Duren
Import snmpd_metrics.
This contains snmpd's mib.c (and friends) adjusted for libagentx. This standalone binary is to be used by snmpd to achieve privilege separation. If people need net-snmpd, but want some of the base snmpd metrics they can start this binary as a normal daemon and connect to net-snmpd's agentx socket. Tested, Feedback, and OK sthen@ Release build test, and OK tb@
2022-12-25 Visa Hankala
Re-enable DT_MIPS_RLD_MAP_REL tag in ld.so
The linker now produces correct values for DT_MIPS_RLD_MAP_REL tags. The DT_MIPS_RLD_MAP_REL offset is relative to the entry of the original dynamic tags array. Therefore look up the tag from exe_obj->load_dyn instead of exe_obj->Dyn.info to get the correct base address. OK kettenis@ deraadt@
2022-12-24 Mark Kettenis
Make .text (and .btext) execute-only on arm64.
ok deraadt@
2022-12-18 Theo de Raadt
cannot try the boot.data unmap until all the ld.script are committed, and fixed to identify the region correctly.
2022-12-16 Theo de Raadt
delete // debug comment chunks. If anyone wants to debug ld.so and runs into a mimmutable related concern, you want to undo this revision to get this debug back. I do not consider this suitable for hiding behind a cpp macro.
2022-12-05 Mark Kettenis
Add linker script for hppa. The crucial bit is that hppa needs an extra segment for .plt/.got which needs to be placed correctly. ok deraadt@
2022-12-04 Visa Hankala
ld.so: Disable DT_MIPS_RLD_MAP_REL
The linker produces incorrect values for DT_MIPS_RLD_MAP_REL tags. Disable the handling of the tag in the dynamic loader. The linker will be fixed in a later commit when snapshots have the updated ld.so. Discussed with and OK kettenis@ deraadt@
2022-12-04 Theo de Raadt
The next step for mimmutable(). ld.so figures out what regions of memory of startup shared library mappings can be made immutable, and also does this for dlopen() RTLD_NODELETE and subsidiary libraries. Complexity in this diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections. Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports ok kettenis, much help from others.
2022-11-25 Visa Hankala
Add ld.so linker script for mips64
Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. OK deraadt@
2022-11-14 Theo de Raadt
Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order. this is the alpha version
2022-11-14 Theo de Raadt
Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order. this is the i386 version
2022-11-14 Theo de Raadt
Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order. this is the version for sparc64, tested by pascal also
2022-11-14 Theo de Raadt
Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order. this is the version for powerpc, tested by pascal
2022-11-10 Mark Kettenis
Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order.
2022-11-09 Theo de Raadt
Now that dlopen() sets object->nodelete for RTLD_NODELETE, _dl_load_dep_libs() can consider this same as the "booting" case, and instruct lower layers to do immutability. With this change in place, the not-yet-committed library-immutable diff leaves 1 page of libc (malloc related) and 6 non-RTLD_NODELETE libraries mutable in chrome. Everything else is immutable, except for the program's transient memory allocations & file mappings. This is an unexpected result.
2022-11-09 Theo de Raadt
dlopen() with RTLD_NODELETE should also set the object nodelete flag, so the mapping layer will know it can use mimmutable()
2022-11-09 Theo de Raadt
Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for 32-bit arm, tested by phessler
2022-11-08 Theo de Raadt
In the new scheme, the main executable object needs to be marked nodelete, so that _dl_relro() will immutable its relro.
2022-11-08 Theo de Raadt
Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for riscv64, tested by jca
2022-11-08 Theo de Raadt
Instead of unmapping boot.text, and then a future allocation could land in the gap, mmap a fresh MAP_FIXED MAP_ANON PROT_NONE and make it immutable for good measure ok guenther kettenis
2022-11-07 Theo de Raadt
Missed an ALIGN (which I will admit I do not understand, this is voodoo)
2022-11-07 Theo de Raadt
Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. Similar changes for other architectures coming after more testing. ok kettenis and guenther seemed to like it also
2022-11-07 Klemens Nanni
Use variable and shorter logic for NFS check
No need to hardcode a parent path if we can reuse an existing variable for the specific path that is being used. Negate the file system type in df(1) so the `|| exit 1' can be dropped in favour of the errexit option, as is done for everything else in there. Clarify the comment how this is intentionally NOT logged, i.e. the test happens before the error trap/syslog/logfile handling. OK millert
2022-11-07 Klemens Nanni
Set up logger(1) traps earlier to catch logfile setup failures
If /usr is mounted read-only, kernel relinking fails silently without any log trace:
    # /usr/libexec/reorder_kernel
    /usr/libexec/reorder_kernel[35]: cannot create /usr/share/relink/kernel/GENERIC.MP/relink.log: Read-only file system
This stderr line does not show up anywhere because init(8) redirects stdout and stderr to /dev/null, executes rc(8) which inherits it and thus executes reorder_kernel with both streams discarded. So install the error handler first, then try to set up a log file. Introduce ERRMSG to provide error messages to users, i.e. not say "see .../relink.log" when creating this file is what failed:
    # ksh ./reorder_kernel.sh
    ./reorder_kernel.sh[40]: cannot create /usr/share/relink/kernel/GENERIC.MP/relink.log: Read-only file system
    # tail -n1 /var/log/message # or xconsole(1)
    Nov 7 10:51:00 eru reorder_kernel.sh: failed
OK tb
2022-11-07 Theo de Raadt
dtors were broken by trying to reuse DF_1_NODELETE to hint that this library would never unload, and could be immutable. Pass a separate flag for our purposes Noticed from regress tests by anton, ok kettenis
2022-11-06 Theo de Raadt
TEXTREL binaries are loaded without immutable on un-writeable sections. After text relocations are finished, these regions (in the binary) can become immutable. OPENBSD_MUTABLE section always overlaps writeable LOADs, so don't be afraid of that case, it's covered.
2022-11-06 Theo de Raadt
ld.so wants to make its own RELRO immutable, which is obviously done right after it does mprotect PROT_READ.