summaryrefslogtreecommitdiff
path: root/libexec
AgeCommit message (Collapse)Author
2022-11-10Since the introduction of automatic immutable from the kernel, the munmap()Mark Kettenis
of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order.
2022-11-09Now that dlopen() sets object->nodelete for RTLD_NODELETE, _dl_load_dep_libs()Theo de Raadt
can consider this same as the "booting" case, and instruct lower layers to do immutability. With this change in place, the not-yet-commited library-immutable diff leaves 1 page of libc (malloc related) and 6 non-RTLD_NODELETE libraries mutable in chrome. Everything else is immutable, except for the program's transient memory allocations & file mappings. This is an unexpected result.
2022-11-09dlopen() with RTLD_NODELETE should also set the object nodelete flag,Theo de Raadt
so the mapping layer will know it can use mimmutable()
2022-11-09Since the introduction of automatic immutable from the kernel, the munmap()Theo de Raadt
of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for 32-bit arm, tested by phessler
2022-11-08In the new scheme, the main executable object needs to be markedTheo de Raadt
nodelete, so that _dl_relro() will immutable it's relro.
2022-11-08Since the introduction of automatic immutable from the kernel, the munmap()Theo de Raadt
of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for riscv64, tested by jca
2022-11-08Instead of unmapping boot.text, and then a future allocation could land inTheo de Raadt
the gap, mmap a fresh MAP_FIXED MAP_ANON PROT_NONE and make it immutable for good measure ok guenther kettenis
2022-11-07Missed an ALIGN (which I will admit I do not understand, this is voodoo)Theo de Raadt
2022-11-07Since the introduction of automatic immutable from the kernel, the munmap()Theo de Raadt
of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. Similar changes for other architectures coming after more testing. ok kettenis and guenther seemed to like it also
2022-11-07Use variable and shorter logic for NFS checkKlemens Nanni
No need to hardcode a parent path if we can reuse an existing variable for the specific path that is in being used. Negate the file system type in df(1) so the `|| exit 1' can be dropped in favour of the errexit option, as is done for everything else in there. Clarify the comment how this is intentionally NOT logged, i.e. the test happens before the error trap/syslog/logfile handling. OK millert
2022-11-07Set up logger(1) traps earlier to catch logfile setup failuresKlemens Nanni
If /usr is mounted read-only, kernel relinking fails silently without any log trace: # /usr/libexec/reorder_kernel /usr/libexec/reorder_kernel[35]: cannot create /usr/share/relink/kernel/GENERIC.MP/relink.log: Read-only file system This stderr line does not show up anywhere because init(8) redirects stdout and stderr to /dev/null, executes rc(8) which inherits it and thus executes reorder_kernel with both streams discarded. So install the error handler first, then try to set up a log file. Introduce ERRMSG to provide error messages to users, i.e. not say "see .../relink.log" when creating this file is what failed: # ksh ./reorder_kernel.sh ./reorder_kernel.sh[40]: cannot create /usr/share/relink/kernel/GENERIC.MP/relink.log: Read-only file system # tail -n1 /var/log/message # or xconsole(1) Nov 7 10:51:00 eru reorder_kernel.sh: failed OK tb
2022-11-07dtors were broken by trying to reuse DF_1_NODELETE to hint that thisTheo de Raadt
library would never unload, and could be immutable. Pass a seperate flag for our purposes Noticed from regress tests by anton, ok kettenis
2022-11-06TEXTREL binaries are loaded without immutable on un-writeable sections.Theo de Raadt
After text relocations are finished, these regions (in the binary) can become immutable. OPENBSD_MUTABLE section always overlaps writeable LOADs, so don't be afraid of that case, it's covered.
2022-11-06ld.so wants to make it's own RELRO immutable, which is obviously doneTheo de Raadt
right after it does mprotect PROT_READ.
2022-11-06Library RELRO sections are excluded from the immutable list, because ld.soTheo de Raadt
tweaks them quite late. _dl_relro() is called when that work is done, and the final mprotect PROT_READ happens. Then we can make mark it immutable. ok kettenis
2022-11-06When loading startup libraries, pass DF_1_NODELETE to indicate these areTheo de Raadt
unloadable libraries. This allows us make consider making parts of those libraries immutable (in future commits) ok guenther kettenis
2022-11-05The /var/run/ld.so.hints file is mapped into memory. It is never replaced,Theo de Raadt
so the mapping can be immutable. ok kettenis
2022-11-05teach ld.so how to call the mimmutable() system callTheo de Raadt
ok kettenis
2022-10-28Implement support for DT_MIPS_RLD_MAP_REL.Mark Kettenis
ok deraadt@
2022-10-23add a little spacing and fix Nd;Jason McIntyre
2022-10-23sort Xr; remove '.' after Nd textJonathan Gray
2022-10-23new sentence, new lineJonathan Gray
2022-09-01Import snmpd_metrics.Martijn van Duren
This contains snmpd's mib.c (and friends) adjusted for libagentx. This standalone binary is to be used by snmpd to achieve privilege separation. If people need net-snmpd, but want some of the base snmpd metrics they can start this binary as a normal daemon and connect to net-snmpd's agentx socket. Tested, Feedback, and OK sthen@ Release build test, and OK tb@
2022-10-16don't use | operator where || was intendedJonathan Gray
ok gnezdo@ kn@ martijn@
2022-09-01Import snmpd_metrics.Martijn van Duren
This contains snmpd's mib.c (and friends) adjusted for libagentx. This standalone binary is to be used by snmpd to achieve privilege separation. If people need net-snmpd, but want some of the base snmpd metrics they can start this binary as a normal daemon and connect to net-snmpd's agentx socket. Tested, Feedback, and OK sthen@ Release build test, and OK tb@
2022-09-05Do not perform out-of-bounds arrray accesses for bogus relocation type values.Miod Vallat
2022-09-02Use a shorter system call invocation template for system calls in the rangeMiod Vallat
0-127, where immediate addressing can be used to load the system call number in r0, rather than performing a memory load using pc-relative addressing. No functional change, but rm(1) runs a couple cycles faster per file now.
2022-09-01Hook up snmpd_metricsMartijn van Duren
OK tb@, sthen@
2022-09-01Import snmpd_metrics.Martijn van Duren
This contains snmpd's mib.c (and friends) adjusted for libagentx. This standalone binary is to be used by snmpd to achieve privilege separation. If people need net-snmpd, but want some of the base snmpd metrics they can start this binary as a normal daemon and connect to net-snmpd's agentx socket. Tested, Feedback, and OK sthen@ Release build test, and OK tb@
2022-08-29use ansi volatile keyword, not __volatile__Jonathan Gray
ok miod@ guenther@
2022-08-20Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@Stuart Henderson
2022-07-29Mention that ttyflags needs to be run to update per-device flags.Todd C. Miller
Also includes some minor cleanup inspired by the NetBSD version. OK jmc@ sthen@
2022-06-14Document search orderKlemens Nanni
Explain when and how LD_LIBRARY_PATH, DT_RUNPATH and DT_RPATH are used. Input OK guenther
2022-05-24Address the clang 13 "changed binding to STB_WEAK" warning on arm (32bit):Philip Guenther
* add _?ENTRY_NB to arm/asm.h * make sure ld.so's arm asm bits see the same includes as libc * switch libc's arm bits to the generic DEFS.h * switch arm ASM bits from ENTRY to ENTRY_NB as necessary ok kettenis@ miod@
2022-05-13If $KERNEL_DIR.tgz exists, reorder_kernel updates the destination forStuart Henderson
logged stdout output, but forgot to handle stderr. Fix that so that the error log includes stderr output in that case (otherwise the log is usually empty). From Lauri Tirkkonen, plus comment adjusted. ok tb
2022-05-10Prevent out-of-bounds array access with binaries that use unsupportedMark Kettenis
relocations. ok guenther@
2022-05-01Prevent out-of-bounds array access with binaries that use unsupportedMark Kettenis
relocations. ok guenther@
2022-03-31man pages: add missing commas between subordinate and main clausesChristian Weisgerber
jmc@ dislikes a comma before "then" in a conditional, so leave those untouched. ok jmc@
2022-03-31'e' is no longer an optional element for ober_scanf_elements.Martijn van Duren
This caused the last attribute to be dropped. Reported by Allan Streib (astreib <at> fastmail <dot> fm) Reminded by Raf Czlonka (rczlonka <at> gmail <dot> com) OK tb@ claudio@
2022-02-22disable further calls to unveil(2)Ricardo Mestre
pointed out by brynet@
2022-02-21unveil(2) "/dev" read-only instead of using chroot(2)/chdir(2). after callingRicardo Mestre
the latter the program then also calls stat(2) and therefore it never actually worked correctly since they were added almost 20 years now. while here remove an implementation detail from the manpage which covered the chroot part. pointed out by and ok deraadt@
2022-01-31Nothing depends on archdep.h pulling in other #includes anymore,Philip Guenther
so delete the #includes and hide the RELOC_* functions that are only used by lib/csu behind "#ifdef RCRT0" matches the others and it's hard to see how it will fail
2022-01-31Inline RELOC_* into boot_md.c and simplify the code based on whatPhilip Guenther
we can verify at build time. Track dt_pltgot as an Elf_Addr instead of an Elf_Addr* to eliminat casts on both setting and using. Set RELATIVE_RELOC so the ld.so Makefile can verify that it has just the relocation types we expect. Nothing depends on archdep.h pulling in other #includes anymore, so delete the #includes and hide the RELOC_* functions that are only used by lib/csu behind "#ifdef RCRT0" Tested with full build.
2022-01-28Update comment: struct link_map is defined in <link_elf.h>Philip Guenther
noted by miod
2022-01-18Avoid pulling sys/param.h, by using _ALIGN instead.Theo de Raadt
sys/time.h now gets NBBY and howmany() also ok guenther
2022-01-17Stop supporting a GOT with only one reserved entry in static PIEPhilip Guenther
and ld.so itself: support for that in dynamic objects was removed in 2010. Inline RELOC_GOT() into boot_md.c and clean up the result like boot.c, snag just the three DT_MIPS_* tags needed, and delete the error case which is verified at build time. ok visa@
2022-01-17Nothing depends on archdep.h pulling in other #includes anymore,Philip Guenther
so delete the #includes and hide the RELOC_* functions that are only used by lib/csu behind "#ifdef RCRT0" these are the ones I tested; kettenis@ was on board with the concept
2022-01-16Nothing depends on archdep.h pulling in other #includes anymore,Philip Guenther
so delete the #includes and hide the RELOC_* functions that are only used by lib/csu behind "#ifdef RCRT0" ok jca@
2022-01-16Nothing depends on archdep.h pulling in other #includes anymore,Philip Guenther
so delete the #includes and hide the RELOC_* functions that are only used by lib/csu behind "#ifdef RCRT0" ok kettenis@
2022-01-16Nothing depends on archdep.h pulling in other #includes anymore,Philip Guenther
so delete the #includes and hide the RELOC_* functions that are only used by lib/csu behind "#ifdef RCRT0" ok aoyama@