path: root/sys/kern/kern_exec.c
2019-02-08  Alexander Bluhm
    Fix stack info leak in execve(2). There are 2x4 bytes of padding in struct ps_strings. from NetBSD; OK deraadt@ guenther@ visa@
2018-10-30  Theo de Raadt
    If we execute a #!shell binary, the shell is an integral part of the binary so it should bypass unveil restrictions. This is similar (but different...) to how the ELF linker (ld.so) is loaded (after unveils get dropped). Discovered in doas, due to more accurate unveil semantics. ok guenther tedu beck
2018-08-05  Bob Beck
    Decouple unveil from the pledge flags, by adding dedicated unveil flags to the namei args. This fixes a bug where chmod would be allowed with only READ. This also allows some further cleanup of some awkward things like PLEDGE_STAT that will follow. Lots of assistance from semarie@ - thanks! ok semarie@
2018-07-20  Theo de Raadt
    Remove a few leftovers from the days of emulation, which could result in a bad/corrupt binary not returning ENOEXEC but some other error. ok guenther kettenis bluhm
2018-07-13  Bob Beck
    Unveiling unveil(2). This brings unveil into the tree, disabled by default - currently this will return EPERM on all attempts to use it until we are fully certain it is ready for people to start using, but this now allows for others to do more tweaking and experimentation. Still needs to send the unveils across forks and execs before fully enabling. Many thanks to robert@ and deraadt@ for extensive testing. ok deraadt@
2018-06-18  Martin Pieuchot
    Put file descriptors on shared data structures when they are completely setup, take 3. LARVAL fd still exist, but they are no longer marked with a flag and no longer reachable via `fd_ofiles[]' or the global linked list. This allows us to simplify a lot of code grabbing new references to fds. All of this is now possible because dup2(2) refuses to clone LARVAL fds. Note that the `fdplock' could now be released in all open(2)-like syscalls, just like it is done in accept(2). With inputs from Mathieu Masson, visa@, guenther@ and art@. Previous version ok bluhm@, ok visa@, sthen@
2018-06-05  Martin Pieuchot
    Revert introduction of fdinsert(), a sanity check triggers when closing a LARVAL file. Found the hard way by sthen@.
2018-06-02  Martin Pieuchot
    Put file descriptors on shared data structures when they are completely setup. LARVAL fd still exist, but they are no longer marked with a flag and no longer reachable via `fd_ofiles[]'. This allows us to simplify a lot of code grabbing new references to fds. All of this is now possible because dup2(2) refuses to clone LARVAL fds. Note that the `fdplock' could now be released in all open(2)-like syscalls, just like it is done in accept(2). With inputs from Mathieu -, visa@, guenther@ and art@. ok visa@, bluhm@
2018-04-28  Visa Hankala
    Clean up the parameters of VOP_LOCK() and VOP_UNLOCK(). It is always curproc that does the locking or unlocking, so the proc parameter is pointless and can be dropped. OK mpi@, deraadt@
2018-04-27  Martin Pieuchot
    Move FREF() inside fd_getfile(). ok visa@
2018-01-02  Philip Guenther
    Stop assuming <sys/file.h> will pull in fcntl.h when _KERNEL is defined. ok millert@ sthen@
2018-01-01  Florian Obser
    free(9) sizes for sys_execve. Convert the hand rolled loop to strlcpy which gives us the size for free(9). OK visa
2017-12-19  Stefan Kempf
    Remove unused ps_stackgap from process struct. Nothing uses this field since Linux compat was removed. ok mpi@ deraadt@ guenther@
2017-12-12  Theo de Raadt
    pledge()'s 2nd argument becomes char *execpromises, which becomes the pledge for a new execve image immediately upon start. Also introduces "error" which makes violations return -1 ENOSYS instead of killing the program ("error" may not be handed to a setuid/setgid program, which may be missing/ignoring syscall return values and would continue with inconsistent state). Discussion with many. florian has used this to improve the strictness of a daemon.
2017-08-29  Theo de Raadt
    Remove old deactivated pledge path code. A replacement mechanism is being brewed. ok beck
2017-04-13  Philip Guenther
    Provide mips64 with kernel-facing TCB_{GET,SET} macros that store it in struct mdproc. With that, all archs have those and the __HAVE_MD_TCB macro can be unifdef'ed as always defined. ok kettenis@ visa@ jsing@
2017-02-11  Philip Guenther
    Add a flags argument to falloc() that lets it optionally set the close-on-exec flag on the newly allocated fd. Make falloc()'s return arguments non-optional: assert that they're not NULL. ok mpi@ millert@
2017-02-08  Philip Guenther
    Delete the obsolete fork/exec/exit emulation hooks. ok mpi@ dlg@
2017-01-21  Philip Guenther
    p_comm is the process's command and isn't per thread, so move it from struct proc to struct process. ok deraadt@ kettenis@
2016-10-22  Philip Guenther
    Delete dead copy of pr->ps_vmspace; uvmspace_exec() can change it anyway. ok kettenis@ jsing@
2016-09-03  Jeremie Courreges-Anglas
    Reset PS_WXNEEDED in execve(2). The new process should inherit wxneeded perms from the ELF executable only, not from the former process. Solution improved by guenther@, ok guenther@ deraadt@, ok tedu@ on a similar diff.
2016-06-11  Mark Kettenis
    Cleanup some systrace leftovers. ok jca@, guenther@
2016-05-30  Theo de Raadt
    Identify W^X labelled binaries at execve() time based upon WX_OPENBSD_WXNEEDED flag set by ld -zwxneeded. Such binaries are allowed to run only on wxallowed mountpoints. They do not report mmap/mprotect problems. Rate limit mmap/mprotect reports from other binaries. These semantics are chosen to encourage progress in the ports ecosystem, without overwhelming the developers who work in the area. ok sthen kettenis
2016-05-30  Theo de Raadt
    backout to insert correct commit message
2016-05-30  Theo de Raadt
    *** empty log message ***
2016-05-23  Theo de Raadt
    Place a cpu-dependent trap/illegal instruction over the remainder of the sigtramp page, so that it will generate a nice kernel fault if touched. While here, move most of the sigtramps to the .rodata segment, because they are not executed in the kernel. Also some preparation for sliding the actual sigtramp forward (will need some gdb changes). ok mlarkin kettenis
2016-05-10  Theo de Raadt
    SROP mitigation. sendsig() stores a (per-process ^ &sigcontext) cookie inside the sigcontext. sigreturn(2) checks syscall entry was from the exact PC addr in the (per-process ASLR) sigtramp, verifies the cookie, and clears it to prevent sigcontext reuse. not yet tested on landisk, sparc, *88k, socppc. ok kettenis
2016-04-25  Ted Unangst
    boom goes the dynamite
2016-03-19  natano
    Remove the unused flags argument from VOP_UNLOCK(). torture tested on amd64, i386 and macppc. ok beck mpi stefan, "the change looks right" deraadt
2016-03-06  Philip Guenther
    No more compat emulations, so remove ktrace EMUL records and the baggage for generating and parsing them. ok mpi@ naddy@ millert@ deraadt@
2015-12-05  Ted Unangst
    remove stale lint annotations
2015-11-02  Sebastien Marie
    move the pledgenote annotation from `struct proc' to `struct nameidata'. pledgenote is used to annotate the policy for a namei context. So make it track the nameidata. It is expected for the caller to explicitly define the policy. It is a kernel bug to not do so. ok deraadt@
2015-10-28  Theo de Raadt
    move p_pledgenote setting next to NDINIT()
2015-10-25  Theo de Raadt
    Fold "malloc" into "stdio" and -- recognizing that no program so far has used less than "stdio" -- include all the "self" operations. Instead of different defines, use regular PLEDGE_* in the "p_pledgenote" variable (which indicates the operation subtype a system call is performing). Many checks before easier to understand. p_pledgenote can often be passed directly to ktrace, so that kdump says:
        15565 test CALL pledge(0xa9a3f804c51,0)
        15565 test STRU pledge request="stdio"
        15565 test RET pledge 0
        15565 test CALL open(0xa9a3f804c57,0x2<O_RDWR>)
        15565 test NAMI "/tmp/testfile"
        15565 test PLDG open, "wpath", errno 1 Operation not permitted
    with help from semarie, ok guenther
2015-10-10  Theo de Raadt
    I forgot execve would go through the namei codepath, so a program marked "stdio rpath" would fail to execve. pre-indicate exec actions to the namei checker to allow them through. ok semarie
2015-10-09  Theo de Raadt
    Rename tame() to pledge(). This fairly interface has evolved to be more strict than anticipated. It allows a programmer to pledge/promise/covenant that their program will operate within an easily defined subset of the Unix environment, or it pays the price.
2015-10-07  Theo de Raadt
    Add the tame "exec" request. This allows processes which request "exec" to call execve(2), potentially fork(2) beforehand if they asked for "proc". Calling execve is what "shells" (ksh, tmux, etc) have as their primary purpose. But meantime, if such a shell has a nasty bug, we want to mitigate the process from opening a socket or calling 100+ other system calls. Unfortunately silver bullets are in short supply, so if our goal is to stay in a POSIX-y environment, we have to let shells call execve(). POSIX ate the world, so what choices do we all have? Warning for many: silver bullets are even more rare in other OS ecosystems, so please accept this as a narrow lowering of the bar in a very raised environment. Committed from a machine running tame "proc exec" ksh, make, etc.
2015-10-02  Theo de Raadt
    missing ) in COMPAT_LINUX block
2015-10-02  Philip Guenther
    Add ktracing of argv and envp to execve(2), with envp not traced by default. ok tedu@ deraadt@
2015-09-28  Theo de Raadt
    Track size of an opaque allocation to pass to free() later. ok guenther tedu
2015-07-22  Theo de Raadt
    memory leak in execve with systrace, plus some unreachable code. spotted by Maxime Villard. ok guenther millert
2015-07-20  Philip Guenther
    Add kbind, a syscall for ld.so to use to securely and efficiently update memory for lazy binding. ok deraadt@
2015-03-14  Jonathan Gray
    Remove some includes include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels. ok tedu@ deraadt@
2015-02-09  Miod Vallat
    Change the way stackgap_random is applied. Instead of applying it within the fixed stack area of the exec'd image, and risking hitting process limits, should we want to increase stackgap_random, the randomness is applied to the stack region in the process' vmspace.
2015-02-09  Miod Vallat
    Stop using USRSTACK as the edge of the stack, but rather use the vmspace vm_minsaddr or vm_maxsaddr, depending upon the direction the stack goes in. This should have no effect on the existing behaviour. ok kettenis@ deraadt@
2015-02-07  Ted Unangst
    forbid execve() with argc == 0. prompted by a millert email. ok deraadt miod
2015-01-26  Mark Kettenis
    Move the "stackgap" from the stack into its own page at a random address. This allows us to unmap the initial part of the stack, such that it can't be used as a staging area for ROP (or other) attacks. ok guenther@, tedu@
2015-01-20  Mark Kettenis
    Move ps_strings "after" the random stackgap. This makes its location a per-process value, and therefore turns the VM_PSSTRINGS sysctl into a per-process one as well. This gets rid of a pointer to the bottom of the stack at a fixed location. Also clears the road for unmapping the stackgap. ok deraadt@
2015-01-15  Mark Kettenis
    Map the sigcode page with MAP_INHERIT_COPY to make sure it isn't shared after a fork. ok deraadt@
2015-01-15  Mark Kettenis
    Map the sigcode page copy-on-write. This allows userland to put breakpoints in the signal trampoline. Solves some long-standing issues with debugging signal handlers in GDB. ok deraadt@