History log of /openbsd-src/sys/kern/exec_elf.c (Results 26 – 50 of 191)
Revision Date Author Comments
# 6b79436e 12-May-2022 claudio <claudio@openbsd.org>

During coredumps only a single thread should be active, check this
by checking that it is a single threaded process or that ps_single is set.
OK mpi@


# f231ff59 09-Dec-2021 guenther <guenther@openbsd.org>

We only have one syscall table: inline sysent/SYS_MAXSYSCALL and
SYS_syscall as the nosys() function into the MD syscall entry
routines and the SYSCALL_DEBUG support. Adjust alpha's syscall
check to match the other archs. Also, make sysent const to get it
into .rodata.

With that, 'struct emul' is unused: delete it and all its references

ok millert@


# 4ed6f7c2 07-Dec-2021 guenther <guenther@openbsd.org>

Delete the last emulation callbacks: we're Just ELF, so declare
exec_elf_fixup() and coredump_elf() in <sys/exec_elf.h> and call
them and the MD setregs() directly in kern_exec.c and kern_sig.c

Also delete e_name[] (only used by sysctl), e_errno (unused), and
e_syscallnames[] (only used by SYSCALL_DEBUG) and constipate
syscallnames to 'const char *const[]'

ok kettenis@


# 5a72e03e 07-Dec-2021 guenther <guenther@openbsd.org>

Continue to delete emulation support: we only have one sigcode and
sigobject. Just use the existing globals for the former and use a
global for the latter.

ok jsg@ kettenis@


# b702d795 07-Dec-2021 guenther <guenther@openbsd.org>

Continue to delete emulation support: since we're Just ELF, the size
of the auxinfo is fixed: provide ELF_AUX_WORDS in <sys/exec_elf.h>
as a replacement for emul->e_arglen

ok millert@


# 682e3c94 06-Dec-2021 guenther <guenther@openbsd.org>

Start to delete emulation support: since we're Just ELF, make
copyargs() return 0/1 and merge elf_copyargs() into it. Rename
ep_emul_arg and ep_emul_argp to have clearer meaning and type and
eliminate ep_emul_argsize as no longer necessary. Make sure
ep_auxinfo (nee ep_emul_argp) is initialized as powerpc64 always
uses it in setregs().

ok semarie@ deraadt@ kettenis@


# 678831be 10-Mar-2021 jsg <jsg@openbsd.org>

spelling

ok gnezdo@ semarie@ mpi@


# 570e619d 08-Mar-2021 deraadt <deraadt@openbsd.org>

Remove the workaround which identified Go executables, and permitted them
to do syscalls directly. Go executables now use shared libc like all other
dynamic binaries. This makes the "where are syscalls done from" checker
strict for all binaries, and also opens the door to change the underlying
syscall ABI to the kernel in the future very easily (if we find cause).
ok jsing


# 193f316c 08-Feb-2021 mpi <mpi@openbsd.org>

Revert the conversion of per-process thread into a SMR_TAILQ.

We did not reach a consensus about using SMR to unlock single_thread_set()
so there's no point in keeping this change.


# 9e1c4ad6 17-Jan-2021 mvs <mvs@openbsd.org>

Cache parent's pid as `ps_ppid' and use it instead of `ps_pptr->ps_pid'.
This allows us to unlock getppid(2).

ok mpi@


# b21c774f 07-Dec-2020 mpi <mpi@openbsd.org>

Convert the per-process thread list into a SMR_TAILQ.

Currently all iterations are done under KERNEL_LOCK() and therefore use
the *_LOCKED() variant.

From and ok claudio@


# d82e6535 06-Jul-2020 pirofti <pirofti@openbsd.org>

Add support for timecounting in userland.

This diff exposes parts of clock_gettime(2) and gettimeofday(2) to
userland via libc, liberating processes from the need for a context
switch every time they want to count the passage of time.

If a timecounter clock can be exposed to userland then it needs to set
its tc_user member to a non-zero value. Tested with one or multiple
counters per architecture.

The timing data is shared through a pointer found in the new ELF
auxiliary vector AUX_openbsd_timekeep containing timehands information
that is frequently updated by the kernel.

Timing differences between the last kernel update and the current time
are adjusted in userland by the tc_get_timecount() function inside the
MD usertc.c file.

This permits a much more responsive environment, quite visible in
browsers, office programs and gaming (apparently one is able to fly
in Minecraft now).

Tested by robert@, sthen@, naddy@, kmos@, phessler@, and many others!

OK from at least kettenis@, cheloha@, naddy@, sthen@


# 61e8dc34 25-Jan-2020 deraadt <deraadt@openbsd.org>

The ELF NOTE parser would only inspect the first NOTE for 'OpenBSD'.
Furthermore the parser was unaware a NOTE could contain multiple
records. The scanner has been rewritten. Another bonus bug: if the
binary was labelled as OPENBSD ABI, NOTE parsing was completely
skipped so WXNEEDED wasn't learned either...

Now that NOTEs are scanned correctly, search for the 'Go' NOTE. (During
this work found the Go linker produces slightly broken NOTEs - Go team
will probably fix that).

Work is happening for our Go dynamic-binaries to use libc syscall
stubs, but the change isn't ready. Go (and reportedly free-pascal
also?) binaries are the only dynamic programs which require syscalls
in the main-program. Since Go binaries are now identifiable, we can
disable syscalls in all other regular dynamic-main-programs, gaining
the strict enforcement we want. When the Go-libc-stub change
arrives we'll delete the Go NOTE scan and treat Go binaries same as
regular binaries.

This change probably breaks free-pascal, a lower priority item to repair.

some discussion with jsing, ok kettenis


# aa9cdba3 09-Dec-2019 deraadt <deraadt@openbsd.org>

typo


# e5041725 29-Nov-2019 deraadt <deraadt@openbsd.org>

Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularly for remote problems. Less effective once on-host
since the libraries can be read.

For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page. For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)

For dynamic binaries, we continue to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program. Hopefully at least go gets
fixed soon.

We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs. We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.

This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.

ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen


# 788422d6 13-May-2019 bluhm <bluhm@openbsd.org>

When killing a process, the signal is handled by any thread that
does not block the signal. If all threads block the signal, we
delivered it to the main thread. This does not conform to POSIX.
If any thread unblocks the signal, it should be delivered immediately
to this thread.
Mark such signals pending at the process instead of a single thread.
Then any thread can handle it later.
OK kettenis@ guenther@


# 6cd8480a 11-May-2019 deraadt <deraadt@openbsd.org>

wxneeded binaries on wxallowed filesystems were refused execution. We have
encountered a wxneeded binary that attempts correct operation when started
on a nowxallowed filesystem (it tries mprotect with RWX, notices ENOTSUP
and acts in a different way). So permit execution (but of course don't
allow W^X violating mappings)
ok sthen kettenis robert


# f0b7d25f 09-May-2019 guenther <guenther@openbsd.org>

If mallocing the array program header fails, give up on coredumping
instead of panicking

ok deraadt@, tedu@, mpi@


# 81f2257f 20-Apr-2019 deraadt <deraadt@openbsd.org>

#define ELFROUNDSIZE 4 /* XXX Should it be sizeof(Elf_Word)? */
Now that alpha is fixed, we can use sizeof().


# 8ad5423e 06-Dec-2018 guenther <guenther@openbsd.org>

Core files with >65535 sections have to use PN_XNUM and a section header
to pass the real count, with a minimal .shstrtab segment for consistency.
Also, add support for PN_XNUM to readelf.

problem reported and testing by claudio@
ok kettenis@


# e1a6e226 05-Aug-2018 beck <beck@openbsd.org>

Decouple unveil from the pledge flags, by adding dedicated unveil flags
to the namei args. This fixes a bug where chmod would be allowed when
with only READ. This also allows some further cleanup of some awkward
things like PLEDGE_STAT that will follow
Lots of assistance from semarie@ - thanks!
ok semarie@


# 68a19ea9 20-Jul-2018 deraadt <deraadt@openbsd.org>

Remove a few leftovers from the days of emulation, which could result in
a bad/corrupt binary not returning ENOEXEC but some other error.
ok guenther kettenis bluhm


# 65ea7d4a 20-Jul-2018 kettenis <kettenis@openbsd.org>

Fail if a PT_LOAD segment has a memory size of 0. This prevents a panic
later on, and it makes no sense for a binary to have such a segment.

ok bluhm@, guenther@


# 4cf51ffb 10-Jul-2018 guenther <guenther@openbsd.org>

Move from sendsig() to its callers the initsiginfo() calls and
instead of passing sendsig() the code+type+val, pass a siginfo_t*
to copy from. Eliminate the indirection through struct emul for
sendsig(); we no longer have a SunOS4-compat version of sendsig()

ok deraadt@


# c0cd3489 30-Dec-2017 guenther <guenther@openbsd.org>

Don't pull in <sys/file.h> just to get fcntl.h

ok deraadt@ krw@
