1 /* $NetBSD: kern_pax.c,v 1.17 2007/09/21 19:14:12 dsl Exp $ */ 2 3 /*- 4 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
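 */

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.17 2007/09/21 19:14:12 dsl Exp $");

#include "opt_pax.h"

#include <sys/param.h>
#include <sys/proc.h>
#include <sys/exec_elf.h>
#include <sys/pax.h>
#include <sys/sysctl.h>
#include <sys/malloc.h>
#include <sys/fileassoc.h>
#include <sys/syslog.h>
#include <sys/vnode.h>
#include <sys/queue.h>
#include <sys/kauth.h>

#ifdef PAX_MPROTECT
/* Master switch for the W^X restriction (sysctl security.pax.mprotect.enabled). */
static int pax_mprotect_enabled = 1;
/*
 * Non-zero: every process is restricted unless its ELF note explicitly
 * opts out.  Zero: only processes whose ELF note opts in are restricted.
 */
static int pax_mprotect_global = PAX_MPROTECT;

/* Per-process specificdata slot holding one of the PAX_MPROTECT_EXPLICIT_* markers. */
specificdata_key_t pax_mprotect_key;
#endif

#ifdef PAX_SEGVGUARD
/* Seconds a crash-count window stays open before it is reset. */
#ifndef PAX_SEGVGUARD_EXPIRY
#define PAX_SEGVGUARD_EXPIRY		(2 * 60)
#endif

/* Seconds a program is refused execution once it exceeded the crash limit. */
#ifndef PAX_SEGVGUARD_SUSPENSION
#define PAX_SEGVGUARD_SUSPENSION	(10 * 60)
#endif

/* Crashes within one window that trigger a suspension. */
#ifndef PAX_SEGVGUARD_MAXCRASHES
#define PAX_SEGVGUARD_MAXCRASHES	5
#endif

/* All of these are exported read/write under sysctl security.pax.segvguard. */
static int pax_segvguard_enabled = 1;
static int pax_segvguard_global = PAX_SEGVGUARD;
static int pax_segvguard_expiry = PAX_SEGVGUARD_EXPIRY;
static int pax_segvguard_suspension = PAX_SEGVGUARD_SUSPENSION;
static int pax_segvguard_maxcrashes = PAX_SEGVGUARD_MAXCRASHES;

/* fileassoc hook id under which a struct pax_segvguard_entry hangs off a vnode. */
static fileassoc_t segvguard_id;
/* Per-process specificdata slot holding one of the PAX_SEGVGUARD_EXPLICIT_* markers. */
specificdata_key_t pax_segvguard_key;

/*
 * Crash bookkeeping for one (image, uid) pair.  Times are absolute
 * seconds as reported by microtime(); zero means "not set".
 */
struct pax_segvguard_uid_entry {
	uid_t sue_uid;
	size_t sue_ncrashes;		/* crashes seen in the current window */
	time_t sue_expiry;		/* end of the current crash-count window */
	time_t sue_suspended;		/* execution refused until this time */
	LIST_ENTRY(pax_segvguard_uid_entry) sue_list;
};

/* Per-image entry attached to the vnode via fileassoc: one uid entry per crashing user. */
struct pax_segvguard_entry {
	LIST_HEAD(, pax_segvguard_uid_entry) segv_uids;
};

static void pax_segvguard_cb(void *);
#endif /* PAX_SEGVGUARD */

/*
 * PaX internal setspecific flags.  Stored as opaque pointer-sized markers
 * in the per-process specificdata slots above; only compared for
 * identity, never dereferenced.
 */
#define PAX_MPROTECT_EXPLICIT_ENABLE	((void *)0x01)
#define PAX_MPROTECT_EXPLICIT_DISABLE	((void *)0x02)
#define PAX_SEGVGUARD_EXPLICIT_ENABLE	((void *)0x03)
#define PAX_SEGVGUARD_EXPLICIT_DISABLE	((void *)0x04)

/*
 * Build the security.pax sysctl subtree.  Each feature gets its own node
 * with "enabled" and "global" knobs; segvguard additionally exposes its
 * timeouts and crash limit.  The knobs bind directly to the static
 * variables above, so there is no range validation on write.
 */
SYSCTL_SETUP(sysctl_security_pax_setup, "sysctl security.pax setup")
{
	const struct sysctlnode *rnode = NULL, *cnode;

	sysctl_createv(clog, 0, NULL, &rnode,
		       CTLFLAG_PERMANENT,
		       CTLTYPE_NODE, "security", NULL,
		       NULL, 0, NULL, 0,
		       CTL_SECURITY, CTL_EOL);

	sysctl_createv(clog, 0, &rnode, &rnode,
		       CTLFLAG_PERMANENT,
		       CTLTYPE_NODE, "pax",
		       SYSCTL_DESCR("PaX (exploit mitigation) features."),
		       NULL, 0, NULL, 0,
		       CTL_CREATE, CTL_EOL);

	/* Remember the "pax" node so each feature subtree starts from it. */
	cnode = rnode;

#ifdef PAX_MPROTECT
	sysctl_createv(clog, 0, &rnode, &rnode,
		       CTLFLAG_PERMANENT,
		       CTLTYPE_NODE, "mprotect",
		       SYSCTL_DESCR("mprotect(2) W^X restrictions."),
		       NULL, 0, NULL, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "enabled",
		       SYSCTL_DESCR("Restrictions enabled."),
		       NULL, 0, &pax_mprotect_enabled, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "global",
		       SYSCTL_DESCR("When enabled, unless explicitly "
				    "specified, apply restrictions to "
				    "all processes."),
		       NULL, 0, &pax_mprotect_global, 0,
		       CTL_CREATE, CTL_EOL);
#endif /* PAX_MPROTECT */

	rnode = cnode;

#ifdef PAX_SEGVGUARD
	sysctl_createv(clog, 0, &rnode, &rnode,
		       CTLFLAG_PERMANENT,
		       CTLTYPE_NODE, "segvguard",
		       SYSCTL_DESCR("PaX segvguard."),
		       NULL, 0, NULL, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "enabled",
		       SYSCTL_DESCR("segvguard enabled."),
		       NULL, 0, &pax_segvguard_enabled, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "global",
		       SYSCTL_DESCR("segvguard all programs."),
		       NULL, 0, &pax_segvguard_global, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "expiry_timeout",
		       SYSCTL_DESCR("Entry expiry timeout (in seconds)."),
		       NULL, 0, &pax_segvguard_expiry, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "suspend_timeout",
		       SYSCTL_DESCR("Entry suspension timeout (in seconds)."),
		       NULL, 0, &pax_segvguard_suspension, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "max_crashes",
		       SYSCTL_DESCR("Max number of crashes before expiry."),
		       NULL, 0, &pax_segvguard_maxcrashes, 0,
		       CTL_CREATE, CTL_EOL);
#endif /* PAX_SEGVGUARD */
}

/*
 * Initialize PaX: allocate the per-process specificdata keys and, for
 * segvguard, register the fileassoc hook whose callback releases the
 * per-image crash table when the vnode's association is dropped.
 * A failed fileassoc registration is fatal (panic).
 */
void
pax_init(void)
{
#ifdef PAX_SEGVGUARD
	int error;
#endif /* PAX_SEGVGUARD */

#ifdef PAX_MPROTECT
	proc_specific_key_create(&pax_mprotect_key, NULL);
#endif /* PAX_MPROTECT */

#ifdef PAX_SEGVGUARD
	error = fileassoc_register("segvguard", pax_segvguard_cb,
	    &segvguard_id);
	if (error) {
		panic("pax_init: segvguard_id: error=%d\n", error);
	}
	proc_specific_key_create(&pax_segvguard_key, NULL);
#endif /* PAX_SEGVGUARD */
}

/*
 * Record a process's explicit PaX preferences, taken from the ELF note
 * flags f, in its specificdata slots.  Nothing is recorded while the
 * corresponding feature is disabled, and if both the enable and disable
 * bits of one feature are set the disable marker wins because it is
 * stored last.
 */
void
pax_adjust(struct lwp *l, uint32_t f)
{
#ifdef PAX_MPROTECT
	if (pax_mprotect_enabled) {
		if (f & ELF_NOTE_PAX_MPROTECT)
			proc_setspecific(l->l_proc, pax_mprotect_key,
			    PAX_MPROTECT_EXPLICIT_ENABLE);
		if (f & ELF_NOTE_PAX_NOMPROTECT)
			proc_setspecific(l->l_proc, pax_mprotect_key,
			    PAX_MPROTECT_EXPLICIT_DISABLE);
	}
#endif /* PAX_MPROTECT */

#ifdef PAX_SEGVGUARD
	if (pax_segvguard_enabled) {
		if (f & ELF_NOTE_PAX_GUARD)
			proc_setspecific(l->l_proc, pax_segvguard_key,
			    PAX_SEGVGUARD_EXPLICIT_ENABLE);
		if (f & ELF_NOTE_PAX_NOGUARD)
			proc_setspecific(l->l_proc, pax_segvguard_key,
			    PAX_SEGVGUARD_EXPLICIT_DISABLE);
	}
#endif /* PAX_SEGVGUARD */
}

#ifdef PAX_MPROTECT
/*
 * Enforce W^X on a mapping request for process l.  prot and maxprot are
 * adjusted in place so that no mapping is both writable and executable:
 * a request that is not exactly "execute" (i.e. has write set, or has
 * neither bit) loses execute; a request that is exactly "execute" loses
 * write.  Does nothing when the feature is disabled or the process is
 * not covered (per the global policy and its explicit marker).
 */
void
pax_mprotect(struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot)
{
	void *t;

	if (!pax_mprotect_enabled)
		return;

	t = proc_getspecific(l->l_proc, pax_mprotect_key);
	if ((pax_mprotect_global && t == PAX_MPROTECT_EXPLICIT_DISABLE) ||
	    (!pax_mprotect_global && t != PAX_MPROTECT_EXPLICIT_ENABLE))
		return;

	if ((*prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) != VM_PROT_EXECUTE) {
		*prot &= ~VM_PROT_EXECUTE;
		*maxprot &= ~VM_PROT_EXECUTE;
	} else {
		*prot &= ~VM_PROT_WRITE;
		*maxprot &= ~VM_PROT_WRITE;
	}
}
#endif /* PAX_MPROTECT */

#ifdef PAX_SEGVGUARD
/*
 * fileassoc cleanup callback: free the per-image crash table v (a
 * struct pax_segvguard_entry) and every uid entry hanging off it.
 */
static void
pax_segvguard_cb(void *v)
{
	struct pax_segvguard_entry *p;
	struct pax_segvguard_uid_entry *up;

	if (v == NULL)
		return;

	p = v;
	while ((up = LIST_FIRST(&p->segv_uids)) != NULL) {
		LIST_REMOVE(up, sue_list);
		free(up, M_TEMP);
	}

	free(v, M_TEMP);
}

/*
 * Allocate a uid entry recording a first crash at time now for uid.
 * The crash-count window closes pax_segvguard_expiry seconds later.
 * M_WAITOK: the allocation sleeps rather than fails.  Caller owns the
 * result and is expected to link it into an entry's segv_uids list.
 */
static struct pax_segvguard_uid_entry *
pax_segvguard_uid_new(uid_t uid, time_t now)
{
	struct pax_segvguard_uid_entry *up;

	up = malloc(sizeof(*up), M_TEMP, M_WAITOK);
	up->sue_uid = uid;
	up->sue_ncrashes = 1;
	up->sue_expiry = now + pax_segvguard_expiry;
	up->sue_suspended = 0;

	return (up);
}

/*
 * Called when a process of image vp generated a segfault (crashed ==
 * true) and when an image is about to be executed (crashed == false).
 * name is the program name used in log messages and may be NULL.
 *
 * Returns 0 to allow, EPERM when an execution is refused because the
 * (image, uid) pair is currently suspended, and EFAULT when vp is NULL.
 * Crash bookkeeping is best-effort: a crash that cannot be recorded is
 * simply not counted.
 */
int
pax_segvguard(struct lwp *l, struct vnode *vp, const char *name,
    bool crashed)
{
	struct pax_segvguard_entry *p;
	struct pax_segvguard_uid_entry *up;
	struct timeval tv;
	uid_t uid;
	void *t;
	int error;

	if (!pax_segvguard_enabled)
		return (0);

	t = proc_getspecific(l->l_proc, pax_segvguard_key);
	if ((pax_segvguard_global && t == PAX_SEGVGUARD_EXPLICIT_DISABLE) ||
	    (!pax_segvguard_global && t != PAX_SEGVGUARD_EXPLICIT_ENABLE))
		return (0);

	if (vp == NULL)
		return (EFAULT);

	/* Check if we already monitor the file. */
	p = fileassoc_lookup(vp, segvguard_id);

	/* Fast-path if starting a program we don't know. */
	if (p == NULL && !crashed)
		return (0);

	microtime(&tv);
	uid = kauth_cred_getuid(l->l_cred);

	/*
	 * If a program we don't know crashed, we need to create a new entry
	 * for it.  Only crashed == true reaches this point with p == NULL.
	 */
	if (p == NULL) {
		p = malloc(sizeof(*p), M_TEMP, M_WAITOK);
		LIST_INIT(&p->segv_uids);

		/*
		 * Publish the entry only after it is fully initialised.
		 * fileassoc_add() can fail (e.g. an entry got attached to
		 * this vnode between the lookup above and here); without
		 * this check the allocation would leak and the crash would
		 * still go unrecorded, so free it and stay best-effort.
		 */
		error = fileassoc_add(vp, segvguard_id, p);
		if (error) {
			free(p, M_TEMP);
			return (0);
		}

		/*
		 * Initialize a new entry with "crashes so far" of 1.
		 * The expiry time is when we purge the entry if it didn't
		 * reach the limit.
		 */
		up = pax_segvguard_uid_new(uid, tv.tv_sec);
		LIST_INSERT_HEAD(&p->segv_uids, up, sue_list);

		return (0);
	}

	/*
	 * A program we "know" either executed or crashed again.
	 * See if it's a culprit we're familiar with; up is NULL when the
	 * loop runs to completion without a match.
	 */
	LIST_FOREACH(up, &p->segv_uids, sue_list) {
		if (up->sue_uid == uid)
			break;
	}

	/*
	 * It's someone else. Add an entry for him if we crashed.
	 */
	if (up == NULL) {
		if (crashed) {
			up = pax_segvguard_uid_new(uid, tv.tv_sec);
			LIST_INSERT_HEAD(&p->segv_uids, up, sue_list);
		}

		return (0);
	}

	if (crashed) {
		/*
		 * Check if timer on previous crashes expired first.  A
		 * suspended entry has sue_expiry == 0, so a crash of an
		 * already-running instance during suspension also lands
		 * here and restarts the count with the suspension cleared.
		 */
		if (up->sue_expiry < tv.tv_sec) {
			log(LOG_INFO, "PaX Segvguard: [%s] Suspension"
			    " expired.\n", name ? name : "unknown");

			up->sue_ncrashes = 1;
			up->sue_expiry = tv.tv_sec + pax_segvguard_expiry;
			up->sue_suspended = 0;

			return (0);
		}

		up->sue_ncrashes++;

		/*
		 * NOTE(review): size_t vs. int comparison -- a negative
		 * max_crashes written via sysctl converts to a huge value
		 * and silently disables suspension; 0 suspends on every
		 * crash.
		 */
		if (up->sue_ncrashes >= pax_segvguard_maxcrashes) {
			log(LOG_ALERT, "PaX Segvguard: [%s] Suspending "
			    "execution for %d seconds after %zu crashes.\n",
			    name ? name : "unknown", pax_segvguard_suspension,
			    up->sue_ncrashes);

			/* Suspend this program for a while. */
			up->sue_suspended = tv.tv_sec + pax_segvguard_suspension;
			up->sue_ncrashes = 0;
			up->sue_expiry = 0;
		}
	} else {
		/* Are we supposed to be suspended? */
		if (up->sue_suspended > tv.tv_sec) {
			log(LOG_ALERT, "PaX Segvguard: [%s] Preventing "
			    "execution due to repeated segfaults.\n", name ?
			    name : "unknown");

			return (EPERM);
		}
	}

	return (0);
}
#endif /* PAX_SEGVGUARD */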