enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.
For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page. For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program. Hopefully at least go gets
fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs. We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with
annotations for symbol visibility. changes to one should be reflected
in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into
the kernel and build subr_tree.c itself now.
mild enthusiasm from many
ok guenther@
Add sysctl kern.allowkmem (default 0) which controls the ability to open
/dev/mem or /dev/kmem at securelevel > 0. Over 15 years we converted 99%
of utilities in the tree to operate on sysctl-nodes (either by themselves
or via code hiding in the guts of -lkvm).
pstat -d and -v & procmap are affected and continued use of them will
require kern.allowkmem=1 in /etc/sysctl.conf. acpidump (and it's
buddy sendbug) are affected, but we'll work out a solution soon.
There will be some impact in ports.
ok kettenis guenther
it also does proper traversal of the tree (ie, it does FOREACH)
which in turn uses MIN and NEXT operations to iterate over the whole
tree. theyre complicated and need code.
so for now this pulls in subr_tree.c from the kernel and builds it
as part of procmap. that allows for traversal of the RBT using the
same code that the kernel uses.
it is a bit ugly though because procmap updates the pointers between
items in the tree so they point at local copies instead of kernel
addresses. its made worse because RBT code has pointers between
rb_entry structs, not between the nodes.
im putting this in now to unbreak the tree. it can be polished after
coffee/naps.
The name cache walking code got adapted to the new name cache layout.
Along with the previous commit, procmap is now able to map a vnode
to a filename as long as it is in the name cache.
"nice stuff" deraadt@
Otherwise procmap interprets the uvm_vnode contents as a vnode,
yielding bogus values. This should cure the
"procmap: invalid address (ffffffffffffffff) == -1 vs. 656 @ ffffffffffffffff"
error messages that appear sporadically.
ok deraadt@
am_maxslot represents the total number of slots an amap can be extended
to. Since we do not extend amaps, this field as well as rounding the
number of slots to the next malloc bucket is not useful.
This also removes the corresponding output from procmap(1).
ok kettenis@
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis
prepping for a coming kernel change. we need to call sysctl for
all the procs to get their vmspace pointer, then we drop, then
we go grovelling. ok deraadt
specifically, rewrite them to permit some markup in the column headers,
and use "Ta" instead of literal tabs; mandoc does not currently match groff
100%, but a mandoc fix may be some time off, and we've gone enough releases
with poorly formatting column lists.
in some cases i have rewritten the lists as -tag, where -column made
little sense.
vmmap is designed to perform address space randomized allocations,
without letting fragmentation of the address space go through the roof.
Some highlights:
- kernel address space randomization
- proper implementation of guardpages
- roughly 10% system time reduction during kernel build
Tested by alot of people on tech@ and developers.
Theo's machines are still happy.
While it is a terribly cool idea, it's just awful and since noone has stepped
up to the plate to keep it up with the current vop state, retire it to the
attic.
ok krw@, deraadt@, guenther@, miod@.
comments from jmc@
This eliminates the large single namecache hash table, and implements
the name cache as a global lru of entires, and a redblack tree in each
vnode. It makes cache_purge actually purge the namecache entries associated
with a vnode when a vnode is recycled (very important for later on actually being
able to resize the vnode pool)
This commit does #if 0 out a bunch of procmap code that was
already broken before this change, but needs to be redone completely.
Tested by many, including in thib's nfs test setup.
ok oga@,art@,thib@,miod@
jmc
deraadt
otto
dlg
stefan
kettenis
doug
guenther
tedu
schwarze
dcoppa
miod
ariane
thib
beck
sobrado