git: 2e1c94aa1fd5 - main - Implement enforcing write XOR execute mapping policy.
John Baldwin
jhb at FreeBSD.org
Tue Jan 12 00:34:04 UTC 2021
On 1/11/21 3:22 PM, Konstantin Belousov wrote:
> The branch main has been updated by kib:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=2e1c94aa1fd582fb8ae0522f0827be719ff5fb67
>
> commit 2e1c94aa1fd582fb8ae0522f0827be719ff5fb67
> Author: Konstantin Belousov <kib at FreeBSD.org>
> AuthorDate: 2021-01-08 22:40:04 +0000
> Commit: Konstantin Belousov <kib at FreeBSD.org>
> CommitDate: 2021-01-11 23:15:43 +0000
>
> Implement enforcing write XOR execute mapping policy.
>
> It is checked in vm_map_insert() and vm_map_protect() that PROT_WRITE |
> PROT_EXEC are never specified together, if vm_map has MAP_WX flag set.
> FreeBSD control flag allows specific binary to request WX exempt, and
> there are per ABI boolean sysctls kern.elf{32,64}.allow_wx to enable/
> disable globally.
>
> Reviewed by: emaste, jhb
> Sponsored by: The FreeBSD Foundation
> Differential Revision: https://reviews.freebsd.org/D28050
Relnotes: yes (or maybe do an update to RELNOTES?)
To be clear though, this doesn't set the default to enforcing W^X, it just
adds a knob that can be set to enforce that on most binaries. My guess is
that the plan is to get some testing/exposure of this on head (e.g. doing
an exp-run with this set would probably be a good test?) and then flip the
default to enable this restriction in the future?
--
John Baldwin
More information about the dev-commits-src-all
mailing list