Commits · hardened/current/noexec · HardenedBSD / HardenedBSD

10 Mar, 2015 37 commits

HBSD LOG: improve the log, and add new line · 94cac32c
Oliver Pinter authored Mar 07, 2015
```
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
94cac32c
HBSD LOG: use the pax_log_internal_imgp in pax_elf.c · 047a2dcc
Oliver Pinter authored Mar 07, 2015
```
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
047a2dcc
HBSD LOG: improve and refactor the logging stuff · f5b3d773
Oliver Pinter authored Mar 07, 2015
```
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
f5b3d773
HBSD LOG: added 0x prefix to %b · 85a73f22
Oliver Pinter authored Mar 06, 2015
```
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
85a73f22
HBSD LOG: disable logical invertion and style · 26f9a637
Oliver Pinter authored Mar 06, 2015
```
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
26f9a637
HBSD LOG: simplify and rationalize the warning messages · 21bcab12
Oliver Pinter authored Mar 04, 2015
```
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
21bcab12
HBSD LOG: improve logging; do not print paxflags in pax_elf time · 0c047365
Oliver Pinter authored Mar 04, 2015
```
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
0c047365
HBSD LOG: improve pax state logging · 39067c48
Oliver Pinter authored Mar 04, 2015
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
39067c48

HBSD NOEXEC: no feed new line · 6798e568

Oliver Pinter authored Mar 04, 2015

github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>

6798e568

HBSD NOEXEC: fix build and extend DDB to print out NOEXEC's status · af96768f
Oliver Pinter authored Mar 04, 2015
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
af96768f
HBSD NOEXEC: fix build after rebase · 01397256
Oliver Pinter authored Mar 04, 2015
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
01397256
HBSD NOEXEC: fix build, which breaked in dd5248b0 · 37bffa12
Oliver Pinter authored Dec 03, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
```
37bffa12

HBSD NOEXEC: unify some code · 6678286d

Oliver Pinter authored Dec 03, 2014

github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>

6678286d

HBSD NOEXEC: get ride of PAX_PAGEEXEC and PAX_MPROTECT knob, and use PAX_NOEXEC instead · 0ef1da30
Oliver Pinter authored Dec 03, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
0ef1da30
HBSD NOEXEC: use the new API in sys_obreak · b8a64536
Oliver Pinter authored Dec 03, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
b8a64536
HBSD NOXEC: add pax_noexec_n{x,w}(...) function, to enforce constraints · 56ba0104
Oliver Pinter authored Dec 03, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
56ba0104
HBSD NOEXEC: add the ability to change maxprot in imgact's mapping functions · 2a90bc8d
Oliver Pinter authored Dec 02, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
2a90bc8d
HBSD NOEXEC: chage pax_{pageexec,mprotect} signature, to follow the previous change · a3c37faa
Oliver Pinter authored Dec 02, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
a3c37faa

HBSD NOEXEC: change prot type in sys_mmap and in sys_obreak to keep in sync... · 386c7e69

Oliver Pinter authored Dec 02, 2014

HBSD NOEXEC: change prot type in sys_mmap and in sys_obreak to keep in sync with other part of vm's code

github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>

386c7e69

HBSD NOEXEC: enable PAX_PAGEEXEC and PAX_MPROTECT in HARDENEDBSD kernel config · 2946ac8e
Oliver Pinter authored Dec 02, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
```
2946ac8e
HBSD NOEXEC: restrict sys_obreak with PAGEEXEC and MPROTECT · f5b0fb39
Oliver Pinter authored Nov 30, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
f5b0fb39
HBSD NOEXEC: use maxprot variable in vm_map_insert · 68848050
Oliver Pinter authored Nov 30, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
68848050
HBSD NOEXEC: fix typo in pax_mprotect(...) and in pax_elf(...) · ebda6fa5
Oliver Pinter authored Nov 30, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
```
ebda6fa5
HBSD NOEXEC: add new flags to validation · 84696f96
Oliver Pinter authored Nov 29, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
84696f96
HBSD NOEXEC: fix build if PAX_MPROTECT not set · f5b1ed0a
Oliver Pinter authored Nov 29, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
f5b1ed0a
HBSD NOEXEC: add KTR debug messages · 07416b21
Oliver Pinter authored Nov 29, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
07416b21
HBSD NOEXEC: change pax_{pageexec,segvguard} parameter type · 1f0a5fc3
Oliver Pinter authored Nov 29, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
1f0a5fc3
HBSD NOEXEC: hook in pax_{pageexec,mprotect} · c5c401f6
Oliver Pinter authored Nov 29, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
c5c401f6
HBSD NOEXEC: remove old basic version of mprotect hardening · a7bb424e
Oliver Pinter authored Nov 29, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
a7bb424e
HBSD NOEXEC: implement pax_mprotect_enforce(...) · 87edae54
Oliver Pinter authored Nov 29, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
87edae54
HBSD NOEXEC: implement pax_{pageexec,mprotect} · 23e9d778
Oliver Pinter authored Nov 29, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
23e9d778
HBSD NOEXEC: prepare default status · ae7aa9f0
Oliver Pinter authored Nov 29, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
ae7aa9f0
HBSD PAGEEXEC: added initial framwork · 4e994d39
Oliver Pinter authored Nov 29, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
4e994d39
HBSD MPROTECT: added PAX_PAGEEXEC option · 614c920a
Oliver Pinter authored Nov 29, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
614c920a
HBSD MPROTECT: rename hardenedbsd/hbsd_pax_mprotect.c -> hardenedbsd/hbsd_pax_noexec.c · 4c3dde0e
Oliver Pinter authored Nov 29, 2014
```
github-issue: #37

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
4c3dde0e
HBSD: enable PAX_MPROTECT in OP-HBSD kernel config · 76fc7142
Oliver Pinter authored Nov 29, 2014
```
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
```
76fc7142

PAX MPROTECT: added initial glues · aa35d55b

Oliver Pinter authored Nov 29, 2014

[...]
20:31 <_op_> pax mprotect-nel PROT_MAY{READ,WRITE,EXEC} mennyire tori a mar meglevo implementaciokat?
20:31 <_op_> Az megvan, hogy a nem letezo flagekre az mmap hibat ad vissza, de gyakorlatban ez mennyi alkalmazas kb?
20:32 <pipacs> a MAY* flageket a kernel tartja nyilvan, userland nem befolyasolja
20:32 <pipacs> kb mint a MAXPROT bsd alatt asszem
[...]
20:33 <pipacs> az mprotect elvesz par MAY* flaget a W^X megvalositasa erdekeben (mmap idoben), amitol kesobbi mprotect-ek mar nem engednek W-X atmenetet egyik iranyban sem
20:33 <pipacs> minden program elhasal ezen ami futasidoben akarna kodot generalni
20:33 <_op_> igen, maxprotta kell atforditani bsd-k alatt, csak a _MAY*-ot latom celszerunek kivezetni userland-be, ha mar te ugy csinaltad, es legyen mar ilyen szinten kompatibilis a ketto
20:33 <pipacs> mondom, a MAY* flageket nem latja/befolyasolja a userland
20:34 <pipacs> bar anno volt ra otlet hogy jo lenne ha tudna kontrollalni egy app de ehhez kozossegi konszenzus kene hiszen posix api-rol van szo
20:34 <pipacs> azota se lett belole semmi :)
20:34 <_op_> akkor a draftban meg ez van benne
20:35 <pipacs> ehelyett paxban a kernel probal okoskodni pl. TEXTREL meg RELRO ugyben
20:35 <pipacs> ja hat az a doksi azert eleg regi mar, valtoztak azota a dolgok
20:36 <_op_> az alapjan kezdtem el indulni es kb megvan, hogy hogy lehet attolni a rendszeren az uj flageket, csak gondoltam elotte rakerdezek, hogy mennyire esszeru
20:36 <pipacs> en azt mondom hogy ha MPROTECT-et akartok csinalni, akkor csak ovatosan, mert sokan fognak rinyalmi miatta ;)
[...]
20:36 <_op_> nincs az a vilag, hogy az attoljuk rajtuk
20:36 <pipacs> desktopon az osszes bongeszo a jit enginek miatt, java, ffi, stb
20:37 <pipacs> szerveren java/v8 jatszik leginkabb
20:37 <_op_> akkor emutramp-ot is meg kell csinalni ffi miatt
20:37 <pipacs> ja meg az opengl csoda libek ;)
20:38 <_op_> multkor lattam valamit kint twitteren toletek, hogy az nvidia alkotott valamit az ugyben
20:38 <pipacs> igen, az lenne a masik szukseges lepes ha minel kevesebb programon akartok kivetelt (marmint tiltani az MPROTECT-et)
20:38 <pipacs> spender volt az, vmi user irt egy gentoo forumra hogy az nvidia nyar ota lehetove teszi a runtime codegen tiltast
20:38 <_op_> errol van valami doksi, hogy milyen kodokat kell emulalni, vagy nezzem meg nalatok?
20:38 <pipacs> azt persze nem irtak le a jokepesseguek hogy ez mivel jar (gyanitom lassulassal)
20:39 <pipacs> pax ketfele kodszekvenciat emulal alapvetoen: gcc nested function trampoline (ebbol van par verzio, de nem veszes), es ujabban libffi trampoline-t is
20:39 <pipacs> esetleg ha fbsd meg a vermen tolja a sigreturn kodot, akkor azt is emulalni kell nektek (vagy megirni rendesen mint linux alatt, ahol a vdso-ba van kitolva)
20:40 <_op_> vermen van, jobban mondva vdso helyett csak egy shared page-en
20:40 <pipacs> nvidia doksirol nem tudok, asszem a changelogban van ket sor erejeig megemlitve csak
20:40 <_op_> ami a verem tejen van, viszont szeparalhato
20:41 <pipacs> az is jo, a lenyeg hogy nem legyen irhato memoria userlandbol
[...]

github-issue: #37

Discussed-by: PaX Team <pageexec@freemail.hu>
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>

aa35d55b

06 Mar, 2015 3 commits
- Merge remote-tracking branch 'freebsd/master' into hardened/current/master · cf48aca8
  Oliver Pinter + authored Mar 06, 2015
  
  cf48aca8
- Update the ELFOSABI_* constants. · 58f62559
  ed authored Mar 06, 2015
```
Two new operating systems have been added in the meantime.
ELFOSABI_FENIXOS that uses value 16 (published in the latest draft) and
ELFOSABI_CLOUDABI that uses value 17 (to be published in the next draft).
```
  58f62559
- Fix style. · 66f825e5
  br authored Mar 06, 2015
  
  66f825e5