Date: Fri, 25 Oct 2013 17:15:57 +0000 (UTC) From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r257126 - in stable/9/sys: kern sys Message-ID: <201310251715.r9PHFvfG054225@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kib Date: Fri Oct 25 17:15:57 2013 New Revision: 257126 URL: http://svnweb.freebsd.org/changeset/base/257126 Log: MFC r256504: Add a sysctl kern.disallow_high_osrel which disables executing the images compiled on the world with higher major version number than the high version number of the booted kernel. Default to disable. Modified: stable/9/sys/kern/kern_exec.c stable/9/sys/sys/param.h Directory Properties: stable/9/sys/ (props changed) stable/9/sys/sys/ (props changed) Modified: stable/9/sys/kern/kern_exec.c ============================================================================== --- stable/9/sys/kern/kern_exec.c Fri Oct 25 17:04:46 2013 (r257125) +++ stable/9/sys/kern/kern_exec.c Fri Oct 25 17:15:57 2013 (r257126) @@ -122,6 +122,11 @@ u_long ps_arg_cache_limit = PAGE_SIZE / SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW, &ps_arg_cache_limit, 0, ""); +static int disallow_high_osrel; +SYSCTL_INT(_kern, OID_AUTO, disallow_high_osrel, CTLFLAG_RW, + &disallow_high_osrel, 0, + "Disallow execution of binaries built for higher version of the world"); + static int map_at_zero = 0; TUNABLE_INT("security.bsd.map_at_zero", &map_at_zero); SYSCTL_INT(_security_bsd, OID_AUTO, map_at_zero, CTLFLAG_RW, &map_at_zero, 0, @@ -558,6 +563,15 @@ interpret: vn_fullpath(td, imgp->vp, &imgp->execpath, &imgp->freepath) != 0)) imgp->execpath = args->fname; + if (disallow_high_osrel && + P_OSREL_MAJOR(p->p_osrel) > P_OSREL_MAJOR(__FreeBSD_version)) { + error = ENOEXEC; + uprintf("Osrel %d for image %s too high\n", p->p_osrel, + imgp->execpath != NULL ? imgp->execpath : "<unresolved>"); + vn_lock(imgp->vp, LK_SHARED | LK_RETRY); + goto exec_fail_dealloc; + } + /* * Copy out strings (args and env) and initialize stack base */ Modified: stable/9/sys/sys/param.h ============================================================================== --- stable/9/sys/sys/param.h Fri Oct 25 17:04:46 2013 (r257125) +++ stable/9/sys/sys/param.h Fri Oct 25 17:15:57 2013 (r257126) @@ -80,6 +80,8 @@ #define P_OSREL_SIGWAIT 700000 #define P_OSREL_SIGSEGV 700004 #define P_OSREL_MAP_ANON 800104 + +#define P_OSREL_MAJOR(x) ((x) / 100000) #endif #ifndef LOCORE
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201310251715.r9PHFvfG054225>