Date: Mon, 11 Jan 2021 16:34:02 -0800 From: John Baldwin <jhb@FreeBSD.org> To: Konstantin Belousov <kib@FreeBSD.org>, src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: Re: git: 2e1c94aa1fd5 - main - Implement enforcing write XOR execute mapping policy. Message-ID: <8f0f88f5-2a4b-a11d-7b9c-892443184b15@FreeBSD.org> In-Reply-To: <202101112322.10BNMFFE035513@gitrepo.freebsd.org> References: <202101112322.10BNMFFE035513@gitrepo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 1/11/21 3:22 PM, Konstantin Belousov wrote: > The branch main has been updated by kib: > > URL: https://cgit.FreeBSD.org/src/commit/?id=2e1c94aa1fd582fb8ae0522f0827be719ff5fb67 > > commit 2e1c94aa1fd582fb8ae0522f0827be719ff5fb67 > Author: Konstantin Belousov <kib@FreeBSD.org> > AuthorDate: 2021-01-08 22:40:04 +0000 > Commit: Konstantin Belousov <kib@FreeBSD.org> > CommitDate: 2021-01-11 23:15:43 +0000 > > Implement enforcing write XOR execute mapping policy. > > It is checked in vm_map_insert() and vm_map_protect() that PROT_WRITE | > PROT_EXEC are never specified together, if vm_map has MAP_WX flag set. > FreeBSD control flag allows specific binary to request WX exempt, and > there are per ABI boolean sysctls kern.elf{32,64}.allow_wx to enable/ > disable globally. > > Reviewed by: emaste, jhb > Sponsored by: The FreeBSD Foundation > Differential Revision: https://reviews.freebsd.org/D28050 Relnotes: yes (or maybe do an update to RELNOTES?) To be clear though, this doesn't set the default to enforcing W^X, it just adds a knob that can be set to enforce that on most binaries. My guess is that the plan is to get some testing/exposure of this on head (e.g. doing an exp-run with this set would probably be a good test?) and then flip the default to enable this restriction in the future? -- John Baldwin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8f0f88f5-2a4b-a11d-7b9c-892443184b15>