From: Svatopluk Kraus
To: John Baldwin
Cc: Konstantin Belousov, freebsd-current@freebsd.org
Date: Mon, 1 Oct 2012 17:11:34 +0200
Subject: Re: [patch] mmap() MAP_TEXT implementation (to use for shared libraries)
In-Reply-To: <201209071540.43013.jhb@freebsd.org>
List-Id: Discussions about the use of FreeBSD-current

On Fri, Sep 7, 2012 at 9:40 PM, John Baldwin wrote:
> On Friday, September 07, 2012 2:41:20 pm Konstantin Belousov wrote:
>> > I think these would be rare? There's no good reason for anything to write to
>> > a shared library that I can think of. install(1) does an atomic rename to swap
>> > in the new libraries already.
>>
>> After a second thought, I do not like your proposal as well. +x is set for
>> shebang scripts, and allowing PROT_EXEC to set VV_TEXT for them means
>> that such scripts are subject for write denial.
>
> Yeah, that's fair. Also, I hunted around to find the description of MAP_TEXT
> in Solaris 11. It seems from reading that that MAP_TEXT on Solaris isn't used
> to prevent writes ala VV_TEXT. Instead, it is used as a hint that is
> apparently used to use superpages for text.
>
> --
> John Baldwin

Hi,

I'd like to finish this thread somehow. For security's sake, it looks like
binding VV_TEXT with MAP_TEXT is not a good idea. Now, I see only two
possibilities for how to solve the shared libraries issue in general.

1. To have one more permission flag, first for files on which VV_TEXT
   can be set and second for files on which VV_TEXT may not be set.
2. To activate shared libraries in the kernel.

The whole situation is as follows. There are two basic kinds of binaries
in the system. The first ones only need to be activated, the second ones
need to be interpreted by an interpreter which is activated already.
While activation is a concern of the kernel and should be done in the
kernel, interpretation is a concern of an interpreter and as such is done
in userland. Unfortunately, even though so different in nature, both share
the x+ permission and can't be distinguished by it. The shared libraries
issue is that even though they can be activated only, they are interpreted
by the dynamic linker instead. As VV_TEXT is a kernel flag and can be set
safely by the kernel only, there is no way to protect them by the flag in
this situation.

Svata
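
Added illustration, not part of the original message and not FreeBSD code: the message above notes that activated binaries and interpreted scripts share the same execute permission, so only the file's leading bytes tell them apart. The names classify_image and image_kind are hypothetical, and the header buffers used to exercise it are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical names: kinds of file that can all carry the same +x bit. */
enum image_kind { IMG_UNKNOWN, IMG_SCRIPT, IMG_ELF_EXEC, IMG_ELF_DYN, IMG_ELF_OTHER };

#define EI_DATA    5   /* ELF byte order: 1 = little-endian, 2 = big-endian */
#define E_TYPE_OFF 16  /* offset of the 16-bit e_type field */
#define ET_EXEC    2   /* fixed-address executable */
#define ET_DYN     3   /* shared object (also position-independent executables) */

/* Classify a file from its leading bytes; the mode bits carry no such information. */
enum image_kind classify_image(const unsigned char *hdr, size_t len)
{
    unsigned type;

    if (len >= 2 && hdr[0] == '#' && hdr[1] == '!')
        return IMG_SCRIPT;                    /* needs an interpreter */
    if (len < E_TYPE_OFF + 2 || memcmp(hdr, "\177ELF", 4) != 0)
        return IMG_UNKNOWN;
    if (hdr[EI_DATA] == 1)
        type = hdr[E_TYPE_OFF] | (unsigned)hdr[E_TYPE_OFF + 1] << 8;
    else if (hdr[EI_DATA] == 2)
        type = (unsigned)hdr[E_TYPE_OFF] << 8 | hdr[E_TYPE_OFF + 1];
    else
        return IMG_UNKNOWN;                   /* invalid EI_DATA value */
    if (type == ET_EXEC) return IMG_ELF_EXEC;
    if (type == ET_DYN)  return IMG_ELF_DYN;
    return IMG_ELF_OTHER;
}

/* Print the +x state next to the content-based kind for each path given. */
int main(int argc, char **argv)
{
    static const char *names[] = { "unknown", "script", "ELF exec", "ELF dyn", "ELF other" };
    for (int i = 1; i < argc; i++) {
        unsigned char hdr[18];
        struct stat st;
        FILE *f = fopen(argv[i], "rb");
        if (f == NULL || stat(argv[i], &st) != 0) {
            perror(argv[i]);
            if (f) fclose(f);
            continue;
        }
        size_t n = fread(hdr, 1, sizeof hdr, f);
        fclose(f);
        printf("%s: %s, %s\n", argv[i],
               (st.st_mode & 0111) ? "+x" : "no +x", names[classify_image(hdr, n)]);
    }
    return 0;
}
```

Run against a shell script and a shared library, it reports different kinds for files whose execute bits may be identical.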