Abuse the wxallowed flag to decide whether we should enforce branch target

or not.  The idea is that since /usr/local has wxallowed by default this
will enable enforcement for base while leaving ports alone for now.  This
will help us transition to a state where ports are properly marked and
allow us to establish that base is really clean.

Also add an exception for chrome.  Chrome already appears to be clean on
arm64 and this exception can be easily modified for testing other ports.

This will screw over people that deliberately disable wxallowed on
/usr/local or who don't have a separate partition for /usr/local.  We
think that is an acceptable compromise for the next months.

ok robert@, deraadt@ (who came up with the idea)

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 5ee43ba..b705a52 100644 (file)
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_exec.c,v 1.246 2023/02/21 14:31:07 deraadt Exp $ */
+/*     $OpenBSD: kern_exec.c,v 1.247 2023/04/24 10:22:06 kettenis Exp $        */
 /*     $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $  */
 
 /*-
@@ -531,6 +531,18 @@ sys_execve(struct proc *p, void *v, register_t *retval)
        if (otvp)
                vrele(otvp);
 
+       /*
+        * XXX As a transition mechanism, we don't enforce branch
+        * target control floe integrety on partitions mounted with
+        * the wxallowed flag.
+        */
+       if (pr->ps_textvp->v_mount &&
+           (pr->ps_textvp->v_mount->mnt_flag & MNT_WXALLOWED))
+               pack.ep_flags |= EXEC_NOBTCFI;
+       /* XXX XXX But enable it for chrome. */
+       if (strcmp(p->p_p->ps_comm, "chrome") == 0)
+               pack.ep_flags &= ~EXEC_NOBTCFI;
+
        atomic_setbits_int(&pr->ps_flags, PS_EXEC);
        if (pr->ps_flags & PS_PPWAIT) {
                atomic_clearbits_int(&pr->ps_flags, PS_PPWAIT);