for process kills due to execve from non-pinned syscall address, export

a new AEXECVE bit to acct(4), and print it in lastcomm(8)
ok bluhm

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 01f9223..5ee43ba 100644 (file)
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_exec.c,v 1.245 2023/02/17 18:08:32 deraadt Exp $ */
+/*     $OpenBSD: kern_exec.c,v 1.246 2023/02/21 14:31:07 deraadt Exp $ */
 /*     $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $  */
 
 /*-
@@ -278,6 +278,7 @@ sys_execve(struct proc *p, void *v, register_t *retval)
            (pc >= vm->vm_execve_end || pc < vm->vm_execve)) {
                printf("%s(%d): execve %lx outside %lx-%lx\n", pr->ps_comm,
                    pr->ps_pid, pc, vm->vm_execve, vm->vm_execve_end);
+               p->p_p->ps_acflag |= AEXECVE;
                sigabort(p);
                return (0);
        }

diff --git a/sys/sys/acct.h b/sys/sys/acct.h
index dce3283..6a7f51d 100644 (file)
--- a/sys/sys/acct.h
+++ b/sys/sys/acct.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: acct.h,v 1.12 2022/02/22 17:22:28 deraadt Exp $       */
+/*     $OpenBSD: acct.h,v 1.13 2023/02/21 14:31:07 deraadt Exp $       */
 /*     $NetBSD: acct.h,v 1.16 1995/03/26 20:23:52 jtc Exp $    */
 
 /*-
@@ -59,13 +59,14 @@ struct acct {
        dev_t     ac_tty;               /* controlling tty, or -1 */
        pid_t     ac_pid;               /* process id */
 
-#define        AFORK   0x01                    /* fork'd but not exec'd */
-#define        AMAP    0x04                    /* system call or stack mapping violation */
-#define        ACORE   0x08                    /* dumped core */
-#define        AXSIG   0x10                    /* killed by a signal */
-#define        APLEDGE 0x20                    /* killed due to pledge violation */
-#define        ATRAP   0x40                    /* memory access violation */
-#define        AUNVEIL 0x80                    /* unveil access violation */
+#define        AFORK   0x00000001              /* fork'd but not exec'd */
+#define        AMAP    0x00000004              /* system call or stack mapping violation */
+#define        ACORE   0x00000008              /* dumped core */
+#define        AXSIG   0x00000010              /* killed by a signal */
+#define        APLEDGE 0x00000020              /* killed due to pledge violation */
+#define        ATRAP   0x00000040              /* memory access violation */
+#define        AUNVEIL 0x00000080              /* unveil access violation */
+#define        AEXECVE 0x00000100              /* execve from wrong libc stub */
        u_int32_t ac_flag;              /* accounting flags */
 };
 

diff --git a/usr.bin/lastcomm/lastcomm.1 b/usr.bin/lastcomm/lastcomm.1
index bd297d6..5fc0bb1 100644 (file)
--- a/usr.bin/lastcomm/lastcomm.1
+++ b/usr.bin/lastcomm/lastcomm.1
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: lastcomm.1,v 1.24 2019/09/09 20:02:26 bluhm Exp $
+.\"    $OpenBSD: lastcomm.1,v 1.25 2023/02/21 14:31:07 deraadt Exp $
 .\"    $NetBSD: lastcomm.1,v 1.5 1995/10/22 01:43:41 ghudson Exp $
 .\"
 .\" Copyright (c) 1980, 1990, 1993
@@ -30,7 +30,7 @@
 .\"
 .\"    @(#)lastcomm.1  8.1 (Berkeley) 6/6/93
 .\"
-.Dd $Mdocdate: September 9 2019 $
+.Dd $Mdocdate: February 21 2023 $
 .Dt LASTCOMM 1
 .Os
 .Sh NAME
@@ -105,6 +105,12 @@ The flags are encoded as follows:
 The command terminated with the generation of a
 .Pa core
 file.
+.It Li E
+The command terminated because it tried to
+.Xr execve 2
+in violation of
+.Xr pinsyscall 2
+policy.
 .It Li F
 The command ran after
 a fork, but without a following

diff --git a/usr.bin/lastcomm/lastcomm.c b/usr.bin/lastcomm/lastcomm.c
index 21106b6..2307873 100644 (file)
--- a/usr.bin/lastcomm/lastcomm.c
+++ b/usr.bin/lastcomm/lastcomm.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: lastcomm.c,v 1.32 2023/02/01 00:03:38 bluhm Exp $     */
+/*     $OpenBSD: lastcomm.c,v 1.33 2023/02/21 14:31:07 deraadt Exp $   */
 /*     $NetBSD: lastcomm.c,v 1.9 1995/10/22 01:43:42 ghudson Exp $     */
 
 /*
@@ -177,6 +177,7 @@ flagbits(int f)
        BIT(APLEDGE, 'P');
        BIT(ATRAP, 'T');
        BIT(AUNVEIL, 'U');
+       BIT(AEXECVE, 'E');
        *p = '\0';
        return (flags);
 }