From: kettenis
Date: Mon, 24 Apr 2023 10:22:06 +0000 (+0000)
Subject: Abuse the wxallowed flag to decide whether we should enforce branch target
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=08af7499ad5eeb62accf102fea9ce8cb0555e357;p=openbsd

Abuse the wxallowed flag to decide whether we should enforce branch target or not. The idea is that since /usr/local has wxallowed by default this will enable enforcement for base while leaving ports alone for now. This will help us transition to a state where ports are properly marked and allow us to establish that base is really clean.

Also add an exception for chrome. Chrome already appears to be clean on arm64 and this exception can be easily modified for testing other ports.

This will screw over people that deliberately disable wxallowed on /usr/local or who don't have a separate partition for /usr/local. We think that is an acceptable compromise for the next months.

ok robert@, deraadt@ (who came up with the idea)
---
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 5ee43baf74a..b705a52e491 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_exec.c,v 1.246 2023/02/21 14:31:07 deraadt Exp $ */ +/* $OpenBSD: kern_exec.c,v 1.247 2023/04/24 10:22:06 kettenis Exp $ */ /* $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $ */ /*- @@ -531,6 +531,18 @@ sys_execve(struct proc *p, void *v, register_t *retval) if (otvp) vrele(otvp); + /* + * XXX As a transition mechanism, we don't enforce branch + * target control floe integrety on partitions mounted with + * the wxallowed flag. + */ + if (pr->ps_textvp->v_mount && + (pr->ps_textvp->v_mount->mnt_flag & MNT_WXALLOWED)) + pack.ep_flags |= EXEC_NOBTCFI; + /* XXX XXX But enable it for chrome. */ + if (strcmp(p->p_p->ps_comm, "chrome") == 0) + pack.ep_flags &= ~EXEC_NOBTCFI; + atomic_setbits_int(&pr->ps_flags, PS_EXEC); if (pr->ps_flags & PS_PPWAIT) { atomic_clearbits_int(&pr->ps_flags, PS_PPWAIT);
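Review bot: In the sys_execve hunk, the chrome exception `if (strcmp(p->p_p->ps_comm, "chrome") == 0)` matches on the command name alone and then clears EXEC_NOBTCFI unconditionally, so it applies to any executable named chrome and it undoes the flag no matter why it was set, not only when the MNT_WXALLOWED check just above set it. Since the commit message says this exception is meant to be edited for testing other ports, the "XXX XXX" comment should say that the match is by name rather than by path or vnode, and the clear could be nested inside the wxallowed branch if it is only meant to reverse that case. The same line reaches the process through `p->p_p` while the surrounding lines use `pr`; if both refer to the same process here, `pr->ps_comm` would be more consistent. The new block comment also has a typo: "control floe integrety" should read "control flow integrity".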