From: deraadt Date: Sun, 6 Nov 2022 19:28:48 +0000 (+0000) Subject: At present, mprotect(2) may reduce permissions on immutable pages marked X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=7fb87189462824a9fc16d2f279ee3951e00b428d;p=openbsd At present, mprotect(2) may reduce permissions on immutable pages marked PROT_READ | PROT_WRITE to the less permissive PROT_READ. This one-way operation is permitted for an introductory period to observe how software uses this mechanism. It may change to require explicit mutable region annotation with __attribute__((section(".openbsd.mutable"))) and explicit calls to mimmutable(). ^^^ Decided we'll do that for now, since we've only discovered one program trying to be clever so far (chrome is trying to do something smart, and mimmutable makes it even better) discussed with kettenis and robert --- diff --git a/lib/libc/sys/mimmutable.2 b/lib/libc/sys/mimmutable.2 index fe13dde429c..423efc6ec35 100644 --- a/lib/libc/sys/mimmutable.2 +++ b/lib/libc/sys/mimmutable.2 @@ -1,4 +1,4 @@ -.\" $OpenBSD: mimmutable.2,v 1.1 2022/10/07 15:21:04 deraadt Exp $ +.\" $OpenBSD: mimmutable.2,v 1.2 2022/11/06 19:28:48 deraadt Exp $ .\" .\" Copyright (c) 1991, 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" @(#)mimmutable.2 8.1 (Berkeley) 6/9/93 .\" -.Dd $Mdocdate: October 7 2022 $ +.Dd $Mdocdate: November 6 2022 $ .Dt MIMMUTABLE 2 .Os .Sh NAME @@ -81,3 +81,17 @@ The .Fn mimmutable function first appeared in .Ox 7.3 . +.Sh CAVEATS +.Pp +At present, +.Xr mprotect 2 +may reduce permissions on immutable pages marked +.Dv PROT_READ | PROT_WRITE +to the less permissive +.Dv PROT_READ . +This one-way operation is permitted for an introductory period to observe how +software uses this mechanism. +It may change to require explicit mutable region annotation with +.Va __attribute__((section(".openbsd.mutable"))) +and explicit calls to +.Fn mimmutable .
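Review bot: In the third hunk (the new CAVEATS section), the `.Pp` immediately after `.Sh CAVEATS` is redundant: mdoc already starts a fresh paragraph at every section header, and mandoc's lint mode flags a paragraph macro in that position as one it skips. Suggest dropping that line so `.Sh CAVEATS` is followed directly by `At present,`. A smaller point in the same hunk: `.Va` is the macro for variable names, while `__attribute__((section(".openbsd.mutable")))` is a compiler attribute, so `.Li` would mark it up as a literal without implying it is a variable. Nothing in the patch changes kernel behaviour; it only documents the current one-way downgrade from `PROT_READ | PROT_WRITE` to `PROT_READ` on immutable mappings and warns that the annotation plus explicit `mimmutable()` call may later become mandatory, which matches the commit message's stated intent for the introductory period.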