From 0a857551e1573bf3b4aaf3c95be44b577c130436 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Tue, 21 Feb 2023 14:31:07 +0000
Subject: [PATCH] for process kills due to execve from non-pinned syscall address, export a new AEXECVE bit to acct(4), and print it in lastcomm(8) ok bluhm

---
 sys/kern/kern_exec.c | 3 ++-
 sys/sys/acct.h | 17 +++++++++--------
 usr.bin/lastcomm/lastcomm.1 | 10 ++++++++--
 usr.bin/lastcomm/lastcomm.c | 3 ++-
 4 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 01f92235e3b..5ee43baf74a 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_exec.c,v 1.245 2023/02/17 18:08:32 deraadt Exp $ */
+/* $OpenBSD: kern_exec.c,v 1.246 2023/02/21 14:31:07 deraadt Exp $ */
 /* $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $ */
 
 /*-
@@ -278,6 +278,7 @@ sys_execve(struct proc *p, void *v, register_t *retval)
 	    (pc >= vm->vm_execve_end || pc < vm->vm_execve)) {
 		printf("%s(%d): execve %lx outside %lx-%lx\n", pr->ps_comm,
 		    pr->ps_pid, pc, vm->vm_execve, vm->vm_execve_end);
+		p->p_p->ps_acflag |= AEXECVE;
 		sigabort(p);
 		return (0);
 	}
diff --git a/sys/sys/acct.h b/sys/sys/acct.h
index dce3283b12c..6a7f51ddf3b 100644
--- a/sys/sys/acct.h
+++ b/sys/sys/acct.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: acct.h,v 1.12 2022/02/22 17:22:28 deraadt Exp $ */
+/* $OpenBSD: acct.h,v 1.13 2023/02/21 14:31:07 deraadt Exp $ */
 /* $NetBSD: acct.h,v 1.16 1995/03/26 20:23:52 jtc Exp $ */
 
 /*-
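Review bot: The added line in the sys_execve hunk reaches the process as `p->p_p->ps_acflag` while the two printf lines directly above it already use the local `pr` for the same process (`pr->ps_comm`, `pr->ps_pid`); `pr->ps_acflag |= AEXECVE;` keeps the block consistent and avoids re-deriving the pointer. Setting the flag before `sigabort(p)` is the right order, since the accounting record is only written once the process exits; the acct.h hunk of this commit shows the bit landing in the `u_int32_t ac_flag` field that acct(4) exposes. The body of sys_execve starts and ends outside the hunk, so whether this write needs the same locking as the other `ps_acflag` updates cannot be judged from here and should be checked against them.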
@@ -59,13 +59,14 @@ struct acct {
 	dev_t ac_tty; /* controlling tty, or -1 */
 	pid_t ac_pid; /* process id */
 
-#define AFORK 0x01 /* fork'd but not exec'd */
-#define AMAP 0x04 /* system call or stack mapping violation */
-#define ACORE 0x08 /* dumped core */
-#define AXSIG 0x10 /* killed by a signal */
-#define APLEDGE 0x20 /* killed due to pledge violation */
-#define ATRAP 0x40 /* memory access violation */
-#define AUNVEIL 0x80 /* unveil access violation */
+#define AFORK 0x00000001 /* fork'd but not exec'd */
+#define AMAP 0x00000004 /* system call or stack mapping violation */
+#define ACORE 0x00000008 /* dumped core */
+#define AXSIG 0x00000010 /* killed by a signal */
+#define APLEDGE 0x00000020 /* killed due to pledge violation */
+#define ATRAP 0x00000040 /* memory access violation */
+#define AUNVEIL 0x00000080 /* unveil access violation */
+#define AEXECVE 0x00000100 /* execve from wrong libc stub */
 	u_int32_t ac_flag; /* accounting flags */
 };
 
diff --git a/usr.bin/lastcomm/lastcomm.1 b/usr.bin/lastcomm/lastcomm.1
index bd297d6d686..5fc0bb1dac9 100644
--- a/usr.bin/lastcomm/lastcomm.1
+++ b/usr.bin/lastcomm/lastcomm.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: lastcomm.1,v 1.24 2019/09/09 20:02:26 bluhm Exp $
+.\" $OpenBSD: lastcomm.1,v 1.25 2023/02/21 14:31:07 deraadt Exp $
 .\" $NetBSD: lastcomm.1,v 1.5 1995/10/22 01:43:41 ghudson Exp $
 .\"
 .\" Copyright (c) 1980, 1990, 1993
@@ -30,7 +30,7 @@
 .\"
 .\" @(#)lastcomm.1 8.1 (Berkeley) 6/6/93
 .\"
-.Dd $Mdocdate: September 9 2019 $
+.Dd $Mdocdate: February 21 2023 $
 .Dt LASTCOMM 1
 .Os
 .Sh NAME
@@ -105,6 +105,12 @@ The flags are encoded as follows:
 The command terminated with the generation of a
 .Pa core
 file.
+.It Li E
+The command terminated because it tried to
+.Xr execve 2
+in violation of
+.Xr pinsyscall 2
+policy.
 .It Li F
 The command ran after a fork, but without a following
diff --git a/usr.bin/lastcomm/lastcomm.c b/usr.bin/lastcomm/lastcomm.c
index 21106b6e1d9..23078738828 100644
--- a/usr.bin/lastcomm/lastcomm.c
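Review bot: The comment on the new `AEXECVE` define in the acct.h hunk, "execve from wrong libc stub", describes the symptom from libc's point of view, whereas the kernel condition that sets it (the `pc` outside `vm_execve..vm_execve_end` check in the kern_exec.c hunk) and the lastcomm.1 text in this same commit both describe it as a pinsyscall(2) policy violation. Since acct.h is the public record format that tools other than lastcomm(8) will read, `#define AEXECVE 0x00000100 /* execve from outside the pinsyscall(2) range */` would let a reader of the header alone understand the bit without knowing how libc's stub is laid out. The widening of the other constants to eight hex digits is cosmetic and fine; the gap at 0x00000002 predates this change.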
+++ b/usr.bin/lastcomm/lastcomm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lastcomm.c,v 1.32 2023/02/01 00:03:38 bluhm Exp $ */
+/* $OpenBSD: lastcomm.c,v 1.33 2023/02/21 14:31:07 deraadt Exp $ */
 /* $NetBSD: lastcomm.c,v 1.9 1995/10/22 01:43:42 ghudson Exp $ */
 
 /*
@@ -177,6 +177,7 @@ flagbits(int f)
 	BIT(APLEDGE, 'P');
 	BIT(ATRAP, 'T');
 	BIT(AUNVEIL, 'U');
+	BIT(AEXECVE, 'E');
 	*p = '\0';
 	return (flags);
 }
-- 
2.20.1
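Review bot: The added `BIT(AEXECVE, 'E');` in flagbits() writes one more character through `p` before the `*p = '\0';` terminator, but the buffer that `flags` points at is declared outside the hunk, so the commit does not show that it still has room for the extra byte. If that array is sized to the previous number of BIT() calls, a record with every flag set now overruns it by one; please confirm the size, and a comment at the declaration such as `/* one slot per BIT() call in flagbits() plus the terminating NUL */` would keep the next flag addition honest. The start of flagbits() and the definition of the BIT macro are outside the hunk, so whether `p` is bounds-checked anywhere cannot be seen from here.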