From 7fb87189462824a9fc16d2f279ee3951e00b428d Mon Sep 17 00:00:00 2001 From: deraadt Date: Sun, 6 Nov 2022 19:28:48 +0000 Subject: [PATCH] At present, mprotect(2) may reduce permissions on immutable pages marked PROT_READ | PROT_WRITE to the less permissive PROT_READ. This one-way operation is permitted for an introductory period to observe how software uses this mechanism. It may change to require explicit mutable region annotation with __attribute__((section(".openbsd.mutable"))) and explicit calls to mimmutable(). ^^^ Decided we'll do that for now, since we've only discovered one program trying to be clever so far (chrome is trying to do something smart, and mimmutable makes it even better) discussed with kettenis and robert --- lib/libc/sys/mimmutable.2 | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/lib/libc/sys/mimmutable.2 b/lib/libc/sys/mimmutable.2 index fe13dde429c..423efc6ec35 100644 --- a/lib/libc/sys/mimmutable.2 +++ b/lib/libc/sys/mimmutable.2 @@ -1,4 +1,4 @@ -.\" $OpenBSD: mimmutable.2,v 1.1 2022/10/07 15:21:04 deraadt Exp $ +.\" $OpenBSD: mimmutable.2,v 1.2 2022/11/06 19:28:48 deraadt Exp $ .\" .\" Copyright (c) 1991, 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" @(#)mimmutable.2 8.1 (Berkeley) 6/9/93 .\" -.Dd $Mdocdate: October 7 2022 $ +.Dd $Mdocdate: November 6 2022 $ .Dt MIMMUTABLE 2 .Os .Sh NAME @@ -81,3 +81,17 @@ The .Fn mimmutable function first appeared in .Ox 7.3 . +.Sh CAVEATS +.Pp +At present, +.Xr mprotect 2 +may reduce permissions on immutable pages marked +.Dv PROT_READ | PROT_WRITE +to the less permissive +.Dv PROT_READ . +This one-way operation is permitted for an introductory period to observe how +software uses this mechanism. +It may change to require explicit mutable region annotation with +.Va __attribute__((section(".openbsd.mutable"))) +and explicit calls to +.Fn mimmutable . -- 2.20.1
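Review bot: in the CAVEATS hunk, the ".Pp" placed directly after ".Sh CAVEATS" is redundant and worth dropping: ".Sh" already begins a new paragraph, and mandoc -Tlint warns about a paragraph macro that immediately follows a section header. Two smaller style points in the same hunk: ".Va __attribute__((section(".openbsd.mutable")))" uses the variable-name macro for what is really literal source text, so ".Li" would be the closer fit; and the sentence "It may change to require explicit mutable region annotation with ... and explicit calls to .Fn mimmutable" tells the reader the ".openbsd.mutable" section annotation may become mandatory without pointing at where that section is documented, so an ".Xr" cross-reference to the page that describes it would save readers a search. The version-header and Mdocdate hunks are routine bumps and need no change.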