> Now, just out of curiosity with regard to java: I get a "/bsd:
> java(46091): mprotect W^X violation" message when I use it on
> 6.0-release (on a filesystem mounted with wxallowed), it's not linked
> with the wxneeded option, and it still works. How is that possible?
> Doesn't that contradict the release announcement ("We are pleased to
> announce the official release of OpenBSD 6.0. [...] W^X is now
> strictly enforced by default; a program can only violate it if the
> executable is marked with PT_OPENBSD_WXNEEDED and is located on a
> filesystem mounted with the wxallowed mount(8) option.")?

Glad you asked the question.

Leading up to 6.0 I was pretty sure we could pull it off. As in, label all the bad executables. But soon the ports guys exposed that the situation is a nest of vipers. Lots of discussion about strategy.

Then we tuned the policy so that wxallowed on the filesystem is required for W^X violations to proceed silently, otherwise a report is issued for the first operation a program does which violates W^X. Now you can judge the software your system has installed. It still runs, on a filesystem which lets it. The ELF wxneeded flag silences the warning, as it was designed.

As long as your /usr/local is a separate partition, the rest of your filesystems will be pure, rejecting W^X. So sshd or ntpd will be killed if it attempts a W^X violating operation. People who hand-select "whole disk as /" lose again, but that is nothing new, I've been preaching that message for almost 20 years.

Almost immediately after 6.0 unlocked, 6.0-current moved back to new harsher semantics. That gives the ports guys the right model for pushing harder with labelling executables. Progress sometimes takes a few cycles.
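
To see which installed binaries actually carry the wxneeded label discussed in this thread, the following added example (not part of the original messages) reads an ELF file's program headers and looks for the PT_OPENBSD_WXNEEDED type. The function names and the sample image are constructed for illustration; the constant is the value defined in OpenBSD's `sys/exec_elf.h`.

```python
import struct
import sys

PT_OPENBSD_WXNEEDED = 0x65A3DBE7  # p_type marking a binary as needing W|X mappings

def program_header_types(image):
    """Return the p_type of every program header in an ELF image (32/64-bit, LE/BE)."""
    if len(image) < 16 or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elf_class, data_enc = image[4], image[5]
    if elf_class not in (1, 2) or data_enc not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    end = "<" if data_enc == 1 else ">"
    # Offsets of e_phoff and of the (e_phentsize, e_phnum) pair differ by class.
    if elf_class == 2:
        phoff_fmt, phoff_at, sizes_at = "Q", 32, 54
    else:
        phoff_fmt, phoff_at, sizes_at = "I", 28, 42
    try:
        (phoff,) = struct.unpack_from(end + phoff_fmt, image, phoff_at)
        phentsize, phnum = struct.unpack_from(end + "HH", image, sizes_at)
        # p_type is the first 32-bit word of each entry in both ELF classes.
        return [struct.unpack_from(end + "I", image, phoff + i * phentsize)[0]
                for i in range(phnum)]
    except struct.error as exc:
        raise ValueError("truncated ELF image") from exc

def has_wxneeded(image):
    """True if the binary is labelled with PT_OPENBSD_WXNEEDED."""
    return PT_OPENBSD_WXNEEDED in program_header_types(image)

def build_sample_elf64(p_types):
    """Constructed sample: minimal little-endian ELF64 header plus empty program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0, 64, 0, 0, 64, 56, len(p_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<II6Q", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    return header + phdrs

if __name__ == "__main__":
    # Usage: python3 wxneeded.py /usr/local/bin/*   (paths are the caller's choice)
    for path in sys.argv[1:]:
        try:
            with open(path, "rb") as fh:
                label = "wxneeded" if has_wxneeded(fh.read()) else "unlabelled"
        except (OSError, ValueError) as exc:
            label = "skipped (%s)" % exc
        print("%s: %s" % (path, label))
```

An unlabelled binary that shows up in a "/bsd: ... mprotect W^X violation" report is one that only keeps running because its filesystem is mounted wxallowed.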