Author: kib
Date: Tue Oct 15 06:38:40 2013
New Revision: 256504
URL: http://svnweb.freebsd.org/changeset/base/256504

Log:
  Add a sysctl kern.disallow_high_osrel which, when set, disables
  execution of images compiled on a world with a higher major version
  number than the major version number of the booted kernel.  The
  check is disabled by default.
  
  Sponsored by: The FreeBSD Foundation
  Discussed with:       bapt
  MFC after:    1 week

Modified:
  head/sys/kern/kern_exec.c
  head/sys/sys/param.h

Modified: head/sys/kern/kern_exec.c
==============================================================================
--- head/sys/kern/kern_exec.c   Tue Oct 15 06:35:22 2013        (r256503)
+++ head/sys/kern/kern_exec.c   Tue Oct 15 06:38:40 2013        (r256504)
@@ -123,6 +123,11 @@ u_long ps_arg_cache_limit = PAGE_SIZE / 
 SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW, 
     &ps_arg_cache_limit, 0, "");
 
+static int disallow_high_osrel;
+SYSCTL_INT(_kern, OID_AUTO, disallow_high_osrel, CTLFLAG_RW,
+    &disallow_high_osrel, 0,
+    "Disallow execution of binaries built for higher version of the world");
+
 static int map_at_zero = 0;
 TUNABLE_INT("security.bsd.map_at_zero", &map_at_zero);
 SYSCTL_INT(_security_bsd, OID_AUTO, map_at_zero, CTLFLAG_RW, &map_at_zero, 0,
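Review bot: The new `disallow_high_osrel` knob is a run-time sysctl only; unlike `map_at_zero` directly below it, it has no `TUNABLE_INT`, so it cannot be set from the loader, and anything executed before the sysctl is applied during boot is not checked. If the restriction is meant to hold from the first exec, add `TUNABLE_INT("kern.disallow_high_osrel", &disallow_high_osrel);` after the declaration. The description string could also state that only the major version is compared, e.g. `"Disallow execution of binaries built for a world with a higher major version than the kernel"`.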
@@ -552,6 +557,15 @@ interpret:
             vn_fullpath(td, imgp->vp, &imgp->execpath, &imgp->freepath) != 0))
                imgp->execpath = args->fname;
 
+       if (disallow_high_osrel &&
+           P_OSREL_MAJOR(p->p_osrel) > P_OSREL_MAJOR(__FreeBSD_version)) {
+               error = ENOEXEC;
+               uprintf("Osrel %d for image %s too high\n", p->p_osrel,
+                   imgp->execpath != NULL ? imgp->execpath : "<unresolved>");
+               vn_lock(imgp->vp, LK_SHARED | LK_RETRY);
+               goto exec_fail_dealloc;
+       }
+
        /*
         * Copy out strings (args and env) and initialize stack base
         */
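Review bot: The test `P_OSREL_MAJOR(p->p_osrel) > P_OSREL_MAJOR(__FreeBSD_version)` relies on a value that presumably originates from the image being executed (where `p_osrel` is assigned is not visible in this hunk), so an image that records no osrel, or a low one, would still pass. That makes this a compatibility guard rather than an enforcement boundary, and a comment above the `if` should say so, for example `/* Compatibility check only: p_osrel is supplied by the image; images with no recorded osrel are not rejected. */`. The `vn_lock()` before `goto exec_fail_dealloc` also needs a one-line why-comment, such as `/* exec_fail_dealloc expects imgp->vp to be locked */` if that is indeed the reason. The enclosing function starts and ends outside this hunk.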

Modified: head/sys/sys/param.h
==============================================================================
--- head/sys/sys/param.h        Tue Oct 15 06:35:22 2013        (r256503)
+++ head/sys/sys/param.h        Tue Oct 15 06:38:40 2013        (r256504)
@@ -80,6 +80,8 @@
 #define        P_OSREL_SIGWAIT         700000
 #define        P_OSREL_SIGSEGV         700004
 #define        P_OSREL_MAP_ANON        800104
+
+#define        P_OSREL_MAJOR(x)        ((x) / 100000)
 #endif
 
 #ifndef LOCORE
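Review bot: `P_OSREL_MAJOR(x)` is added without a comment and with a bare `100000`, so a reader has to infer from the neighbouring `P_OSREL_*` constants that the major version sits above the low five decimal digits. Add a comment above the define, e.g. `/* Major version of an osrel / __FreeBSD_version value. */`. The kern_exec.c hunk prints `p_osrel` with `%d`, which suggests a signed argument, so the comment should also say the result is only meaningful for non-negative values.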