svn commit: r257126 - in stable/9/sys: kern sys

Fri, 25 Oct 2013 10:16:47 -0700 

Author: kib
Date: Fri Oct 25 17:15:57 2013
New Revision: 257126
URL: http://svnweb.freebsd.org/changeset/base/257126

Log:
  MFC r256504:
  Add a sysctl kern.disallow_high_osrel which disables executing the
  images compiled on the world with higher major version number than the
  high version number of the booted kernel.  Default to disable.

Modified:
  stable/9/sys/kern/kern_exec.c
  stable/9/sys/sys/param.h
Directory Properties:
  stable/9/sys/   (props changed)
  stable/9/sys/sys/   (props changed)

Modified: stable/9/sys/kern/kern_exec.c
==============================================================================
--- stable/9/sys/kern/kern_exec.c       Fri Oct 25 17:04:46 2013        
(r257125)
+++ stable/9/sys/kern/kern_exec.c       Fri Oct 25 17:15:57 2013        
(r257126)
@@ -122,6 +122,11 @@ u_long ps_arg_cache_limit = PAGE_SIZE / 
 SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW, 
     &ps_arg_cache_limit, 0, "");
 
+static int disallow_high_osrel;
+SYSCTL_INT(_kern, OID_AUTO, disallow_high_osrel, CTLFLAG_RW,
+    &disallow_high_osrel, 0,
+    "Disallow execution of binaries built for higher version of the world");
+
 static int map_at_zero = 0;
 TUNABLE_INT("security.bsd.map_at_zero", &map_at_zero);
 SYSCTL_INT(_security_bsd, OID_AUTO, map_at_zero, CTLFLAG_RW, &map_at_zero, 0,
@@ -558,6 +563,15 @@ interpret:
             vn_fullpath(td, imgp->vp, &imgp->execpath, &imgp->freepath) != 0))
                imgp->execpath = args->fname;
 
+       if (disallow_high_osrel &&
+           P_OSREL_MAJOR(p->p_osrel) > P_OSREL_MAJOR(__FreeBSD_version)) {
+               error = ENOEXEC;
+               uprintf("Osrel %d for image %s too high\n", p->p_osrel,
+                   imgp->execpath != NULL ? imgp->execpath : "<unresolved>");
+               vn_lock(imgp->vp, LK_SHARED | LK_RETRY);
+               goto exec_fail_dealloc;
+       }
+
        /*
         * Copy out strings (args and env) and initialize stack base
         */

Modified: stable/9/sys/sys/param.h
==============================================================================
--- stable/9/sys/sys/param.h    Fri Oct 25 17:04:46 2013        (r257125)
+++ stable/9/sys/sys/param.h    Fri Oct 25 17:15:57 2013        (r257126)
@@ -80,6 +80,8 @@
 #define        P_OSREL_SIGWAIT         700000
 #define        P_OSREL_SIGSEGV         700004
 #define        P_OSREL_MAP_ANON        800104
+
+#define        P_OSREL_MAJOR(x)        ((x) / 100000)
 #endif
 
 #ifndef LOCORE
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to