1 /* $NetBSD: t_mprotect.c,v 1.4 2016/05/28 14:34:49 christos Exp $ */
4 * Copyright (c) 2011 The NetBSD Foundation, Inc.
7 * This code is derived from software contributed to The NetBSD Foundation
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
31 #include <sys/cdefs.h>
32 __RCSID("$NetBSD: t_mprotect.c,v 1.4 2016/05/28 14:34:49 christos Exp $");
34 #include <sys/param.h>
36 #include <sys/sysctl.h>
48 #include "../common/exec_prot.h"
52 static int pax_global = -1;
53 static int pax_enabled = -1;
54 static char path[] = "mmap";
56 static void sighandler(int);
57 static bool paxinit(void);
58 static bool paxset(int, int);
69 size_t len = sizeof(int);
72 rv = sysctlbyname("security.pax.mprotect.global",
73 &pax_global, &len, NULL, 0);
78 rv = sysctlbyname("security.pax.mprotect.enabled",
79 &pax_enabled, &len, NULL, 0);
85 paxset(int global, int enabled)
87 size_t len = sizeof(int);
90 rv = sysctlbyname("security.pax.mprotect.global",
91 NULL, NULL, &global, len);
96 rv = sysctlbyname("security.pax.mprotect.enabled",
97 NULL, NULL, &enabled, len);
106 ATF_TC_WITH_CLEANUP(mprotect_access);
107 ATF_TC_HEAD(mprotect_access, tc)
109 atf_tc_set_md_var(tc, "descr", "Test for EACCES from mprotect(2)");
112 ATF_TC_BODY(mprotect_access, tc)
114 int prot[2] = { PROT_NONE, PROT_READ };
119 fd = open(path, O_RDONLY | O_CREAT, 0600);
120 ATF_REQUIRE(fd >= 0);
123 * The call should fail with EACCES if we try to mark
124 * a PROT_NONE or PROT_READ file/section as PROT_WRITE.
126 for (i = 0; i < __arraycount(prot); i++) {
128 map = mmap(NULL, page, prot[i], MAP_SHARED, fd, 0);
130 if (map == MAP_FAILED)
135 ATF_REQUIRE(mprotect(map, page, PROT_WRITE) != 0);
136 ATF_REQUIRE(errno == EACCES);
137 ATF_REQUIRE(munmap(map, page) == 0);
140 ATF_REQUIRE(close(fd) == 0);
143 ATF_TC_CLEANUP(mprotect_access, tc)
148 ATF_TC(mprotect_err);
149 ATF_TC_HEAD(mprotect_err, tc)
151 atf_tc_set_md_var(tc, "descr", "Test error conditions of mprotect(2)");
154 ATF_TC_BODY(mprotect_err, tc)
158 ATF_REQUIRE(mprotect((char *)-1, 1, PROT_READ) != 0);
159 ATF_REQUIRE(errno == EINVAL);
163 ATF_TC(mprotect_exec);
164 ATF_TC_HEAD(mprotect_exec, tc)
166 atf_tc_set_md_var(tc, "descr",
167 "Test mprotect(2) executable space protections");
171 * Trivial function -- should fit into a page
173 ATF_TC_BODY(mprotect_exec, tc)
179 xp_support = exec_prot_support();
181 switch (xp_support) {
184 "Execute protection callback check not implemented");
188 "Host does not support executable space protection");
190 case PARTIAL_XP: case PERPAGE_XP: default:
196 if (pax_enabled == 1 && pax_global == 1)
197 atf_tc_skip("PaX MPROTECT restrictions enabled");
201 * Map a page read/write and copy a trivial assembly function inside.
202 * We will then change the mapping rights:
203 * - first by setting the execution right, and check that we can
204 * call the code found in the allocated page.
205 * - second by removing the execution right. This should generate
206 * a SIGSEGV on architectures that can enforce --x permissions.
209 map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0);
210 ATF_REQUIRE(map != MAP_FAILED);
212 memcpy(map, (void *)return_one,
213 (uintptr_t)return_one_end - (uintptr_t)return_one);
215 /* give r-x rights then call code in page */
216 ATF_REQUIRE(mprotect(map, page, PROT_EXEC|PROT_READ) == 0);
217 ATF_REQUIRE(((int (*)(void))map)() == 1);
219 /* remove --x right */
220 ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0);
223 ATF_REQUIRE(pid >= 0);
226 ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR);
227 ATF_CHECK(((int (*)(void))map)() == 1);
233 ATF_REQUIRE(munmap(map, page) == 0);
235 ATF_REQUIRE(WIFEXITED(sta) != 0);
237 switch (xp_support) {
239 /* Partial protection might fail; skip the test when it does */
240 if (WEXITSTATUS(sta) != SIGSEGV) {
241 atf_tc_skip("Host only supports "
242 "partial executable space protection");
245 case PERPAGE_XP: default:
246 /* Per-page --x protection should not fail */
247 ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV);
253 ATF_TC(mprotect_pax);
254 ATF_TC_HEAD(mprotect_pax, tc)
256 atf_tc_set_md_var(tc, "descr", "PaX restrictions and mprotect(2)");
257 atf_tc_set_md_var(tc, "require.user", "root");
260 ATF_TC_BODY(mprotect_pax, tc)
262 const int prot[4] = { PROT_NONE, PROT_READ, PROT_WRITE };
263 const char *str = NULL;
268 if (!paxinit() || !paxset(1, 1))
272 * As noted in the original PaX documentation [1],
273 * the following restrictions should apply:
275 * (1) creating executable anonymous mappings
277 * (2) creating executable/writable file mappings
279 * (3) making a non-executable mapping executable
281 * (4) making an executable/read-only file mapping
282 * writable except for performing relocations
283 * on an ET_DYN ELF file (non-PIC shared library)
285 * The following will test only the case (3).
287 * [1] http://pax.grsecurity.net/docs/mprotect.txt
289 * (Sun Apr 3 11:06:53 EEST 2011.)
291 for (i = 0; i < __arraycount(prot); i++) {
293 map = mmap(NULL, page, prot[i], MAP_ANON, -1, 0);
295 if (map == MAP_FAILED)
298 rv = mprotect(map, 1, prot[i] | PROT_EXEC);
300 (void)munmap(map, page);
303 str = "non-executable mapping made executable";
309 if (pax_global != -1 && pax_enabled != -1)
310 (void)paxset(pax_global, pax_enabled);
313 atf_tc_fail("%s", str);
316 ATF_TC(mprotect_write);
317 ATF_TC_HEAD(mprotect_write, tc)
319 atf_tc_set_md_var(tc, "descr", "Test mprotect(2) write protections");
322 ATF_TC_BODY(mprotect_write, tc)
329 * Map a page read/write, change the protection
330 * to read-only with mprotect(2), and try to write
331 * to the page. This should generate a SIGSEGV.
333 map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0);
334 ATF_REQUIRE(map != MAP_FAILED);
336 ATF_REQUIRE(strlcpy(map, "XXX", 3) == 3);
337 ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0);
340 ATF_REQUIRE(pid >= 0);
343 ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR);
344 ATF_REQUIRE(strlcpy(map, "XXX", 3) == 0);
349 ATF_REQUIRE(WIFEXITED(sta) != 0);
350 ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV);
351 ATF_REQUIRE(munmap(map, page) == 0);
356 page = sysconf(_SC_PAGESIZE);
357 ATF_REQUIRE(page >= 0);
359 ATF_TP_ADD_TC(tp, mprotect_access);
360 ATF_TP_ADD_TC(tp, mprotect_err);
362 ATF_TP_ADD_TC(tp, mprotect_exec);
364 ATF_TP_ADD_TC(tp, mprotect_pax);
365 ATF_TP_ADD_TC(tp, mprotect_write);
367 return atf_no_error();