t_mprotect.c revision 313498 
1/* $NetBSD: t_mprotect.c,v 1.4 2016/05/28 14:34:49 christos Exp $ */
2
3/*-
4 * Copyright (c) 2011 The NetBSD Foundation, Inc.
5 * All rights reserved.
6 *
7 * This code is derived from software contributed to The NetBSD Foundation
8 * by Jukka Ruohonen.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 *    notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 *    notice, this list of conditions and the following disclaimer in the
17 *    documentation and/or other materials provided with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 */
31#include <sys/cdefs.h>
32__RCSID("$NetBSD: t_mprotect.c,v 1.4 2016/05/28 14:34:49 christos Exp $");
33
34#include <sys/param.h>
35#include <sys/mman.h>
36#include <sys/sysctl.h>
37#include <sys/wait.h>
38
39#include <errno.h>
40#include <fcntl.h>
41#include <stdlib.h>
42#include <string.h>
43#include <unistd.h>
44
45#include <atf-c.h>
46
47#ifdef __NetBSD__
48#include "../common/exec_prot.h"
49#endif
50
51static long	page = 0;
52static int	pax_global = -1;
53static int	pax_enabled = -1;
54static char	path[] = "mmap";
55
56static void	sighandler(int);
57static bool	paxinit(void);
58static bool	paxset(int, int);
59
60static void
61sighandler(int signo)
62{
63	_exit(signo);
64}
65
66static bool
67paxinit(void)
68{
69	size_t len = sizeof(int);
70	int rv;
71
72	rv = sysctlbyname("security.pax.mprotect.global",
73	    &pax_global, &len, NULL, 0);
74
75	if (rv != 0)
76		return false;
77
78	rv = sysctlbyname("security.pax.mprotect.enabled",
79	    &pax_enabled, &len, NULL, 0);
80
81	return rv == 0;
82}
83
84static bool
85paxset(int global, int enabled)
86{
87	size_t len = sizeof(int);
88	int rv;
89
90	rv = sysctlbyname("security.pax.mprotect.global",
91	    NULL, NULL, &global, len);
92
93	if (rv != 0)
94		return false;
95
96	rv = sysctlbyname("security.pax.mprotect.enabled",
97	    NULL, NULL, &enabled, len);
98
99	if (rv != 0)
100		return false;
101
102	return true;
103}
104
105
106ATF_TC_WITH_CLEANUP(mprotect_access);
107ATF_TC_HEAD(mprotect_access, tc)
108{
109	atf_tc_set_md_var(tc, "descr", "Test for EACCES from mprotect(2)");
110}
111
112ATF_TC_BODY(mprotect_access, tc)
113{
114	int prot[2] = { PROT_NONE, PROT_READ };
115	void *map;
116	size_t i;
117	int fd;
118
119	fd = open(path, O_RDONLY | O_CREAT);
120	ATF_REQUIRE(fd >= 0);
121
122	/*
123	 * The call should fail with EACCES if we try to mark
124	 * a PROT_NONE or PROT_READ file/section as PROT_WRITE.
125	 */
126	for (i = 0; i < __arraycount(prot); i++) {
127
128		map = mmap(NULL, page, prot[i], MAP_SHARED, fd, 0);
129
130		if (map == MAP_FAILED)
131			continue;
132
133		errno = 0;
134
135		ATF_REQUIRE(mprotect(map, page, PROT_WRITE) != 0);
136		ATF_REQUIRE(errno == EACCES);
137		ATF_REQUIRE(munmap(map, page) == 0);
138	}
139
140	ATF_REQUIRE(close(fd) == 0);
141}
142
143ATF_TC_CLEANUP(mprotect_access, tc)
144{
145	(void)unlink(path);
146}
147
148ATF_TC(mprotect_err);
149ATF_TC_HEAD(mprotect_err, tc)
150{
151	atf_tc_set_md_var(tc, "descr", "Test error conditions of mprotect(2)");
152}
153
154ATF_TC_BODY(mprotect_err, tc)
155{
156	errno = 0;
157
158	ATF_REQUIRE(mprotect((char *)-1, 1, PROT_READ) != 0);
159	ATF_REQUIRE(errno == EINVAL);
160}
161
162#ifdef __NetBSD__
163ATF_TC(mprotect_exec);
164ATF_TC_HEAD(mprotect_exec, tc)
165{
166	atf_tc_set_md_var(tc, "descr",
167	    "Test mprotect(2) executable space protections");
168}
169
170/*
171 * Trivial function -- should fit into a page
172 */
173ATF_TC_BODY(mprotect_exec, tc)
174{
175	pid_t pid;
176	void *map;
177	int sta, xp_support;
178
179	xp_support = exec_prot_support();
180
181	switch (xp_support) {
182	case NOTIMPL:
183		atf_tc_skip(
184		    "Execute protection callback check not implemented");
185		break;
186	case NO_XP:
187		atf_tc_skip(
188		    "Host does not support executable space protection");
189		break;
190	case PARTIAL_XP: case PERPAGE_XP: default:
191		break;
192	}
193
194	if (!paxinit())
195		return;
196	if (pax_enabled == 1 && pax_global == 1)
197		atf_tc_skip("PaX MPROTECT restrictions enabled");
198
199
200	/*
201	 * Map a page read/write and copy a trivial assembly function inside.
202	 * We will then change the mapping rights:
203	 * - first by setting the execution right, and check that we can
204	 *   call the code found in the allocated page.
205	 * - second by removing the execution right. This should generate
206	 *   a SIGSEGV on architectures that can enforce --x permissions.
207	 */
208
209	map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0);
210	ATF_REQUIRE(map != MAP_FAILED);
211
212	memcpy(map, (void *)return_one,
213	    (uintptr_t)return_one_end - (uintptr_t)return_one);
214
215	/* give r-x rights then call code in page */
216	ATF_REQUIRE(mprotect(map, page, PROT_EXEC|PROT_READ) == 0);
217	ATF_REQUIRE(((int (*)(void))map)() == 1);
218
219	/* remove --x right */
220	ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0);
221
222	pid = fork();
223	ATF_REQUIRE(pid >= 0);
224
225	if (pid == 0) {
226		ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR);
227		ATF_CHECK(((int (*)(void))map)() == 1);
228		_exit(0);
229	}
230
231	(void)wait(&sta);
232
233	ATF_REQUIRE(munmap(map, page) == 0);
234
235	ATF_REQUIRE(WIFEXITED(sta) != 0);
236
237	switch (xp_support) {
238	case PARTIAL_XP:
239		/* Partial protection might fail; skip the test when it does */
240		if (WEXITSTATUS(sta) != SIGSEGV) {
241			atf_tc_skip("Host only supports "
242			    "partial executable space protection");
243		}
244		break;
245	case PERPAGE_XP: default:
246		/* Per-page --x protection should not fail */
247		ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV);
248		break;
249	}
250}
251#endif
252
253ATF_TC(mprotect_pax);
254ATF_TC_HEAD(mprotect_pax, tc)
255{
256	atf_tc_set_md_var(tc, "descr", "PaX restrictions and mprotect(2)");
257	atf_tc_set_md_var(tc, "require.user", "root");
258}
259
260ATF_TC_BODY(mprotect_pax, tc)
261{
262	const int prot[4] = { PROT_NONE, PROT_READ, PROT_WRITE };
263	const char *str = NULL;
264	void *map;
265	size_t i;
266	int rv;
267
268	if (!paxinit() || !paxset(1, 1))
269		return;
270
271	/*
272	 * As noted in the original PaX documentation [1],
273	 * the following restrictions should apply:
274	 *
275	 *   (1) creating executable anonymous mappings
276	 *
277	 *   (2) creating executable/writable file mappings
278	 *
279	 *   (3) making a non-executable mapping executable
280	 *
281	 *   (4) making an executable/read-only file mapping
282	 *       writable except for performing relocations
283	 *       on an ET_DYN ELF file (non-PIC shared library)
284	 *
285	 *  The following will test only the case (3).
286	 *
287	 * [1] http://pax.grsecurity.net/docs/mprotect.txt
288	 *
289	 *     (Sun Apr 3 11:06:53 EEST 2011.)
290	 */
291	for (i = 0; i < __arraycount(prot); i++) {
292
293		map = mmap(NULL, page, prot[i], MAP_ANON, -1, 0);
294
295		if (map == MAP_FAILED)
296			continue;
297
298		rv = mprotect(map, 1, prot[i] | PROT_EXEC);
299
300		(void)munmap(map, page);
301
302		if (rv == 0) {
303			str = "non-executable mapping made executable";
304			goto out;
305		}
306	}
307
308out:
309	if (pax_global != -1 && pax_enabled != -1)
310		(void)paxset(pax_global, pax_enabled);
311
312	if (str != NULL)
313		atf_tc_fail("%s", str);
314}
315
316ATF_TC(mprotect_write);
317ATF_TC_HEAD(mprotect_write, tc)
318{
319	atf_tc_set_md_var(tc, "descr", "Test mprotect(2) write protections");
320}
321
322ATF_TC_BODY(mprotect_write, tc)
323{
324	pid_t pid;
325	void *map;
326	int sta;
327
328	/*
329	 * Map a page read/write, change the protection
330	 * to read-only with mprotect(2), and try to write
331	 * to the page. This should generate a SIGSEGV.
332	 */
333	map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0);
334	ATF_REQUIRE(map != MAP_FAILED);
335
336	ATF_REQUIRE(strlcpy(map, "XXX", 3) == 3);
337	ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0);
338
339	pid = fork();
340	ATF_REQUIRE(pid >= 0);
341
342	if (pid == 0) {
343		ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR);
344		ATF_REQUIRE(strlcpy(map, "XXX", 3) == 0);
345	}
346
347	(void)wait(&sta);
348
349	ATF_REQUIRE(WIFEXITED(sta) != 0);
350	ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV);
351	ATF_REQUIRE(munmap(map, page) == 0);
352}
353
354ATF_TP_ADD_TCS(tp)
355{
356	page = sysconf(_SC_PAGESIZE);
357	ATF_REQUIRE(page >= 0);
358
359	ATF_TP_ADD_TC(tp, mprotect_access);
360	ATF_TP_ADD_TC(tp, mprotect_err);
361#ifdef __NetBSD__
362	ATF_TP_ADD_TC(tp, mprotect_exec);
363#endif
364	ATF_TP_ADD_TC(tp, mprotect_pax);
365	ATF_TP_ADD_TC(tp, mprotect_write);
366
367	return atf_no_error();
368}
369