From 5efa8e507b937d01fca88876205b395ed8c6e2c5 Mon Sep 17 00:00:00 2001
From: Tim Schumacher
Date: Thu, 5 May 2022 18:30:24 +0200
Subject: [PATCH] Kernel: Implement an `axallowed` mount option
Similar to `W^X` and `wxallowed`, this allows for anonymous executable mappings.
---
 Base/usr/share/man/man2/mount.md | 1 +
 Kernel/API/POSIX/unistd.h | 1 +
 Kernel/Syscalls/mmap.cpp | 2 +-
 Userland/Applications/SystemMonitor/main.cpp | 1 +
 Userland/Utilities/mount.cpp | 4 ++++
 5 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/Base/usr/share/man/man2/mount.md b/Base/usr/share/man/man2/mount.md
index 9953b2dbb42..0dd9c99a41f 100644
--- a/Base/usr/share/man/man2/mount.md
+++ b/Base/usr/share/man/man2/mount.md
@@ -38,6 +38,7 @@ The following `flags` are supported:
 * `MS_RDONLY`: Mount the filesystem read-only.
 * `MS_REMOUNT`: Remount an already mounted filesystem (see below).
 * `MS_WXALLOWED`: Allow W^X protection circumvention for executables on this file system.
+* `MS_AXALLOWED`: Allow anonymous executable mappings for executables on this file system.
 These flags can be used as a security measure to limit the possible abuses of the newly mounted file system.
diff --git a/Kernel/API/POSIX/unistd.h b/Kernel/API/POSIX/unistd.h
index db26821fba4..efa35bce141 100644
--- a/Kernel/API/POSIX/unistd.h
+++ b/Kernel/API/POSIX/unistd.h
@@ -28,6 +28,7 @@ extern "C" {
 #define MS_RDONLY (1 << 4)
 #define MS_REMOUNT (1 << 5)
 #define MS_WXALLOWED (1 << 6)
+#define MS_AXALLOWED (1 << 7)
 enum {
 _SC_MONOTONIC_CLOCK,
diff --git a/Kernel/Syscalls/mmap.cpp b/Kernel/Syscalls/mmap.cpp
index 94d9ada8b2d..998f4b1de5f 100644
--- a/Kernel/Syscalls/mmap.cpp
+++ b/Kernel/Syscalls/mmap.cpp
@@ -75,7 +75,7 @@ ErrorOr Process::validate_mmap_prot(int prot, bool map_stack, bool map_ano
 bool make_writable = prot & PROT_WRITE;
 bool make_executable = prot & PROT_EXEC;
- if (map_anonymous && make_executable)
+ if (map_anonymous && make_executable && !(executable()->mount_flags() & MS_AXALLOWED))
 return EINVAL;
 if (map_stack && make_executable)
diff --git a/Userland/Applications/SystemMonitor/main.cpp b/Userland/Applications/SystemMonitor/main.cpp
index a97f4c3a125..98065b3599a 100644
--- a/Userland/Applications/SystemMonitor/main.cpp
+++ b/Userland/Applications/SystemMonitor/main.cpp
@@ -287,6 +287,7 @@ public:
 check(MS_BIND, "bind");
 check(MS_RDONLY, "ro");
 check(MS_WXALLOWED, "wxallowed");
+ check(MS_AXALLOWED, "axallowed");
 if (builder.string_view().is_empty())
 return String("defaults");
 return builder.to_string();
diff --git a/Userland/Utilities/mount.cpp b/Userland/Utilities/mount.cpp
index 8479d7b5fb0..ac19c70e922 100644
--- a/Userland/Utilities/mount.cpp
+++ b/Userland/Utilities/mount.cpp
@@ -38,6 +38,8 @@ static int parse_options(StringView options)
 flags |= MS_REMOUNT;
 else if (part == "wxallowed")
 flags |= MS_WXALLOWED;
+ else if (part == "axallowed")
+ flags |= MS_AXALLOWED;
 else
 warnln("Ignoring invalid option: {}", part);
 }
@@ -180,6 +182,8 @@ static ErrorOr print_mounts()
 out(",bind");
 if (mount_flags & MS_WXALLOWED)
 out(",wxallowed");
+ if (mount_flags & MS_AXALLOWED)
+ out(",axallowed");
 outln(")");
 });
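Review bot: In `validate_mmap_prot`, the new condition dereferences `executable()` with no null check, on a path that previously returned `EINVAL` without touching it. If any process that can request an anonymous `PROT_EXEC` mapping has no executable set (not visible in this hunk), the deny path turns into a kernel null dereference; holding the result first, `auto exe = executable();` then `if (map_anonymous && make_executable && !(exe && (exe->mount_flags() & MS_AXALLOWED)))`, keeps the default at deny. The exemption is also decided by the mount the binary was loaded from, not by the binary, so a comment above the check along the lines of `// MS_AXALLOWED is per-mount: every executable on that file system may create anonymous executable mappings` would make that scope explicit. The function starts before and continues after this hunk.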
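Review bot: `check(MS_AXALLOWED, "axallowed");` in SystemMonitor adds a third hand-maintained copy of the flag-to-name mapping; the same pair is also added to `parse_options` and `print_mounts` in Userland/Utilities/mount.cpp. These lists are what shows an administrator that a mount relaxes a kernel protection, so one of them falling behind would hide that from view. A shared flag/name table would be the cleaner form; short of that, a comment here such as `// Keep in sync with parse_options() and print_mounts() in Userland/Utilities/mount.cpp` documents the coupling. The enclosing function begins and ends outside the hunk.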