A couple of nits, but otherwise looks quite reasonable.

IMO there is too much controls now for wxorx. There is proccontrol -m wxmap, and essentially adding yet another knob breaks it.
Also I am not sure that we want/need logging for mmap/mprotect violating the policy. It is a developer's option, not an administrator.

What I do like from your patch is the SIGTRAP/TRAP_WXORX, which clearly needs its own knob. But I suggest to remove logging.

WRT my comment of changing the default to be premature, I remember that an exp run was taken by Ed (?, added emaste to reviewers), and the result was that most high-profile jit using programs failed.

In D36595#831026, @kib wrote:

IMO there is too much controls now for wxorx. There is proccontrol -m wxmap, and essentially adding yet another knob breaks it.

I'll look into this a little more.

Also I am not sure that we want/need logging for mmap/mprotect violating the policy. It is a developer's option, not an administrator.

My reason for adding this was based on my own experience trying to deploy W^X protection. The first thing I wanted to know was which programs I run this might break. Having a logging option allowed me to see this (as an administrator). Having the signal allowed me to more easily find where the call was buried (as a developer).

WRT my comment of changing the default to be premature, I remember that an exp run was taken by Ed (?, added emaste to reviewers), and the result was that most high-profile jit using programs failed.

I don't doubt this. Problems like this are why my patch still leaves the protection disabled by default. I just moved the place it was disabled from the ELF level to the VM level. The only thing that used to work which will now break is an ELF file which has a section with RWX protection and does not have the special control flag to allow WX.

In D36595#831110, @jtl wrote:

In D36595#831026, @kib wrote:

IMO there is too much controls now for wxorx. There is proccontrol -m wxmap, and essentially adding yet another knob breaks it.

I'll look into this a little more.

What we have currently is one set of controls which selects the processes for which we are going to enforce W^X:

• the ELF allow_wx sysctls
• procctl -m wxmap
• (any others?)

What I am proposing is that we have two sets of controls:

• The existing set which selects processes for which we are going to consider enforcing W^X
• A new set of controls which selects the enforcement mechanism we will apply (which could include not enforcing it)

I believe the above separation is useful for system administrators who are trying to transition to a W^X configuration. We could probably collapse this to a single set of controls which applies on a per-process basis. However, I'm not sure whether that would be easier or harder to understand (either as a kernel developer or as a user).

In D36595#831136, @jtl wrote:

In D36595#831110, @jtl wrote:

In D36595#831026, @kib wrote:

IMO there is too much controls now for wxorx. There is proccontrol -m wxmap, and essentially adding yet another knob breaks it.

I'll look into this a little more.

What we have currently is one set of controls which selects the processes for which we are going to enforce W^X:

• the ELF allow_wx sysctls
• procctl -m wxmap
• (any others?)

What I am proposing is that we have two sets of controls:

• The existing set which selects processes for which we are going to consider enforcing W^X
• A new set of controls which selects the enforcement mechanism we will apply (which could include not enforcing it)

I believe the above separation is useful for system administrators who are trying to transition to a W^X configuration. We could probably collapse this to a single set of controls which applies on a per-process basis. However, I'm not sure whether that would be easier or harder to understand (either as a kernel developer or as a user).

I do not object against this. Even more, I believe that SIGTRAP reporting unifies two enforcement mechanisms, for capsicum and wxorx, and this is why I like it.

What I think excessive is the kernel verbosity, i.e. logging of the violations, instead of returning error/sending signal. In fact, even image activator logging is arguably excessive because wx mapping cannot be created if wxorx policy is enforced. But it is somewhat useful due to inability of the process to catch signals after its vmspace is destroyed and not yet recreated.

I'm still thinking about the documentation... I think the code is OK, modulo a couple of nits.

I like the change overall. I don't have strong feelings about supporting logging from the kernel. We don't do it for, e.g., Capsicum, but perhaps that'd be useful.

I still do not like the extra verbosity from kernel. If insisting on adding more kernel messages, you could make logging for SIGTRAP with interesting si_codes, covering both wxorx and capsicum in one shot.

In D36595#832812, @kib wrote:

I still do not like the extra verbosity from kernel. If insisting on adding more kernel messages, you could make logging for SIGTRAP with interesting si_codes, covering both wxorx and capsicum in one shot.

If I understand your suggested change correctly, it will not produce the same behavior as I have proposed. I only intended to send a signal to the process for debugging purposes. In normal use, I expect a system administrator would do what I did when I wanted to enable W^X:

1. Log violations, but do not actually enforce W^X. This gives a system administrator a chance to assess how many programs may work differently if W^X enforcement is enabled.
2. Optionally, use signals to debug where the actual violations are in the code so they can either change the code or understand the implications of denying the mapping.
3. Enable enforcement (with or without logging, according to their preference), which would simply deny such a mapping (without signaling the process).

As described above, I don't propose to always send a SIGTRAP to the user process. But, if I've misunderstood your proposal, please feel free to correct me.

In D36595#833573, @jtl wrote:

In D36595#832812, @kib wrote:

I still do not like the extra verbosity from kernel. If insisting on adding more kernel messages, you could make logging for SIGTRAP with interesting si_codes, covering both wxorx and capsicum in one shot.

If I understand your suggested change correctly, it will not produce the same behavior as I have proposed. I only intended to send a signal to the process for debugging purposes. In normal use, I expect a system administrator would do what I did when I wanted to enable W^X:

1. Log violations, but do not actually enforce W^X. This gives a system administrator a chance to assess how many programs may work differently if W^X enforcement is enabled.
2. Optionally, use signals to debug where the actual violations are in the code so they can either change the code or understand the implications of denying the mapping.
3. Enable enforcement (with or without logging, according to their preference), which would simply deny such a mapping (without signaling the process).

As described above, I don't propose to always send a SIGTRAP to the user process. But, if I've misunderstood your proposal, please feel free to correct me.

With my proposal, eventually you should get the same behavior, after the logging part is implemented, in the more generic context.

For now, I suggest to only add an optional ability to send SIGTRAP on wxorx violations. Next step would be add more generic optional logging for SIGTRAPs sending _places_ generated by syscall actions (i.e. capsicum + wxorx violations). It should get the knobs to configure same set of kernel actions (SIGTRAP yes/no, log yes/no) as in your patch.

Probably my proposal would be clearer if formulated more operational than functional:

• either in trapsignal() add special handling for SIGTRAP with known si_codes (TRAP_CAP/WXORX): pass or ignore, log or stay silent based on the set of options
• or add some syscalltrapped() wrapper around trapsignal() which do the some checks, and optionally calls trapsignal/log. This seems to be nicer because trapsignal() does not need to grow specific knowledge, and because ksi can be filled specifically in syscalltrapped() instead of the same code spread over the kernel.

This way it is more generic at least, and more useful, and is easier to extend for more similar situations by avoiding copy/pasting).