sysent: Add sv_protect
ClosedPublic
Actions

Authored by andrew on Nov 2 2023, 10:32 AM.

Details

Reviewers

kib
markj

Commits

rGeb32c1c75ab0: sysent: Add sv_protect

Summary

To allow for architecture specific protections add sv_protect to struct
sysent. This can be used to apply these after the executable is loaded
into the new address space.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

andrew created this revision.Nov 2 2023, 10:32 AM

Herald added a subscriber: imp. · View Herald TranscriptNov 2 2023, 10:32 AM

andrew requested review of this revision.Nov 2 2023, 10:32 AM

andrew added a parent revision: D42439: imgact_elf: Export __elfN(parse_notes).

Harbormaster completed remote builds in B54247: Diff 129623.Nov 2 2023, 10:32 AM

andrew added a child revision: D42441: arm64: Enable BTI in the kernel ELF loader.Nov 2 2023, 10:33 AM

kib accepted this revision.Nov 2 2023, 11:46 AM

kib added inline comments.

sys/kern/imgact_elf.c
1374–1377	May be move the call there? More data for imgp is initialized.

This revision is now accepted and ready to land.Nov 2 2023, 11:46 AM

Move sv_protect later and add it to __elfN(load_file)

This revision now requires review to proceed.Nov 2 2023, 2:32 PM

Harbormaster completed remote builds in B54251: Diff 129645.Nov 2 2023, 2:32 PM

In D42440#968474, @andrew wrote:

Move sv_protect later and add it to __elfN(load_file)

Why adding it to load_file? Now the callback is executing three times at least.

Why will it be called three times? It should only be called for the main executable, and in whichever load_file calls is successful.

I added it to load_file so the runtime linker will also be protected from when it starts executing.

In D42440#968760, @andrew wrote:

Why will it be called three times? It should only be called for the main executable, and in whichever load_file calls is successful.

I added it to load_file so the runtime linker will also be protected from when it starts executing.

Yes, it will be called twice, but I do not understand why is it should be arranged that way. Call it after everything is mapped, i.e. both the binary and optional interpreter.

For BTI we need to parse the ELF file to read a note to decide if protection should be enabled for just the memory loaded from that file. Because of this it's easier to check if we should protect some address space on a per-file base to both check if we need to enable BTI, and for what memory it needs to be enabled.

Then would it be more logical to have two differently named callbacks, indicating their purpose?

I added a flag for the callback to know if it's from the main executable, or the interpreter.

kib added inline comments.Nov 6 2023, 1:39 PM