Article 1F8XM W^X now mandatory in OpenBSD

W^X now mandatory in OpenBSD

by
from OpenBSD Journal on (#1F8XM)
Traditional Unix has allowed memory to be mapped W | X. Everyone now knows that's a bad practice from a security standpoint, but the software ecosystem hasn't made much progress in this area. Theo de Raadt has just committed a change to begin blocking W^X violations in OpenBSD.

CVSROOT:/cvsModule name:srcChanges by:deraadt@cvs.openbsd.org2016/05/27 13:45:04Modified files:lib/libc/sys : mmap.2 mount.2 mprotect.2 sbin/mount : mntopts.h mount.8 mount.c sbin/mount_ffs : mount_ffs.c sbin/mount_nfs : mount_nfs.c sys/kern : kern_sysctl.c vfs_syscalls.c sys/sys : mount.h sysctl.h sys/uvm : uvm_mmap.c usr.sbin/pstat : pstat.c Log message:W^X violations are no longer permitted by default. A kernel log messageis generated, and mprotect/mmap return ENOTSUP. If the sysctl(8) flagkern.wxabort is set then a SIGABRT occurs instead, for gdb use or coredumpcreation.W^X violating programs can be permitted on a ffs/nfs filesystem-basis,using the "wxallowed" mount option. One day far in the futureupstream software developers will understand that W^X violations are atremendously risky practice and that style of programming will bebanished outright. Until then, we recommend most users need to use thewxallowed option on their /usr/local filesystem. At least your otherfilesystems don't permit such programs.
Read more...
External Content
Source RSS or Atom Feed
Feed Location http://undeadly.org/cgi?action=rss
Feed Title OpenBSD Journal
Feed Link http://undeadly.org/
Reply 0 comments