OpenBSD is increasingly mandating W^X. What does that mean? Memory can either be mapped writable, or it can be executable, but not both (Write xor eXecute). This is a security concern. Without W^X, an attacker can load their own code into memory and then execute it. W^X protects against this.

Unfortunately there is important third-party code, such as just-in-time compilers, that still uses mmap(2) to make memory both writable and executable, so for the time being, we have to arrange ourselves with it.

For a binary to be allowed to violate W^X, it must
(1) reside on a filesystem that is mounted with the "wxallowed" flag (the installer enables this for /usr/local);
(2) be annotated with PT_OPENBSD_WXNEEDED at the ELF level.

So far, only (1) is strictly enforced and any program in violation is terminated at once. For (2), the W^X violation is logged (dmesg, syslog). In recent snapshots, the offending mmap() call has also begun to return an error. Alas, many programs don't handle this failure gracefully and crash.

Now, obviously getting rid of W^X violations has to be the end goal, but that will take time and effort. In the meantime, offenders *MUST* be marked wxneeded. This is done by linking the executable with "ld -z wxneeded". When linking is performed through cc, which is the usual case, you add "-Wl,-z,wxneeded" to the linking command line. That's it.

Currently only four affected ports are marked wxneeded. More will need this. Please, when you see a port throwing "foo(4711): W^X violation" log messages, look into adding wxneeded.

We can draw up a list of affected ports, but it isn't exactly hard to notice. Some ports already need wxneeded to build. Presumably there are a few others where it will only show up at run time.

This is important. The W^X hammer is coming down and without wxneeded annotations you will find that a number of your favorite programs (e.g. everything Mozilla) will no longer run.

--
Christian "naddy" Weisgerber na...@mips.inka.de
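
An added example, not part of the original message and not OpenBSD's own code: a minimal C check for whether an ELF64 image carries the PT_OPENBSD_WXNEEDED program header that condition (2) refers to, useful for auditing which installed binaries are marked. The names elf_wxneeded, make_sample and sample_buf are hypothetical, the sample image is constructed, and the constant's value is the one defined in OpenBSD's <sys/exec_elf.h>.

```c
#include <stdint.h>
#include <string.h>

#define PT_OPENBSD_WXNEEDED 0x65a3dbe7u /* value from OpenBSD <sys/exec_elf.h> */

/* Minimal ELF64 layouts, declared locally so this builds on any host. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr64;
typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} phdr64;

/* 1 = marked wxneeded, 0 = not marked, -1 = unparsable (host-endian ELF64 only). */
int elf_wxneeded(const unsigned char *img, size_t len) {
    ehdr64 eh;
    phdr64 ph;
    if (len < sizeof(eh) || memcmp(img, "\177ELF", 4) != 0 || img[4] != 2)
        return -1; /* img[4] is EI_CLASS; 2 means ELFCLASS64 */
    memcpy(&eh, img, sizeof(eh));
    if (eh.e_phentsize != sizeof(ph) || eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * sizeof(ph) > len - eh.e_phoff)
        return -1; /* program header table lies outside the image */
    for (size_t i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, img + eh.e_phoff + i * sizeof(ph), sizeof(ph));
        if (ph.p_type == PT_OPENBSD_WXNEEDED)
            return 1;
    }
    return 0;
}

/* Constructed sample: header-only image holding PT_LOAD plus one more entry. */
unsigned char sample_buf[256];
size_t make_sample(unsigned char *buf, uint32_t second_type) {
    ehdr64 eh = { .e_ident = { 0x7f, 'E', 'L', 'F', 2 }, .e_phoff = sizeof(ehdr64),
                  .e_phentsize = sizeof(phdr64), .e_phnum = 2 };
    phdr64 ph[2] = { { .p_type = 1 /* PT_LOAD */ }, { .p_type = second_type } };
    memcpy(buf, &eh, sizeof(eh));
    memcpy(buf + sizeof(eh), ph, sizeof(ph));
    return sizeof(eh) + sizeof(ph);
}

int main(void) { /* exits 0 when the marker is found in the sample */
    return elf_wxneeded(sample_buf, make_sample(sample_buf, PT_OPENBSD_WXNEEDED)) != 1;
}
```

To audit a real binary, read or map the file and pass its bytes and length to elf_wxneeded in place of the constructed sample.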