On Sun, Aug 07, 2016 at 10:20:50PM +0200, Christian Weisgerber wrote:
> OpenBSD is increasingly mandating W^X. What does that mean? Memory
> can either be mapped writable, or it can be executable, but not
> both (Write xor eXecute). This is a security concern. Without
> W^X, an attacker can load their own code into memory and then execute
> it. W^X protects against this.
>
> Unfortunately there is important third-party code, such as just-in-time
> compilers, that still uses mmap(2) to make memory both writable and
> executable, so for the time being, we have to arrange ourselves
> with it.
>
> For a binary to be allowed to violate W^X, it must
> (1) reside on a filesystem that is mounted with the "wxallowed"
> flag (the installer enables this for /usr/local);
> (2) be annotated with PT_OPENBSD_WXNEEDED at the ELF level.
>
> So far, only (1) is strictly enforced and any program in violation
> is terminated at once.
>
> For (2), the W^X violation is logged (dmesg, syslog). In recent
> snapshots, the offending mmap() call has also begun to return an
> error. Alas, many programs don't handle this failure gracefully
> and crash.
>
> Now, obviously getting rid of W^X violations has to be the end goal,
> but that will take time and effort. In the meantime, offenders
> *MUST* be marked wxneeded. This is done by linking the executable
> with "ld -z wxneeded". When linking is performed through cc, which
> is the usual case, you add "-Wl,-z,wxneeded" to the linking command
> line. That's it.
>
> Currently only four affected ports are marked wxneeded. More will
> need this. Please, when you see a port throwing "foo(4711): W^X
> violation" log messages, look into adding wxneeded.
>
> We can draw up a list of affected ports, but it isn't exactly hard
> to notice. Some ports already need wxneeded to build. Presumably
> there are a few others where it will only show up at run time.
>
> This is important. The W^X hammer is coming down and without
> wxneeded annotations you will find that a number of your favorite
> programs (e.g. everything Mozilla) will no longer run.
Free ok coupons to whoever wants to fix 'everything Mozilla' by applying the necessary knob/bandaid like a sir. I won't have time nor interest to look into this before g2k16.

Landry