On Sun, Aug 07, 2016 at 10:20:50PM +0200, Christian Weisgerber wrote: > OpenBSD is increasingly mandating W^X. What does that mean? Memory > can either be mapped writable, or it can be executable, but not > both (Write xor eXecute). This is a security concern. Without > W^X, an attacker can load their own code into memory and then execute > it. W^X protects against this. > > Unfortunately there is important third-party code, such as just-in-time > compilers, that still uses mmap(2) to make memory both writable and > executable, so for the time being, we have to arrange ourselves > with it. > > For a binary to be allowed to violate W^X, it must > (1) reside on a filesystem that is mounted with the "wxallowed" > flag (the installer enables this for /usr/local); > (2) be annotated with PT_OPENBSD_WXNEEDED at the ELF level. > > So far, only (1) is strictly enforced and any program in violation > is terminated at once. > > For (2), the W^X violation is logged (dmesg, syslog). In recent > snapshots, the offending mmap() call has also begun to return an > error. Alas, many programs don't handle this failure gracefully > and crash. > > Now, obviously getting rid of W^X violations has to be the end goal, > but that will take time and effort. In the meantime, offenders > *MUST* be marked wxneeded. This is done by linking the executable > with "ld -z wxneeded". When linking is performed through cc, which > is the usual case, you add "-Wl,-z,wxneeded" to the linking command > line. That's it. > > Currently only four affected ports are marked wxneeded. More will > need this. Please, when you see a port throwing "foo(4711): W^X > violation" log messages, look into adding wxneeded. > > We can draw up a list of affected ports, but it isn't exactly hard > to notice. Some ports already need wxneeded to build. Presumably > there are a few others where it will only show up at run time. > > This is important. The W^X hammer is coming down and without > wxneeded annotations you will find that a number of your favorite > programs (e.g. everything Mozilla) will no longer run. >
What should be done for ports like (just for example) calibre? It uses python, and uses PyQtWebkit to pull in Qt5Webkit which maps WX for its jit. Python itself doesn't need wxneeded but for calibre (and possibly other ports) to work it will. -- Carlin
