O. P. · Jul 2, 2019 · 8:06 PM UTC

O. P.

O. P. @zer0pntr

2 Jul 2019

Some better news regarding to FreeBSD land: svnweb.freebsd.org/base?view… @paxteam @grsecurity

PaX Team · Jul 3, 2019 · 10:36 AM UTC

PaX Team @paxteam

3 Jul 2019

looks interesting, something we considered doing in around 2000/2001 but the (linux) world wasn't quite ready at the time. one question: does vm_map_protect(..., max_prot, TRUE) in kern_mprotect fail if max_prot were to add new rights? it had better... ;)

Ed Maste · Jul 3, 2019 · 12:31 PM UTC

Ed Maste @ed_maste

3 Jul 2019

Of course :) Same question came up in the code review, resulting in a clarification in the man page: svnweb.freebsd.org/base?view…

PaX Team · Jul 3, 2019 · 2:00 PM UTC

PaX Team · Jul 3, 2019 · 2:00 PM UTC

PaX Team @paxteam

3 Jul 2019

Replying to @ed_maste @zer0pntr @grsecurity

i see, though it still kinda only implies it since 'new_prot' can either be the new value for 'prot' or 'maxprot', doesn't make it easier on the reader ;). i'd have probably forked this into two separate functions setting prot/max_prot respectively instead of the bool selector...

Jul 3, 2019 · 2:00 PM UTC

Ed Maste · Jul 3, 2019 · 3:18 PM UTC

Ed Maste @ed_maste

3 Jul 2019

Replying to @paxteam @zer0pntr @grsecurity

Yes but probably too much churn; do you find this sufficiently clear (moved after the description of new_prot and set_max): Whether set_max is TRUE or FALSE new_prot may not include any protection bits that are not already set in max_protection on every entry within the range.

PaX Team · Jul 3, 2019 · 10:01 PM UTC

PaX Team @paxteam

3 Jul 2019

you should probably ask your intended audience :) but if i were you, i'd get rid of the double negation and just state that new_prot can at most have bits that are already present in max_prot.

more replies