Bryan Steele Dec 3, 2023

Mark Kettenis laying the groundwork in LLVM/lld for some upcoming work in #OpenBSD. Stay tuned!

kettenis@ modified src/gnu/llvm/*: Collect .openbsd.syscalls sections into a new PT_OPENBSD_SYSCALLS segment.
This will be used soon to pin system calls to designated call sites.

ok deraadt@

And follow-up commit for binutils by kettenis@:

kettenis@ modified gnu/usr.bin/binutils-2.17/*: Collect .openbsd.syscalls sections into a new PT_OPENBSD_SYSCALLS segment.
This will be used soon to pin system calls to designated call sites.

ok deraadt@

And some further details by deraadt@:

deraadt@ modified src/sys/sys/exec_elf.h: PT_OPENBSD_SYSCALLS is an extension that points to non-LOAD section which contains {offset,syscall#} structures.
ok kettenis

Show threadBryan Steele Dec 8, 2023

Theo de Raadt on pinsyscalls(2), for pinning system calls on #OpenBSD. An evolution of msyscall(2) + pinsyscall(SYS_execve, ...) to pin all system calls to designated call sites

https://marc.info/?l=openbsd-tech&m=170205367232026&w=2

'pinning all system calls' - MARC

Show threadBryan Steele Dec 30, 2023

An update on pinsyscalls(2) from Theo de Raadt on #OpenBSD tech@, includes a patch for anyone interested in testing.

https://marc.info/?l=openbsd-tech&m=170396269502197&w=2

'update on pinsyscalls(2)' - MARC

Show threadBryan Steele Jan 16, 2024

The final pieces (kernel + ld .so) of pinsyscalls(2) has been committed to #OpenBSD -current! 

deraadt@ modified src/sys/{sys,kern,uvm}/*: The kernel will now read pinsyscall tables out of PT_OPENBSD_SYSCALLS in the main program or ld.so, and accept a submission of that information for libc.so from ld.so via pinsyscalls(2). At system call invocation, the syscall number is matched to the specific address it must come from.
ok kettenis, gnezdo, testing of variations by many people

deraadt@ modified src/libexec/ld.so: Read PT_OPENBSD_SYSCALLS in libc.so, and convert it to a table for pinsyscalls(2).
ok kettenis

Show threadBryan Steele Jan 16, 2024

One really cool property of this for static/static-PIE binaries, is that because kernel reads pinsyscall tables out of PT_OPENBSD_SYSCALLS in the binary, you can only call system calls linked into the program. ping(8) can't execve(2) because there's no "syscall" instruction for execve(2). 

#OpenBSD

👽Etsh (V6Sh) Project🐡Aug 22, 2024
Show threadBryan Steele 

System call pinning is now mandatory in #OpenBSD -current, with execv(2) now rejecting binaries without a valid pintable. 

deraadt@ modified src/sys/kern/exec_elf.c: If binaries lack a pintable, execve() can now reject them at startup by returning EINVAL, rather than at runtime when the first system call occurs (and then probably dumping core). Let's find out if there are any surprising exceptions we were unaware of (would need a custom linker, or a non-crt0 runtime)
errno discussions with kettenis, sthen, millert. Vague consensus it is
worth trying now.

Plus some additional cleanup in process flags, used in ps(1), to make available for future bits.

deraadt@ modified src/*: We do not need the PS_LIBCPIN and PS_PIN flag fields anymore, which were used during development (for visibility). There is speculation claudio will immediately use these bits for something else.

Aug 21, 2024 at 3:54amWeb