Contributed by tj on 2016-05-27 from the x-chromosome dept.

Traditional Unix has allowed memory to be mapped W | X. Everyone now knows that's a bad practice from a security standpoint, but the software ecosystem hasn't made much progress in this area. Theo de Raadt has just committed a change to begin blocking W^X violations in OpenBSD.

CVSROOT:      /cvs
Module name:  src
Changes by:   deraadt@cvs.openbsd.org  2016/05/27 13:45:04

Modified files:
    lib/libc/sys   : mmap.2 mount.2 mprotect.2
    sbin/mount     : mntopts.h mount.8 mount.c
    sbin/mount_ffs : mount_ffs.c
    sbin/mount_nfs : mount_nfs.c
    sys/kern       : kern_sysctl.c vfs_syscalls.c
    sys/sys        : mount.h sysctl.h
    sys/uvm        : uvm_mmap.c
    usr.sbin/pstat : pstat.c

Log message:
W^X violations are no longer permitted by default. A kernel log message is generated, and mprotect/mmap return ENOTSUP. If the sysctl(8) flag kern.wxabort is set then a SIGABRT occurs instead, for gdb use or coredump creation.

W^X violating programs can be permitted on a ffs/nfs filesystem-basis, using the "wxallowed" mount option. One day far in the future upstream software developers will understand that W^X violations are a tremendously risky practice and that style of programming will be banished outright. Until then, we recommend most users need to use the wxallowed option on their /usr/local filesystem. At least your other filesystems don't permit such programs.

This is a first step towards mandatory W^X, a plateau no one else has been able to reach yet. Some ports have been modified to adhere to this rule, but a number of others (JDK, GCC, Mono, Chromium, etc.) will need the wxallowed workaround in /etc/fstab until they can be fixed upstream. Firefox is a notable exception, having been refactored in just the last year. While these remaining violators are being reworked, an initial method has been introduced to differentiate between filesystems whose binaries are or are not entirely W^X-safe.

None of the base system binaries violate this check, so there should be no noticeable effect if you don't have any third-party packages installed.

More information for -current users can be found in the usual place.