authorAndrew Turner <andrew@FreeBSD.org>2023-11-02 09:49:27 +0000
committerAndrew Turner <andrew@FreeBSD.org>2023-11-10 09:57:45 +0000
commiteb32c1c75ab0d8518a04ab18d46e82804b31d055 (patch)
tree63a16eaf6f64ac6d73f15092381af3fcf0260745
parenta04633cef81e3b29da4eb214331bd472fc2e9238 (diff)
sysent: Add sv_protect
To allow for architecture specific protections add sv_protect to struct sysent. This can be used to apply these after the executable is loaded into the new address space. Reviewed by: kib Sponsored by: Arm Ltd Differential Revision: https://reviews.freebsd.org/D42440
-rw-r--r--sys/kern/imgact_elf.c6
-rw-r--r--sys/sys/sysent.h5
2 files changed, 11 insertions, 0 deletions
diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index f361920e16d5..047bde3c250b 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -862,6 +862,9 @@ __elfN(load_file)(struct proc *p, const char *file, u_long *addr,
if (error != 0)
goto fail;
+ if (p->p_sysent->sv_protect != NULL)
+ p->p_sysent->sv_protect(imgp, SVP_INTERP);
+
*addr = base_addr;
*entry = (unsigned long)hdr->e_entry + rbase;
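Review bot: The interpreter call takes its hook from `p->p_sysent`, while the image call in `exec_elf imgact` uses the local `sv`, so the two sites are only equivalent if `p->p_sysent` already points at the new image's vector when `load_file` runs. That assignment is not visible in this hunk; if it happens later, the interpreter mapping would get the previous ABI's hook or none at all, and nothing would report it. I would add a comment at the call such as `/* p_sysent was switched to the new image's sysentvec before the interpreter is loaded */`, or pass the vector explicitly. The body of `load_file` starts and ends outside the hunk.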
@@ -1369,6 +1372,9 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp)
entry = (u_long)hdr->e_entry + imgp->et_dyn_addr;
imgp->entry_addr = entry;
+ if (sv->sv_protect != NULL)
+ sv->sv_protect(imgp, SVP_IMAGE);
+
if (interp != NULL) {
VOP_UNLOCK(imgp->vp);
if ((map->flags & MAP_ASLR) != 0) {
diff --git a/sys/sys/sysent.h b/sys/sys/sysent.h
index a23c338f9ce2..c582ed494be9 100644
--- a/sys/sys/sysent.h
+++ b/sys/sys/sysent.h
@@ -149,6 +149,7 @@ struct sysentvec {
vm_offset_t sv_fxrng_gen_offset;
void (*sv_onexec_old)(struct thread *td);
int (*sv_onexec)(struct proc *, struct image_params *);
+ void (*sv_protect)(struct image_params *, int);
void (*sv_onexit)(struct proc *);
void (*sv_ontdexit)(struct thread *td);
int (*sv_setid_allowed)(struct thread *td,
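Review bot: `sv_protect` is declared `void`, so an implementation that cannot apply a protection has no way to fail the exec, and both call sites in imgact_elf.c carry on regardless. For a hook whose stated purpose is applying protections, that makes the failure mode fail-open and silent. The neighbouring `sv_onexec` returns `int`; consider `int (*sv_protect)(struct image_params *, int);` with the callers doing `error = sv->sv_protect(imgp, SVP_IMAGE); if (error != 0) goto ret;` (using whatever the function's existing error label is). If best-effort is intended, a comment on the member should say so, and say what state the address space is in when the hook runs. `struct sysentvec` continues outside the hunk.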
@@ -187,6 +188,10 @@ struct sysentvec {
#define SVC_NOCOMPRESS 0x00000002 /* disable compression. */
#define SVC_ALL 0x00000004 /* dump everything */
+/* sv_protect flags */
+#define SVP_IMAGE 0x00000001
+#define SVP_INTERP 0x00000002
+
#ifdef _KERNEL
extern struct sysentvec aout_sysvec;
extern struct sysent sysent[];
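Review bot: The two `SVP_*` values are undocumented, and the header does not say whether they are a bitmask or a selector. They are defined as distinct bits, yet each call site in this commit passes exactly one. An implementer cannot tell from the header whether to test with `==` or `&`, or whether both bits may ever arrive together. Unlike the `SVC_*` defines just above, they carry no per-value comment; I would add ones like `/* main executable has been mapped */` and `/* interpreter (rtld) has been mapped */`, and state the combination rule in the `/* sv_protect flags */` line.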