sxadm - manage Solaris security extension configuration
sxadm enable [-c property=value[,property=value,...]] extension[,extension,...]
sxadm exec [-i] [-s extension=value,...] command
sxadm delcust [extension,...]
sxadm disable extension[,extension,...]
sxadm get [-p] [-o field[,...]] property[,...] [extension]
sxadm help [subcommand]
sxadm set property=value[,property=value,...] extension
sxadm status [-p] [-o field[,...]] [extension]
The sxadm command configures and provides information about Solaris security extensions.
The sxadm exec subcommand enables or disables security extensions for a specific command. The extensions apply to the associated process and, with the -i option, can be inherited by any child processes. See the "Security Extensions" section.
All other sxadm subcommands configure and provide information about system-level security extensions. These extensions apply to both the global zone and non-global zones.
The security extensions of a process are determined at exec(2) and take effect for the process from that point on. The extensions remain in effect for the entire lifetime of the process, until it exits or calls exec(2) again. System-level extensions can affect all processes. Process-level extensions affect a single process and are inherited by all of its child processes (provided the children are unprivileged). See the "Security Extensions" section.
Individual executables can be tagged with security extension requirements when they are built with ld(1). Such tagging ensures that the requirements of the associated process are met regardless of any system-level extension settings. Process-level extensions can override executables tagged with security extensions. See the "Executables Tagged with Extensions" section.
Some security extensions restrict an application, providing defenses that constrain borderline behavior. As a result, some existing applications may fail or suffer reduced performance when security extensions are applied. In general, newer defenses are more likely to cause application failures. Over time, as the level of protection becomes more important, programming practices will adapt and failures caused by applying security extensions will decrease.
Some security extensions may affect performance, by enabling additional checks or reducing the usage of certain caches and buffers. System administrators may need to choose between performance and security depending on the requirements of their environment.
The following security extensions are available. These extensions may reduce the chances of attackers finding known entry points, planting exploitation code in locations that can later be executed, or taking advantage of CPU implementations.
Application Data Integrity is a feature introduced with the SPARC M7 processor that allows memory ranges to be tagged with unique identifiers. See adi(7). These identifiers can be used to automatically detect invalid read and write operations made through pointers whose identifiers do not match. Heap allocators can use this feature to effectively detect adjacent buffer overflows and to statistically protect against wild pointers and use-after-free conditions.
ADI is a powerful technique, but it may be incompatible with applications that perform low-level address computation. In particular, because the system tags pointers, applications that rely on pointer arithmetic need to normalize pointers first. Moreover, accesses beyond the limits of a buffer are detected as fatal errors. Some applications are known to use such accesses as a design optimization, and these applications will fail under ADI. If an application runs successfully under a memory checker such as valgrind, it is likely not to have these problems. For these reasons, the 'all' model of ADIHEAP is not supported, and extra care should be taken when testing applications that enable ADIHEAP through binary tagging.
The ADIHEAP extension is available only with certain memory allocators, and only on SPARC systems that support ADI.
ADI identifiers can be used to enable the automatic detection of buffer overflows that overwrite the register save area of a stack frame when the save area contains valid contents.
Some applications or interpreted languages may intentionally read or modify their own stack directly. For this reason, the 'all' model of ADISTACK is not supported, and extra care should be taken when testing applications that enable ADISTACK through binary tagging.
The ADISTACK extension is available only on SPARC systems that support ADI.
ASLR activates randomization of the key areas of a process (for example, the stack, the brk-based heap, memory segment mappings, and so on). The memory mappings of applications built as position-independent executables are also randomized by ASLR.
HW_BTI provides hardware-based mitigation for CVE-2017-5715 (Branch Target Injection, Spectre Variant 2) for SPARC CPUs. When enabled, some applications might experience lower performance.
IBPB is a mitigation for CVE-2017-5715 for Intel CPUs. It is used in the kernel to guarantee that older indirect branches cannot influence predictions of indirect branches in the future. It is enabled by default on systems where it is required and supported. When it is enabled some applications might experience lower performance.
A reboot is required after enabling or disabling IBPB for the changes to take effect.
IBRS is a mitigation for CVE-2017-5715 for Intel CPUs. It is called on every entry into the kernel and restricts the speculation of indirect branches. It is enabled by default on systems where it is required and supported. When it is enabled some applications might experience lower performance.
A reboot is required after enabling or disabling IBRS for the changes to take effect.
IF_PSCHANGE_MC_NO is a readonly extension that is enabled only if the CPU includes a hardware mitigation for the Machine Check Error on Page Size Change (aka IFU) vulnerability (CVE-2018-12207).
KADI 使用应用程序数据完整性来捕获内核堆中的内存损坏。KADI 提供保护以防止缓冲区溢出、在释放后使用、在重新分配后使用和双重释放。
启用或禁用 KADI 后,必须重新引导才能使更改生效。
KADI is a development-only feature to be used as a debugging aid by developers of device drivers and other kernel modules. It may decrease system stability, so is not recommended for use on production systems at this time. A future release may declare KADI suitable for production deployment.
KPTI isolates kernel page tables from user space processes to reduce the opportunity for kernel data leakage. On Intel CPUs this can mitigate CVE-2017-5754 Rogue Data Cache Load (RDCL) and other vulnerabilities.
KPTI is always enabled and can not be disabled on SPARC systems. KPTI is enabled by default on x86 systems. A reboot is required on x86 systems after enabling or disabling KPTI for the changes to take effect.
L1DF is a mitigation for CVE-2018-3646 for Intel CPUs only. It flushes sensitive data from the L1D cache to prevent an untrusted guest virtual machine from inferring data from other guest virtual machines. This flush is performed every time the host system enters a virtual machine (VM entry). As part of this mitigation, disabling hyper-threading (HT) while running virtual machines is strongly recommended.
This mitigation is enabled by default on systems where it is required and supported.
A reboot is required after enabling or disabling L1DF for the changes to take effect.
MD_CLEAR is a mitigation for the Microarchitectural Data Sampling (MDS) series of vulnerabilities for Intel CPUs only. The vulnerabilities are CVE-2018-12126 Microarchitectural Store Buffer Data Sampling (MSBDS), CVE-2018-12130 Microarchitectural Fill Buffer Data Sampling (MFBDS), CVE-2018-12127 Microarchitectural Load Port Data Sampling (MLPDS), and CVE-2019-11091 Microarchitectural Data Sampling Uncacheable Memory (MDSUM). The mitigation overwrites the store and fill buffers on the logical processors that are affected by MDS.
This mitigation is enabled by default on systems where it is required and supported.
A reboot is required after enabling or disabling MD_CLEAR for the changes to take effect.
MDS_NO is a readonly extension that is only enabled if the CPU is not vulnerable to the Microarchitectural Data Sampling (MDS) series of vulnerabilities that are mitigated in software by the MD_CLEAR extension.
NXHEAP prevents pages allocated for the process heap from being executable.
NXSTACK prevents pages allocated for the process stack from being executable. Backward compatibility with the legacy /etc/system noexec_user_stack and noexec_user_stack_log settings is maintained, although such controls are obsolete and sxadm should be used instead.
RDCL_NO is a readonly extension that is only enabled if the CPU is not vulnerable to the Rogue Data Cache Load (RDCL) and Microarchitectural Fill Buffer Data Sampling (MFBDS) vulnerabilities (CVE-2017-5754, CVE-2018-3646 and CVE-2018-12130).
RSBS is a mitigation for CVE-2018-15572. Enabled by default, it restricts speculation based on the Return Stack Buffer state.
RSBS is always enabled on SPARC systems and cannot be disabled.
On x86 systems, RSBS may be enabled or disabled. A reboot is required for the change to take effect.
SMAP is a mechanism to disallow supervisor mode execution of text mapped only in userland on Intel CPUs. It is enabled by default when it is supported by the hardware. Certain applications or drivers can fail when SMAP is enabled.
A reboot is required after enabling or disabling SMAP for the changes to take effect.
SSBD is a mitigation for CVE-2018-3639. It restricts loads from speculating around older stores. It is enabled by default on systems where it is required and supported. When enabled, some applications might experience lower performance.
On SPARC, sxadm(8) only displays the current state of SSBD. Enabling or disabling SSBD can be done on Fujitsu SPARC systems that support SSBD via an XSCF command. See the XSCF Reference Manual of your system for more information. A host reboot is required to make changes.
On x86 systems, SSBD is enabled per-process, either by tagging the executable with the ssbd elf tag (see ld(1)) or by executing the process via the sxadm command and enabling the feature.
On affected Intel systems with the 2021.2 IPU or later microcode updates, the SSBD extension also enables the Predictive Store Forwarding Disable (PSFD) mitigation for CVE-2021-0145.
TAA_NO is a readonly extension that has a status of enabled if and only if the CPU supports the Intel TSX feature and is not vulnerable to the TSX Asynchronous Abort (TAA) vulnerability (CVE-2019-11135) due to a hardware mitigation provided by the CPU. Otherwise, it has a status of not supported.
TSX_DISABLE is a readonly extension that has a status of enabled if the kernel has disabled TSX via an available control register. If both TAA_NO and TSX_DISABLE have a status of not supported, and MDS_NO also has a status of not supported, TAA may be mitigated by enabling the MD_CLEAR extension and rebooting if not already enabled. If MDS_NO has a status of enabled, then if both TAA_NO and TSX_DISABLE have a status of not supported, TAA can not be mitigated and a microcode update is necessary before TAA can be mitigated.
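The TAA decision rules in the preceding paragraphs, written out as a small POSIX shell function. This is an added example and not part of the sxadm manual: the function name taa_advice, its result words, and the input combinations are this example's own. Each argument is the status word reported for TAA_NO, TSX_DISABLE and MDS_NO ("enabled" or "not supported"); they are passed by hand here so the logic can be checked offline instead of being read from sxadm status.

```shell
#!/bin/sh
# Added example, not from the sxadm manual: decide what, if anything, is
# needed for TAA on this CPU from the status of three read-only extensions.
# Usage: taa_advice TAA_NO_STATUS TSX_DISABLE_STATUS MDS_NO_STATUS
# Each status is "enabled" or "not supported", as reported by sxadm status.

taa_advice() {
    taa_no=$1; tsx_disable=$2; mds_no=$3
    for v in "$taa_no" "$tsx_disable" "$mds_no"; do
        case $v in
            enabled|"not supported") ;;
            *) echo "unknown status: $v" >&2; return 2 ;;
        esac
    done
    if [ "$taa_no" = enabled ]; then
        # CPU supports TSX and carries a hardware mitigation for TAA.
        echo hardware-mitigated
    elif [ "$tsx_disable" = enabled ]; then
        # The kernel has switched TSX off via the control register.
        echo tsx-disabled
    elif [ "$mds_no" = enabled ]; then
        # MDS-immune part with no TAA mitigation: MD_CLEAR does not help,
        # only a microcode update can.
        echo microcode-update-required
    else
        # MDS-affected part: the MD_CLEAR buffer overwrite also covers TAA,
        # so enable MD_CLEAR (reboot required) if it is not already enabled.
        echo enable-md_clear-and-reboot
    fi
}

# Demo over the four combinations a system can report (constructed inputs).
taa_advice enabled         "not supported" "not supported"
taa_advice "not supported" enabled         enabled
taa_advice "not supported" "not supported" enabled
taa_advice "not supported" "not supported" "not supported"
```

The result words are deliberately machine-friendly so the function can feed a compliance check; the two actionable outcomes (enable MD_CLEAR, or obtain microcode) are the ones that need a reboot or a firmware change and so deserve a ticket rather than a silent fix.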
UMIP is a mechanism on Intel CPUs that restricts the execution of specific instructions if the CPU is running outside of its highest privileged mode (e.g. running in user mode). This is a security feature to prevent potential manipulation of system software data structures by malicious userland applications. It is enabled by default when it is supported by the hardware.
A reboot is required after enabling or disabling UMIP for the changes to take effect.
By default, the global zone and all non-global zones have the ASLR, NXHEAP, ADIHEAP, ADISTACK, and SSBD extensions enabled only for tagged binaries, while the NXSTACK extension is enabled for all processes.
Security extensions can have one or more properties. All extensions have the model property, which defines what the extension applies to. The model property can take the following values:
all: Enables the security extension for all processes.
tagged-files: Enables the security extension for tagged binaries only.
default: Follows the system default setting for the security extension. See the "Security Extensions" section.
Security extensions may have additional properties.
NXHEAP and NXSTACK provide a log property which, when enabled, reports attempts to execute from non-executable memory ranges (the stack for NXSTACK; the heap and data for NXHEAP).
enable: Enables logging.
disable: Disables logging. (Default configuration)
The sxadm subcommands enable, disable, set and delcust modify security extensions system-wide. For example, the following sxadm commands enable extensions system-wide.
# sxadm enable nxstack
# sxadm enable aslr,nxheap
The following sxadm commands also enable extensions system-wide, by explicitly identifying each property.
# sxadm enable -c model=all aslr
# sxadm enable -c model=all -c log=enable nxstack
Security extensions can also be enabled or disabled for a single process with the sxadm subcommand exec. This subcommand affects only the state of the security extension; any other properties of the extension are inherited from the system properties. The following sxadm command ensures that the foobar process executes with the named extensions disabled.
$ sxadm exec -s aslr=disable -s nxheap=disable foobar
Security extensions can also be configured system-wide with smf(7). The security extension service is system/security/security-extensions, and its properties are named in the form '[extension]/[property]', where extension is the name of the security extension and property is the name of the property you want to access.
The extension state is configured through the '[extension]/config' property, which can have the following values:
enable: the extension is enabled at boot
disable: the extension is disabled at boot
default: the extension has the Oracle provided default setting
All extensions in Oracle Solaris are shipped with configuration=default.
Individual executables can be tagged with security extension requirements when they are built with the following ld(1) options.
Control ADI heap allocator usage tagging.
Control ADI stack protection tagging.
Control ASLR tagging.
Control non-executable heap tagging.
Control non-executable stack tagging.
Control SSBD mitigation tagging.
The mode can be enable or disable. If mode is not provided, enable is the default.
The security extensions defined in a tagged executable interact with any system-wide security settings as follows.
A security setting in a tagged executable that disables a specific extension is used without consulting the system security settings.
A security setting in a tagged executable that enables a specific extension is used only when the system security setting is tagged-files.
Security settings specified through sxadm exec override the settings of the tagged executable.
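The three precedence rules above, together with the shipped default models stated earlier (tagged-files for ASLR, NXHEAP, ADIHEAP, ADISTACK and SSBD; all for NXSTACK), are enough to work out the effective state of one extension for one unprivileged process. The following POSIX shell resolver is an added example, not part of the sxadm manual: the function names effective_state and default_model, the "none" value for an untagged executable, and the demo inputs are this example's own. It does not model setuid or privileged binaries, which the exec subcommand description says ignore the exec settings entirely.

```shell
#!/bin/sh
# Added example, not from the sxadm manual: resolve the effective state of a
# process-level security extension from the system model, the tag compiled
# into the executable, and an optional sxadm exec setting.

# Shipped default model per extension, as stated in the manual's defaults.
default_model() {
    case $1 in
        aslr|nxheap|adiheap|adistack|ssbd) echo tagged-files ;;
        nxstack) echo all ;;
        *) echo "unknown extension: $1" >&2; return 1 ;;
    esac
}

# Usage: effective_state EXT MODEL TAG [EXEC_SETTING]
#   MODEL        all | tagged-files | default   (system-wide model property)
#   TAG          enable | disable | none        (ld(1) tag in the executable)
#   EXEC_SETTING enable | disable | ""          (from sxadm exec -s EXT=...)
# Prints "enable" or "disable".
effective_state() {
    ext=$1; model=$2; tag=$3; exec_setting=$4
    case $tag in enable|disable|none) ;; *) echo "bad tag: $tag" >&2; return 1 ;; esac
    if [ "$model" = default ]; then
        model=$(default_model "$ext") || return 1
    fi
    if [ -n "$exec_setting" ]; then
        echo "$exec_setting"   # sxadm exec overrides both tag and system setting
    elif [ "$tag" = disable ]; then
        echo disable           # a disabling tag is honoured without consulting the system
    elif [ "$model" = all ]; then
        echo enable            # model all applies to every process, tagged or not
    elif [ "$tag" = enable ]; then
        echo enable            # an enabling tag is honoured only under tagged-files
    else
        echo disable           # untagged executable under tagged-files
    fi
}

# Demo with constructed inputs.
printf 'aslr, default model, untagged:            %s\n' "$(effective_state aslr default none)"
printf 'aslr, default model, tagged enable:       %s\n' "$(effective_state aslr default enable)"
printf 'nxstack, default model, tagged disable:   %s\n' "$(effective_state nxstack default disable)"
printf 'aslr, model all, untagged:                %s\n' "$(effective_state aslr all none)"
printf 'aslr, tagged-files, tagged disable, exec: %s\n' "$(effective_state aslr tagged-files disable enable)"
```

The ordering of the branches is the whole point: an exec setting is checked first, then a disabling tag, and only then the system model, which is why a binary tagged disable stays unprotected even after sxadm enable -c model=all.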
The sxadm command includes the following subcommands.
enable: Enables the specified extensions for the current zone. The -c option allows sxadm to pass property values for the specific extension.
This command fails if the extension is not configurable. If the change requires a reboot, the extension state is not modified, and the extension is marked in the FLAGS output as having a change pending until the reboot.
exec: Executes the specified command with a specific configuration of security extensions. Each security extension not explicitly configured on the command line uses the system configuration. Child processes spawned by command do not inherit the security extension configuration specified on the command line; inheritance can be enabled with the -i option. setuid and privileged binaries do not inherit any configuration. Multiple -s options can be used on one command line to express multiple configurations. If the same extension is configured more than once, the last configuration takes precedence. In the following example, foobar is executed with ASLR enabled.
$ sxadm exec -s aslr=disable -s aslr=enable foobar
The sxadm exec subcommand is intended to handle only one common scenario: applying a debugger to a process that the debugger starts directly. For more complex scenarios this subcommand is not sufficient. In such cases, to facilitate debugging, it may be necessary to use sxadm to change the system- or zone-level security extension defaults, or to use ld(1) to apply tagging per object.
Because changing memory addresses complicates some debugging scenarios, this feature is most interesting when an extension based on a randomized secret, such as ASLR, is active. It is also useful for explicitly testing applications under different security extension configurations.
delcust: Restores the extensions to their default configuration. This effectively removes any customization.
disable: Disables the specified extensions for the current zone.
help: Displays usage information about sxadm, or more detailed information about each subcommand.
status: Reports information about the status of all security extensions in the current zone. If the -p option is specified, the output is displayed in an easily parsed format. Specifying extension on the command line filters the output to specific extensions.
The machine-parsable output is a colon-separated list of fields.
extension:status[.model]:configuration[.model]:flag[[.flag]...]
where:
extension: the name of the extension
status: the current state of the extension (enabled or disabled)
model: the model currently enabled for the security extension (all, default and tagged-files)
configuration: the configuration stored for the extension (enabled, disabled or system default)
flag: flags describing the extension. Each flag in the flag field is separated by ".".
The extension flags are as follows:
u: userland security extension
k: kernel security extension
c: the extension is configurable
r: configuration changes require a reboot
p: the extension has pending configuration changes which will be activated upon reboot
Colons (:), null characters (\0) and newlines (\n) are not allowed in any component.
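The parsable status format above is what a configuration audit would consume. The following POSIX shell functions are an added example, not part of the sxadm manual: they parse lines in the documented extension:status[.model]:configuration[.model]:flags layout and report extensions carrying a given flag, extensions with a change pending until reboot (flag p), and extensions whose stored configuration disagrees with the running state. The SAMPLE_STATUS lines are constructed for this example and were not captured from a real system; in use, the output of sxadm status -p would be piped in instead. This goes beyond the manual's example by adding the drift check.

```shell
#!/bin/sh
# Added example, not from the sxadm manual: parse `sxadm status -p` output.
# Field layout (from the manual):
#   extension:status[.model]:configuration[.model]:flag[.flag]...

# Constructed sample input; in practice use: sxadm status -p
SAMPLE_STATUS='aslr:enabled.tagged-files:default:u.c
nxstack:enabled.all:enabled.all:u.c
nxheap:enabled.tagged-files:enabled.all:u.c
kpti:enabled:enabled:k.c.r
ibrs:enabled:disabled:k.c.r.p
kadi:disabled:default:k.c.r'

# Print the name of every extension whose flag field contains FLAG.
# Usage: extensions_with_flag "$status_text" FLAG
extensions_with_flag() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        {
            n = split($4, f, "[.]")
            for (i = 1; i <= n; i++) if (f[i] == want) { print $1; break }
        }'
}

# Extensions with a configuration change that only takes effect after reboot.
pending_reboot() {
    extensions_with_flag "$1" p
}

# Extensions whose stored configuration (field 3) does not match the running
# status (field 2), comparing state and, where both carry one, model.
# A "default" configuration is skipped because the default is per extension.
# On an r-flagged extension this is what a pending change looks like; on any
# other extension it is unexpected and worth investigating.
config_drift() {
    printf '%s\n' "$1" | awk -F: '
        {
            split($2, s, "[.]"); split($3, c, "[.]")
            if (c[1] == "default") next
            if (s[1] != c[1] || (c[2] != "" && s[2] != c[2]))
                print $1 ": status=" $2 " configuration=" $3
        }'
}

# Demo on the constructed sample.
echo "kernel extensions:"; extensions_with_flag "$SAMPLE_STATUS" k
echo "pending reboot:";    pending_reboot "$SAMPLE_STATUS"
echo "config drift:";      config_drift "$SAMPLE_STATUS"
```

Because the format forbids colons, NULs and newlines inside any component, a colon-delimited awk parse is safe without further quoting; the only sub-structure is the "." separator inside the status, configuration and flag fields, which split() handles.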
get: Displays the values of security extension properties. property can be given as the tag "all" to display all properties. If extension is specified, only the property values of that extension are displayed. For each property, the following columns are displayed:
extension: the extension the property refers to
name: the name of the property
value: the value of the property
By default, all columns are displayed; the -o option can be used to select specific columns or all columns. If -p is specified, the output is displayed in an easily parsed format. That format is a colon-separated list of fields.
extension:name:value
Colons (:), null characters (\0) and newlines (\n) are not allowed in any component.
set: Assigns a value to a property of the specified extension.
$ sxadm status -p -o extension,status
aslr:enabled.tagged-files:u.c
nxstack:enabled.all:u.c
[...]
$
$ sxadm status
EXTENSION           STATUS                         FLAGS
aslr                enabled (tagged-files)         u-c---
nxstack             enabled (all)                  u-c---
[...]
$
Example 2 Using set/get to set and retrieve security extension properties
$ sxadm get model aslr
EXTENSION           PROPERTY    VALUE
aslr                model       default
# sxadm set log=enable nxheap
# sxadm get log nxheap
EXTENSION           PROPERTY    VALUE
nxheap              log         enable
Example 3 Running a debugging session
The following command sequence illustrates a debugging session executed with ASLR disabled.
$ sxadm exec -i -s aslr=disable /bin/bash
# Because all processes (except privileged ones) inherit the
# (disabled) ASLR configuration, commands such as mdb and truss
# have repeatable results.
$ truss -t mmap /bin/true
mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE5B0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE5A0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE590000
[...]
$ truss -t mmap /bin/true
mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE5B0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE5A0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE590000
[...]
$ truss -t mmap /bin/true
mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE5B0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE5A0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE590000
[...]
The command completed successfully.
The command exited due to an error.
See attributes(7) for descriptions of the following attributes:
ld(1), exec(2), sx_enabled(3C), adi(7), attributes(7)
Oracle ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 4.0.x
Fujitsu XSCF Reference Manual
The sxadm command was added in Oracle Solaris 11.1.0.
Support for the following security extensions was first added in the listed Oracle Solaris release:
The SSBD extension for SPARC systems was originally delivered in Oracle Solaris 11.4.5 under the name HW_SSB, and was then renamed to SSBD in 11.4.18.