build/mac/change_mach_o_flags.py

   1 #!/usr/bin/env python
   2 # Copyright (c) 2011 The Chromium Authors. All rights reserved.
   3 # Use of this source code is governed by a BSD-style license that can be
   4 # found in the LICENSE file.
   5
   6 """Usage: change_mach_o_flags.py [--executable-heap] [--no-pie] <executablepath>
   7
   8 Arranges for the executable at |executable_path| to have its data (heap)
   9 pages protected to prevent execution on Mac OS X 10.7 ("Lion"), and to have
  10 the PIE (position independent executable) bit set to enable ASLR (address
  11 space layout randomization). With --executable-heap or --no-pie, the
  12 respective bits are cleared instead of set, making the heap executable or
  13 disabling PIE/ASLR.
  14
  15 This script is able to operate on thin (single-architecture) Mach-O files
  16 and fat (universal, multi-architecture) files. When operating on fat files,
  17 it will set or clear the bits for each architecture contained therein.
  18
  19 NON-EXECUTABLE HEAP
  20
  21 Traditionally in Mac OS X, 32-bit processes did not have data pages set to
  22 prohibit execution. Although user programs could call mprotect and
  23 mach_vm_protect to deny execution of code in data pages, the kernel would
  24 silently ignore such requests without updating the page tables, and the
  25 hardware would happily execute code on such pages. 64-bit processes were
  26 always given proper hardware protection of data pages. This behavior was
  27 controllable on a system-wide level via the vm.allow_data_exec sysctl, which
  28 is set by default to 1. The bit with value 1 (set by default) allows code
  29 execution on data pages for 32-bit processes, and the bit with value 2
  30 (clear by default) does the same for 64-bit processes.
  31
  32 In Mac OS X 10.7, executables can "opt in" to having hardware protection
  33 against code execution on data pages applied. This is done by setting a new
  34 bit in the |flags| field of an executable's |mach_header|. When
  35 MH_NO_HEAP_EXECUTION is set, proper protections will be applied, regardless
  36 of the setting of vm.allow_data_exec. See xnu-1699.22.73/osfmk/vm/vm_map.c
  37 override_nx and xnu-1699.22.73/bsd/kern/mach_loader.c load_machfile.
  38
  39 The Apple toolchain has been revised to set the MH_NO_HEAP_EXECUTION when
  40 producing executables, provided that -allow_heap_execute is not specified
  41 at link time. Only linkers shipping with Xcode 4.0 and later (ld64-123.2 and
  42 later) have this ability. See ld64-123.2.1/src/ld/Options.cpp
  43 Options::reconfigureDefaults() and
  44 ld64-123.2.1/src/ld/HeaderAndLoadCommands.hpp
  45 HeaderAndLoadCommandsAtom<A>::flags().
  46
  47 This script sets the MH_NO_HEAP_EXECUTION bit on Mach-O executables. It is
  48 intended for use with executables produced by a linker that predates Apple's
  49 modifications to set this bit itself. It is also useful for setting this bit
  50 for non-i386 executables, including x86_64 executables. Apple's linker only
  51 sets it for 32-bit i386 executables, presumably under the assumption that
  52 the value of vm.allow_data_exec is set in stone. However, if someone were to
  53 change vm.allow_data_exec to 2 or 3, 64-bit x86_64 executables would run
  54 without hardware protection against code execution on data pages. This
  55 script can set the bit for x86_64 executables, guaranteeing that they run
  56 with appropriate protection even when vm.allow_data_exec has been tampered
  57 with.
  58
  59 POSITION-INDEPENDENT EXECUTABLES/ADDRESS SPACE LAYOUT RANDOMIZATION
  60
  61 This script sets or clears the MH_PIE bit in an executable's Mach-O header,
  62 enabling or disabling position independence on Mac OS X 10.5 and later.
  63 Processes running position-independent executables have varying levels of
  64 ASLR protection depending on the OS release. The main executable's load
  65 address, shared library load addresess, and the heap and stack base
  66 addresses may be randomized. Position-independent executables are produced
  67 by supplying the -pie flag to the linker (or defeated by supplying -no_pie).
  68 Executables linked with a deployment target of 10.7 or higher have PIE on
  69 by default.
  70
  71 This script is never strictly needed during the build to enable PIE, as all
  72 linkers used are recent enough to support -pie. However, it's used to
  73 disable the PIE bit as needed on already-linked executables.
  74 """
  75
  76 import optparse
  77 import os
  78 import struct
  79 import sys
  80
  81
  82 # <mach-o/fat.h>
  83 FAT_MAGIC = 0xcafebabe
  84 FAT_CIGAM = 0xbebafeca
  85
  86 # <mach-o/loader.h>
  87 MH_MAGIC = 0xfeedface
  88 MH_CIGAM = 0xcefaedfe
  89 MH_MAGIC_64 = 0xfeedfacf
  90 MH_CIGAM_64 = 0xcffaedfe
  91 MH_EXECUTE = 0x2
  92 MH_PIE = 0x00200000
  93 MH_NO_HEAP_EXECUTION = 0x01000000
  94
  95
  96 class MachOError(Exception):
  97   """A class for exceptions thrown by this module."""
  98
  99   pass
 100
 101
 102 def CheckedSeek(file, offset):
 103   """Seeks the file-like object at |file| to offset |offset| and raises a
 104   MachOError if anything funny happens."""
 105
 106   file.seek(offset, os.SEEK_SET)
 107   new_offset = file.tell()
 108   if new_offset != offset:
 109     raise MachOError, \
 110           'seek: expected offset %d, observed %d' % (offset, new_offset)
 111
 112
 113 def CheckedRead(file, count):
 114   """Reads |count| bytes from the file-like |file| object, raising a
 115   MachOError if any other number of bytes is read."""
 116
 117   bytes = file.read(count)
 118   if len(bytes) != count:
 119     raise MachOError, \
 120           'read: expected length %d, observed %d' % (count, len(bytes))
 121
 122   return bytes
 123
 124
 125 def ReadUInt32(file, endian):
 126   """Reads an unsinged 32-bit integer from the file-like |file| object,
 127   treating it as having endianness specified by |endian| (per the |struct|
 128   module), and returns it as a number. Raises a MachOError if the proper
 129   length of data can't be read from |file|."""
 130
 131   bytes = CheckedRead(file, 4)
 132
 133   (uint32,) = struct.unpack(endian + 'I', bytes)
 134   return uint32
 135
 136
 137 def ReadMachHeader(file, endian):
 138   """Reads an entire |mach_header| structure (<mach-o/loader.h>) from the
 139   file-like |file| object, treating it as having endianness specified by
 140   |endian| (per the |struct| module), and returns a 7-tuple of its members
 141   as numbers. Raises a MachOError if the proper length of data can't be read
 142   from |file|."""
 143
 144   bytes = CheckedRead(file, 28)
 145
 146   magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \
 147       struct.unpack(endian + '7I', bytes)
 148   return magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
 149
 150
 151 def ReadFatArch(file):
 152   """Reads an entire |fat_arch| structure (<mach-o/fat.h>) from the file-like
 153   |file| object, treating it as having endianness specified by |endian|
 154   (per the |struct| module), and returns a 5-tuple of its members as numbers.
 155   Raises a MachOError if the proper length of data can't be read from
 156   |file|."""
 157
 158   bytes = CheckedRead(file, 20)
 159
 160   cputype, cpusubtype, offset, size, align = struct.unpack('>5I', bytes)
 161   return cputype, cpusubtype, offset, size, align
 162
 163
 164 def WriteUInt32(file, uint32, endian):
 165   """Writes |uint32| as an unsinged 32-bit integer to the file-like |file|
 166   object, treating it as having endianness specified by |endian| (per the
 167   |struct| module)."""
 168
 169   bytes = struct.pack(endian + 'I', uint32)
 170   assert len(bytes) == 4
 171
 172   file.write(bytes)
 173
 174
 175 def HandleMachOFile(file, options, offset=0):
 176   """Seeks the file-like |file| object to |offset|, reads its |mach_header|,
 177   and rewrites the header's |flags| field if appropriate. The header's
 178   endianness is detected. Both 32-bit and 64-bit Mach-O headers are supported
 179   (mach_header and mach_header_64). Raises MachOError if used on a header that
 180   does not have a known magic number or is not of type MH_EXECUTE. The
 181   MH_PIE and MH_NO_HEAP_EXECUTION bits are set or cleared in the |flags| field
 182   according to |options| and written to |file| if any changes need to be made.
 183   If already set or clear as specified by |options|, nothing is written."""
 184
 185   CheckedSeek(file, offset)
 186   magic = ReadUInt32(file, '<')
 187   if magic == MH_MAGIC or magic == MH_MAGIC_64:
 188     endian = '<'
 189   elif magic == MH_CIGAM or magic == MH_CIGAM_64:
 190     endian = '>'
 191   else:
 192     raise MachOError, \
 193           'Mach-O file at offset %d has illusion of magic' % offset
 194
 195   CheckedSeek(file, offset)
 196   magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \
 197       ReadMachHeader(file, endian)
 198   assert magic == MH_MAGIC or magic == MH_MAGIC_64
 199   if filetype != MH_EXECUTE:
 200     raise MachOError, \
 201           'Mach-O file at offset %d is type 0x%x, expected MH_EXECUTE' % \
 202               (offset, filetype)
 203
 204   original_flags = flags
 205
 206   if options.no_heap_execution:
 207     flags |= MH_NO_HEAP_EXECUTION
 208   else:
 209     flags &= ~MH_NO_HEAP_EXECUTION
 210
 211   if options.pie:
 212     flags |= MH_PIE
 213   else:
 214     flags &= ~MH_PIE
 215
 216   if flags != original_flags:
 217     CheckedSeek(file, offset + 24)
 218     WriteUInt32(file, flags, endian)
 219
 220
 221 def HandleFatFile(file, options, fat_offset=0):
 222   """Seeks the file-like |file| object to |offset| and loops over its
 223   |fat_header| entries, calling HandleMachOFile for each."""
 224
 225   CheckedSeek(file, fat_offset)
 226   magic = ReadUInt32(file, '>')
 227   assert magic == FAT_MAGIC
 228
 229   nfat_arch = ReadUInt32(file, '>')
 230
 231   for index in xrange(0, nfat_arch):
 232     cputype, cpusubtype, offset, size, align = ReadFatArch(file)
 233     assert size >= 28
 234
 235     # HandleMachOFile will seek around. Come back here after calling it, in
 236     # case it sought.
 237     fat_arch_offset = file.tell()
 238     HandleMachOFile(file, options, offset)
 239     CheckedSeek(file, fat_arch_offset)
 240
 241
 242 def main(me, args):
 243   parser = optparse.OptionParser('%prog [options] <executable_path>')
 244   parser.add_option('--executable-heap', action='store_false',
 245                     dest='no_heap_execution', default=True,
 246                     help='Clear the MH_NO_HEAP_EXECUTION bit')
 247   parser.add_option('--no-pie', action='store_false',
 248                     dest='pie', default=True,
 249                     help='Clear the MH_PIE bit')
 250   (options, loose_args) = parser.parse_args(args)
 251   if len(loose_args) != 1:
 252     parser.print_usage()
 253     return 1
 254
 255   executable_path = loose_args[0]
 256   executable_file = open(executable_path, 'rb+')
 257
 258   magic = ReadUInt32(executable_file, '<')
 259   if magic == FAT_CIGAM:
 260     # Check FAT_CIGAM and not FAT_MAGIC because the read was little-endian.
 261     HandleFatFile(executable_file, options)
 262   elif magic == MH_MAGIC or magic == MH_CIGAM or \
 263       magic == MH_MAGIC_64 or magic == MH_CIGAM_64:
 264     HandleMachOFile(executable_file, options)
 265   else:
 266     raise MachOError, '%s is not a Mach-O or fat file' % executable_file
 267
 268   executable_file.close()
 269   return 0
 270
 271
 272 if __name__ == '__main__':
 273   sys.exit(main(sys.argv[0], sys.argv[1:]))