SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: [RFC][PATCH] Control ability to have a writable executable mapping This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] [ Replies ] From: Stephen Smalley <sds_at_epoch.ncsc.mil> Date: Wed, 10 Nov 2004 10:35:06 -0500 On Tue, 2004-11-09 at 16:05, Stephen Smalley wrote: > Sorry, the last statement isn't accurate; this patch only provides > SELinux policy control over the ability to have a mapping that is > simultaneously writable and executable. One could still create a rw > mapping and then later change its protection to rx. For anonymous > mappings, the patch could be trivially modified to apply the check for > any PROT_EXEC mapping and thus prevent executable anonymous mappings > entirely except when explicitly allowed; that seems reasonable. Private > file mappings are more problematic. Ok, based on feedback and some sample code from Roland McGrath (but any bugs are likely mine), here are revised kernel and policy patches with the following changes: - permission name has changed from wxpage to execmem to more accurately represent the meaning, - always check this permission for any executable anonymous mapping, whether presently writable or not, - check this permission not only for a writable executable private file mapping, but also for an executable private file mapping that has been previously written (based on whether a COW has occurred for the mapping). This brings the check closer to the goal of controlling the ability to make executable a mapping that can contain data not covered by file permission checks. Constructive comments welcome. -- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. text/x-patch attachment: sel-execmem.patch__charset_UTF-8 text/x-patch attachment: policy-execmem.patch__charset_UTF-8 Received on Wed 10 Nov 2004 - 10:39:08 EST This message: [ Message body ] Next message: Thomas Bleher: "Re: Patches without the can_network patch." Previous message: Stephen Smalley: "Re: [RFC][PATCH] Control ability to have a writable executable mapping" In reply to: Stephen Smalley: "Re: [RFC][PATCH] Control ability to have a writable executable mapping" Next in thread: Stephen Smalley: "Re: [RFC][PATCH] Control ability to have a writable executable mapping" Reply: Stephen Smalley: "Re: [RFC][PATCH] Control ability to have a writable executable mapping" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom