SELinux Mailing List

[RFC][PATCH 2/2] Further SELinux restrictions on mprotect
From: Lorenzo Hernández García-Hierro <lorenzo_at_gnu.org>
Date: Wed, 20 Apr 2005 19:18:08 +0200
This patch, based on sample code by Roland McGrath, adds an execheap permission check that controls the ability to make the heap executable so that this can be prevented in almost all cases (the X server is presently an exception, but this will hopefully be resolved in the future) so that even programs with execmem permission will need to have the anonymous memory mapped in order to make it executable.

The only reason that we use a permission check for such restriction (vs. making it unconditional) is that the X module loader presently needs it; it could possibly be made unconditional in the future when X is changed.

The policy patch for the execheap permission is available at:
http://pearls.tuxedo-es.org/patches/selinux/policy-execheap.patch

Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
--- linux-2.6-20050404-lorenzo/security/selinux/hooks.c | 11 ++++++++++ linux-2.6-20050404-lorenzo/security/selinux/include/av_perm_to_string.h | 1 linux-2.6-20050404-lorenzo/security/selinux/include/av_permissions.h | 1 3 files changed, 13 insertions(+) diff -puN security/selinux/include/av_permissions.h~kernel-execheap security/selinux/include/av_permissions.h --- linux-2.6-20050404/security/selinux/include/av_permissions.h~kernel-execheap 2005-04-20 19:02:37.743652408 +0200 +++ linux-2.6-20050404-lorenzo/security/selinux/include/av_permissions.h 2005-04-20 19:02:37.754650736 +0200 @@ -466,6 +466,7 @@

Received on Wed 20 Apr 2005 - 14:05:46 EDT
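A user-space check for the distinction the patch description draws between making the heap executable and making an anonymous mapping executable, as an added example that is not part of the original post or of the SELinux code base. The function names and posture labels are hypothetical, and it assumes Linux and that "the heap" is the brk region grown with sbrk.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define RWX (PROT_READ | PROT_WRITE | PROT_EXEC)
enum posture { UNRESTRICTED, HEAP_DENIED, EXECMEM_DENIED, UNEXPECTED };
/* Ask for PROT_EXEC on one page of the brk heap: 0, errno, or -1 on setup failure. */
int probe_heap_exec(void)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t brk0 = (uintptr_t)sbrk(0);
    uintptr_t start = (brk0 + page - 1) & ~(page - 1);   /* mprotect needs alignment */
    if (sbrk((intptr_t)(start - brk0 + page)) == (void *)-1) return -1;
    int rc = mprotect((void *)start, page, RWX) ? errno : 0;
    mprotect((void *)start, page, PROT_READ | PROT_WRITE); /* restore */
    return rc;
}

/* Same request on a fresh anonymous mapping (the execmem case). */
int probe_anon_exec(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    int rc = mprotect(p, page, RWX) ? errno : 0;
    munmap(p, page);
    return rc;
}

/* Interpret the pair of results; the labels are this example's own. */
enum posture classify(int heap_rc, int anon_rc)
{
    if (heap_rc < 0 || anon_rc < 0) return UNEXPECTED;      /* probe could not run */
    if (heap_rc == 0 && anon_rc == 0) return UNRESTRICTED;  /* no SELinux, or both granted */
    if (heap_rc != 0 && anon_rc == 0) return HEAP_DENIED;   /* execmem yes, execheap no */
    if (heap_rc != 0 && anon_rc != 0) return EXECMEM_DENIED;
    return UNEXPECTED;                                      /* heap allowed, anon denied */
}

int main(void)
{
    static const char *name[] = { "unrestricted", "heap denied", "execmem denied", "unexpected" };
    int h = probe_heap_exec(), a = probe_anon_exec();
    printf("heap rc=%d anon rc=%d -> %s\n", h, a, name[classify(h, a)]);
    return 0;
}
```

Run it in the domain under test; a denial recorded for the heap probe alone is the outcome the description aims for in domains that hold execmem.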
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009