| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4528FBA5.9010701@aknet.ru> Date: Sun, 08 Oct 2006 17:22:45 +0400 From: Stas Sergeev <stsp@...et.ru> To: Jesper Juhl <jesper.juhl@...il.com> Cc: Jeremy Fitzhardinge <jeremy@...p.org>, Alan Cox <alan@...rguk.ukuu.org.uk>, Jakub Jelinek <jakub@...hat.com>, Arjan van de Ven <arjan@...radead.org>, Linux kernel <linux-kernel@...r.kernel.org>, Hugh Dickins <hugh@...itas.com>, Ulrich Drepper <drepper@...hat.com> Subject: Re: [patch] honour MNT_NOEXEC for access() Hello. Jesper Juhl wrote: > As I see it, what we can resonably do with 'noexec' is > - make execve() fail. Done. > - make access(), faccessat() return EACCESS for files stored on > 'noexec' filesystems. Done now in -mm. > - make mmap(...PROT_EXEC...) fail for files stored on 'noexec' filesystems. Even for MAP_PRIVATE? But in what way the "noexec" is better than "chmod -x", which does _not_ make the PROT_EXEC to fail? > Since we can't really prevent things like perl/php/bash/tcl/whatever > scripts from being executed/interpreted from there with this > mechanism, let's not worry about that. Leave that for things like > SELinux to deal with. Exactly, but isn't it the same with mmap? (MAP_PRIVATE at least) Since you can't prevent the prog to simply read() the data into an anonymously mapped space, you can just as well leave that to selinux too. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists