| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKFga-dDRyRwxUu4Sv7QLcoyY5T3xxhw48LP2goWs=avGW0d_A@mail.gmail.com> Date: Mon, 20 Aug 2012 23:48:37 +0200 From: Ard Biesheuvel <ard.biesheuvel@...il.com> To: Kees Cook <keescook@...omium.org> Cc: linux-kernel@...r.kernel.org Subject: Re: [PATCH] hardening: add PROT_FINAL prot flag to mmap/mprotect > This seems like a good idea to me. It would allow more than just the > loader to harden userspace allocations. It's a more direct version of > PaX's "MPROTECT" feature[1]. That feature hardens existing loaders, > but doesn't play nice with JITs (like Java), but this lets a loader > (or JIT) opt-in to the protection and have some direct control over it. > If desired, additional restrictions can be imposed by using the security framework, e.g,, disallow non-final r-x mappings. > It seems like there needs to be a sensible way to detect that this flag is > available, though. > I am open for suggestions to address this. Our particular implementation of the loader (on an embedded system) tries to set it on the first mmap invocation, and stops trying if it fails. Not the most elegant approach, I know ... -- Ard. > -Kees > > [1] http://pax.grsecurity.net/docs/mprotect.txt > > -- > Kees Cook @outflux.net -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists