| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 26 Oct 2016 20:31:36 +0000
From: Topi Miettinen <toiwoton@...il.com>
To: Paul Moore <paul@...l-moore.com>,
Eric Paris <eparis@...isplace.org>,
James Morris <james.l.morris@...cle.com>,
"Serge E. Hallyn" <serge@...lyn.com>,
"moderated list:SELINUX SECURITY MODULE" <selinux@...ho.nsa.gov>,
"open list:SECURITY SUBSYSTEM"
<linux-security-module@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>,
Stephen Smalley <sds@...ho.nsa.gov>
Subject: selinux: should execmem disable shmat(..., SHM_EXEC)?
Hi,
Maybe this is a stupid question and I didn't test this with SELinux, but
it looks to me that SELinux execmem does not prevent process from
getting writable and executable memory mappings by using shmat(...,
SHM_EXEC). Shouldn't this be blocked by execmem, I suppose it is there
to prevent this kind of memory access?
Here's a test program:
#include <sys/ipc.h>
#include <sys/shm.h>
int main(void) {
int shmid;
char *execmem;
void (*fn)(void);
shmid = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0777);
execmem = shmat(shmid, 0, SHM_EXEC);
shmctl(shmid, IPC_RMID, 0);
*execmem = 0xc3; // retq
fn = (void (*)(void))execmem;
fn();
shmdt(execmem);
}
-Topi
Powered by blists - more mailing lists