mmap and PROT_EXEC

Posted Mar 11, 2008 0:00 UTC (Tue) by jreiser (subscriber, #11027)
In reply to: Security benefits of noexec? by nix
Parent article: Secure temporary files in Linux (ZDNet India)

mmap() and mprotect() involving PROT_EXEC are not necessarily trivial when Security Enhanced
Linux (SELinux) is present.  In particular, in some environments it is reasonable to attempt
to enforce the policy: "Any instruction ever executed must be fetched from the unchanging
PROT_EXEC pages of the following explicit list of files."  Accurate implementation of this
policy is a successful defense against many exploits.
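
An audit-side sketch of the policy quoted above, added here as an example and not part of the original comments: it checks each line of a `/proc/<pid>/maps` dump for executable mappings that are writable, anonymous, or backed by a file outside an explicit list. The allowlist entries, the sample lines and the function names are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Verdicts for one line of /proc/<pid>/maps under the quoted policy. */
enum verdict { V_OK, V_WRITABLE_EXEC, V_ANON_EXEC, V_UNLISTED_FILE, V_PARSE_ERROR };

/* Hypothetical allowlist standing in for the policy's "explicit list of files". */
static const char *const ALLOWED[] = { "/usr/bin/demo", "/usr/lib/libc.so.6", "[vdso]" };

/* Constructed sample dump (not captured from a real process). */
static const char SAMPLE_MAPS[] =
    "00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/demo\n"
    "7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0\n"
    "7f3a30000000-7f3a30004000 r-xp 00000000 08:02 99 /tmp/payload.so (deleted)\n";

static int allowed(const char *path) {
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(path, ALLOWED[i]) == 0) return 1;
    return 0;
}

enum verdict check_maps_line(const char *line) {
    unsigned long long start, end, off, inode;
    char perms[5], dev[16], path[256] = "";
    /* Format: start-end perms offset dev inode [path]; the path may be absent. */
    int n = sscanf(line, "%llx-%llx %4s %llx %15s %llu %255[^\n]",
                   &start, &end, perms, &off, dev, &inode, path);
    if (n < 6 || strlen(perms) != 4) return V_PARSE_ERROR;
    if (perms[2] != 'x') return V_OK;             /* not executable: out of scope */
    if (perms[1] == 'w') return V_WRITABLE_EXEC;  /* code pages can still change */
    if (allowed(path)) return V_OK;
    /* No path, or a pseudo-path such as [heap] or [stack], means no backing file. */
    return path[0] == '/' ? V_UNLISTED_FILE : V_ANON_EXEC;
}

/* Count lines of a newline-separated dump that are not V_OK (parse errors included). */
int count_violations(const char *maps) {
    int bad = 0;
    char line[512];
    while (*maps) {
        size_t len = strcspn(maps, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, maps);
        if (len && check_maps_line(line) != V_OK) bad++;
        maps += len + (maps[len] == '\n');
    }
    return bad;
}

int main(void) { printf("violations: %d\n", count_violations(SAMPLE_MAPS)); return 0; }
```

A maps snapshot only shows the current state; catching pages that were written and later made executable requires enforcement at mmap()/mprotect() time, which is where SELinux's execmem and execmod checks apply.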


mmap and PROT_EXEC

Posted Mar 11, 2008 12:36 UTC (Tue) by nix (subscriber, #2304)

Yes, SELinux can plug this hole (although it might be annoying to do so).

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds