Re: [patch] honour MNT_NOEXEC for access()
From: Stas Sergeev
Date: Sun Oct 08 2006 - 09:21:07 EST
Hello.
Jesper Juhl wrote:
As I see it, what we can resonably do with 'noexec' is
- make execve() fail.
Done.
- make access(), faccessat() return EACCESS for files stored on
'noexec' filesystems.
Done now in -mm.
- make mmap(...PROT_EXEC...) fail for files stored on 'noexec' filesystems.
Even for MAP_PRIVATE?
But in what way the "noexec" is better than "chmod -x",
which does _not_ make the PROT_EXEC to fail?
Since we can't really prevent things like perl/php/bash/tcl/whatever
scripts from being executed/interpreted from there with this
mechanism, let's not worry about that. Leave that for things like
SELinux to deal with.
Exactly, but isn't it the same with mmap? (MAP_PRIVATE at least)
Since you can't prevent the prog to simply read() the data into
an anonymously mapped space, you can just as well leave that to
selinux too.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/