Re: [patch] honour MNT_NOEXEC for access()

From: Stas Sergeev
Date: Sun Oct 08 2006 - 09:21:07 EST


Hello.

Jesper Juhl wrote:
As I see it, what we can resonably do with 'noexec' is
- make execve() fail.
Done.

- make access(), faccessat() return EACCESS for files stored on
'noexec' filesystems.
Done now in -mm.

- make mmap(...PROT_EXEC...) fail for files stored on 'noexec' filesystems.
Even for MAP_PRIVATE?
But in what way the "noexec" is better than "chmod -x",
which does _not_ make the PROT_EXEC to fail?

Since we can't really prevent things like perl/php/bash/tcl/whatever
scripts from being executed/interpreted from there with this
mechanism, let's not worry about that. Leave that for things like
SELinux to deal with.
Exactly, but isn't it the same with mmap? (MAP_PRIVATE at least)
Since you can't prevent the prog to simply read() the data into
an anonymously mapped space, you can just as well leave that to
selinux too.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/