Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps

From: Stas Sergeev
Date: Tue Sep 26 2006 - 15:45:37 EST

Next message: Pavel Machek: "Re: [PATCH 5/5] Add gsm phone support for the mixer in tsc2101 alsa driver."
Previous message: Jeff Garzik: "Re: pata_serverworks oopses in latest -git"
In reply to: David Wagner: "Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps"
Next in thread: Arjan van de Ven: "Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Guys.

Noone provided a reason for (or even tried to defend)
the fact that PROT_EXEC is rejected by "noexec" even
for MAP_PRIVATE, while, say, PROT_WRITE is *not* rejected
for "ro" filesystem for MAP_PRIVATE. What was argued is
only MAP_SHARED.
I take it as an indication that people basically agree
that "noexec" should not affect MAP_PRIVATE like that.
So how about the patch (like the attached one) which
changes only the behaveour of MAP_PRIVATE?

Reasons:
- MAP_PRIVATE should not behave like that, "ro" and PROT_WRITE
is a witness.
- This is not a security check - file-backed MAP_PRIVATE
can just be replaced with MAP_PRIVATE | MAP_ANONYMOUS
mmap and read().
- The programs (like AFAIK wine) use MAP_PRIVATE mmaps to
access the windows dlls, which are usually on a "noexec"
fat or ntfs partitions. Wine might be smart enough not to
break but fallback to read(), but this is slower and more
memory-consuming. Some other program may not be that smart
and break. So there is clearly a need for MAP_PRIVATE with
PROT_EXEC on the noexec partitions.

Please let me know why this patch should not be applied.

--- a/mm/mmap.c 2006-01-25 15:02:24.000000000 +0300
+++ b/mm/mmap.c 2006-09-21 13:19:15.000000000 +0400
@@ -900,7 +900,7 @@
if (!file->f_op || !file->f_op->mmap)
return -ENODEV;

- if ((prot & PROT_EXEC) &&
+ if ((flags & MAP_SHARED) && (prot & PROT_EXEC) &&
(file->f_vfsmnt->mnt_flags & MNT_NOEXEC))
return -EPERM;
}
@@ -911,7 +911,8 @@
* mounted, in which case we dont add PROT_EXEC.)
*/
if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
- if (!(file && (file->f_vfsmnt->mnt_flags & MNT_NOEXEC)))
+ if (!(file && (flags & MAP_SHARED) &&
+ (file->f_vfsmnt->mnt_flags & MNT_NOEXEC)))
prot |= PROT_EXEC;

if (!len)
--- a/mm/nommu.c 2006-04-12 09:37:34.000000000 +0400
+++ b/mm/nommu.c 2006-09-21 13:21:32.000000000 +0400
@@ -495,7 +495,7 @@

/* handle executable mappings and implied executable
* mappings */
- if (file->f_vfsmnt->mnt_flags & MNT_NOEXEC) {
+ if ((flags & MAP_SHARED) && file->f_vfsmnt->mnt_flags & MNT_NOEXEC) {
if (prot & PROT_EXEC)
return -EPERM;
}

Next message: Pavel Machek: "Re: [PATCH 5/5] Add gsm phone support for the mixer in tsc2101 alsa driver."
Previous message: Jeff Garzik: "Re: pata_serverworks oopses in latest -git"
In reply to: David Wagner: "Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps"
Next in thread: Arjan van de Ven: "Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]