Re: [PATCH] hardening: add PROT_FINAL prot flag to mmap/mprotect

From: Ard Biesheuvel
Date: Mon Aug 20 2012 - 17:48:39 EST


> This seems like a good idea to me. It would allow more than just the
> loader to harden userspace allocations. It's a more direct version of
> PaX's "MPROTECT" feature[1]. That feature hardens existing loaders,
> but doesn't play nice with JITs (like Java), but this lets a loader
> (or JIT) opt-in to the protection and have some direct control over it.
>

If desired, additional restrictions can be imposed by using the
security framework, e.g., disallow non-final r-x mappings.

> It seems like there needs to be a sensible way to detect that this flag is
> available, though.
>

I am open to suggestions to address this. Our particular
implementation of the loader (on an embedded system) tries to set it
on the first mmap invocation, and stops trying if it fails. Not the
most elegant approach, I know ...

--
Ard.


> -Kees
>
> [1] http://pax.grsecurity.net/docs/mprotect.txt
>
> --
> Kees Cook @outflux.net
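
The probe-and-fall-back detection described in the reply above, sketched as an added example that is not code from the post, the patch or the loader it mentions. The `PROT_FINAL` value is a placeholder, `struct loader`, `loader_map`, `loader_final_active` and the `sim_*` kernel stand-in are hypothetical names, and the approach assumes the kernel refuses an unknown prot bit at mmap time.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/mman.h>
#include <sys/types.h>

#ifndef PROT_FINAL
#define PROT_FINAL 0x80 /* ASSUMPTION: placeholder bit, not the patch's value */
#endif

typedef void *(*mmap_fn)(void *, size_t, int, int, int, off_t);
enum final_state { FINAL_UNTESTED, FINAL_AVAILABLE, FINAL_UNAVAILABLE };

struct loader {
    mmap_fn map;            /* mmap in a real loader, a stub here */
    enum final_state state; /* result of the one-time probe */
};

/* Constructed stand-in for the kernel so the example runs anywhere. */
int sim_has_final, sim_fail_all, sim_final_requests;
char sim_page[4096];
void *sim_mmap(void *a, size_t n, int prot, int fl, int fd, off_t off)
{
    (void)a; (void)n; (void)fl; (void)fd; (void)off;
    if (prot & PROT_FINAL)
        sim_final_requests++;
    if (sim_fail_all) { errno = ENOMEM; return MAP_FAILED; }
    if ((prot & PROT_FINAL) && !sim_has_final) { errno = EINVAL; return MAP_FAILED; }
    return sim_page;
}

/* Map a segment, requesting PROT_FINAL until the kernel has refused it. */
void *loader_map(struct loader *l, size_t len, int prot, int flags, int fd, off_t off)
{
    if (l->state != FINAL_UNAVAILABLE) {
        void *p = l->map(NULL, len, prot | PROT_FINAL, flags, fd, off);
        if (p != MAP_FAILED) {
            l->state = FINAL_AVAILABLE;
            return p;
        }
        if (l->state == FINAL_AVAILABLE)
            return MAP_FAILED;      /* flag known to work: a real error */
    }
    void *p = l->map(NULL, len, prot, flags, fd, off);
    /* Give up on the flag only when the same request works without it. */
    if (p != MAP_FAILED && l->state == FINAL_UNTESTED)
        l->state = FINAL_UNAVAILABLE;
    return p;
}

/* Lets the loader log or refuse to run when the hardening is missing. */
int loader_final_active(const struct loader *l) { return l->state == FINAL_AVAILABLE; }
```

Because the fallback is silent, a caller that depends on the hardening should check `loader_final_active()` after the first mapping and log or abort when it returns 0.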