To: Paul Moore, Eric Paris, James Morris, "Serge E. Hallyn", "moderated list:SELINUX SECURITY MODULE", "open list:SECURITY SUBSYSTEM", open list, Stephen Smalley
From: Topi Miettinen
Subject: selinux: should execmem disable shmat(..., SHM_EXEC)?
Message-ID: <3f453e5e-e70c-f00d-9b5b-f09addd04ada@gmail.com>
Date: Wed, 26 Oct 2016 20:31:36 +0000
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

Maybe this is a stupid question and I didn't test this with SELinux, but
it looks to me that SELinux execmem does not prevent a process from getting
writable and executable memory mappings by using shmat(..., SHM_EXEC).
Shouldn't this be blocked by execmem, I suppose it is there to prevent
this kind of memory access?

Here's a test program:

#include <sys/ipc.h>
#include <sys/shm.h>

int main(void) {
	int shmid;
	char *execmem;
	void (*fn)(void);

	/* create a private 4096-byte SysV shared memory segment */
	shmid = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0777);
	/* attach it read/write with SHM_EXEC also set */
	execmem = shmat(shmid, 0, SHM_EXEC);
	/* mark the segment for removal once it is detached */
	shmctl(shmid, IPC_RMID, 0);
	*execmem = 0xc3; // retq
	fn = (void (*)(void))execmem;
	fn();

	shmdt(execmem);
}

-Topi
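
An added example, not part of the original message or of any kernel or SELinux code: a small C checker that reads /proc/<pid>/maps and reports mappings that are writable and executable at the same time, marking those backed by a System V shared memory segment, which is how an attachment made with shmat(..., SHM_EXEC) appears there. The function names wx_mapping and scan_maps and the sample line in the comment are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Classify one /proc/<pid>/maps line:
 *     start-end perms offset dev inode [path]
 * Constructed sample of a SysV shm attach done with SHM_EXEC:
 *     7f3a1c000000-7f3a1c001000 rwxs 00000000 00:01 32768 /SYSV00000000 (deleted)
 * Returns 1 if the mapping is both writable and executable.
 * *sysv is set to 1 when the backing object is a SysV shm segment,
 * which the kernel names "/SYSV" followed by the key in hex. */
int wx_mapping(const char *line, int *sysv)
{
    char perms[5] = "";
    const char *path;

    *sysv = 0;
    if (sscanf(line, "%*lx-%*lx %4s", perms) != 1 || strlen(perms) < 4)
        return 0;                      /* not a maps line */
    if (perms[1] != 'w' || perms[2] != 'x')
        return 0;                      /* W^X holds for this mapping */
    path = strchr(line, '/');          /* dev field uses ':', never '/' */
    *sysv = path && strncmp(path, "/SYSV", 5) == 0;
    return 1;
}

/* Scan an open maps stream, print each W+X mapping, return how many. */
int scan_maps(FILE *f)
{
    char line[4096 + 128];             /* PATH_MAX plus the fixed fields */
    int n = 0, sysv;

    while (fgets(line, sizeof line, f))
        if (wx_mapping(line, &sysv)) {
            printf("%s %s", sysv ? "W+X sysv-shm:" : "W+X:", line);
            n++;
        }
    return n;
}

int main(int argc, char **argv)
{
    char path[64];
    FILE *f;

    /* argv[1] is a PID; with no argument the checker inspects itself */
    snprintf(path, sizeof path, "/proc/%s/maps", argc > 1 ? argv[1] : "self");
    if (!(f = fopen(path, "r"))) { perror(path); return 2; }
    int n = scan_maps(f);
    fclose(f);
    return n ? 1 : 0;                  /* exit status 1 if any W+X mapping */
}
```

Reading another process's maps file requires the usual ptrace-level access to that process; the exit status makes the checker usable from an audit script.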