On Wed, 2006-04-19 at 22:52 -0700, John Reiser wrote:
> I develop the Linux+ELF side of UPX, which compresses executable programs
> to save storage space and invocation time. Immediately after kernel
> execve() of a compressed program, a small decompressor reconstructs
> the original PT_LOADs directly into address space; then execution proceeds
> as usual. The decompression writes instructions which execute later,
> directly into pages with both PROT_WRITE and PROT_EXEC, so perhaps
> there should be a { denied } avc due to execmem when SELinux is in
> enforcing mode. Reading the explanation of execmem in
> http://people.redhat.com/drepper/selinux-mem.html
> supports this theory.
>
> However, under all released FC5 kernels including 2.6.16-1.2096_FC5,
> I see no execmem complaints. Strace of typical execution begins:
Hmmm...shouldn't.
# /usr/sbin/getsebool allow_execmem
(If on, /usr/sbin/setsebool allow_execmem=0, or run your test under a
confined domain.)
# cat /selinux/checkreqprot
# execstack -q /path/to/program
--
Stephen Smalley
National Security Agency
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
