execstack protection doesn't work for executables

Dear all,

I'm on Fedora release 37 and have two files with the execstack flag set:
$ readelf -a ./testx | grep -A1 STACK
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RWE    0x10
$ readelf -a ./libtestx.so | grep -A1 STACK
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RWE    0x10

Protection is enabled:
# getsebool selinuxuser_execstack
selinuxuser_execstack --> off

The library is not loadable:
$ enable -f ./libtestx.so x
-bash: enable: cannot open shared object ./libtestx.so: ./libtestx.so:
cannot enable executable stack as shared object requires: Permission
denied
type=AVC msg=audit(01/23/2024 15:44:26.837:637) : avc:  denied  {
execstack } for  pid=1685 comm=bash
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process permissive=0

But the executable runs without restriction:
$ ./testx
This executable should be rejected as execstack

Is this wrong behaviour?
I think that the needed LSM hook is not called from all the needed
places in the kernel.
I wrote a mail about this here:
https://www.spinics.net/lists/linux-security-module/msg56376.html

Usually kernel people pay attention to problems that really affect
users. So if someone could confirm the problem, it would help to fix
it.
Thank you for your attention.

Kind regards,
Dmitry Mastykin
--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
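As an added example (not code from the post, and not part of the kernel, glibc or SELinux): a small C scanner that reads the PT_GNU_STACK program header the post inspected with readelf and reports whether a file asks for an executable stack. The ELF image it scans is constructed in memory by build_image(), a stand-in for the post's testx and libtestx.so; the struct definitions, the PT_GNU_STACK/PF_* constants and every function name here are mine. It only decides what the file requests; whether the kernel then consults the LSM for a freshly exec'd binary, which is what the post reports it does not, is a separate question the scanner cannot answer.

```c
/* Added example: ELF64 PT_GNU_STACK scanner plus a constructed test image.
 * Structures are declared here instead of via <elf.h> so the file builds on
 * any platform; layouts follow the ELF64 specification. Little-endian only. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PT_GNU_STACK 0x6474e551u
#define PF_X 0x1u
#define PF_W 0x2u
#define PF_R 0x4u

typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf64_ehdr;                                   /* 64 bytes */

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} elf64_phdr;                                   /* 56 bytes */

enum { STACK_NOT_ELF = -1, STACK_NO_GNU_STACK = 0, STACK_FOUND = 1 };

/* Walk the program headers of the ELF64 image in buf[0..len). On
 * STACK_FOUND, *flags receives the PT_GNU_STACK p_flags. Every read is
 * bounds-checked first, so a truncated or hostile header table cannot
 * push the scan past the buffer. */
int gnu_stack_flags(const uint8_t *buf, size_t len, uint32_t *flags)
{
    elf64_ehdr eh;
    if (len < sizeof eh) return STACK_NOT_ELF;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) return STACK_NOT_ELF;
    if (eh.e_ident[4] != 2 || eh.e_ident[5] != 1)   /* ELFCLASS64, LSB */
        return STACK_NOT_ELF;
    if (eh.e_phentsize != sizeof(elf64_phdr)) return STACK_NOT_ELF;
    if (eh.e_phoff > len ||
        (size_t)eh.e_phnum * sizeof(elf64_phdr) > len - eh.e_phoff)
        return STACK_NOT_ELF;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        elf64_phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) { *flags = ph.p_flags; return STACK_FOUND; }
    }
    return STACK_NO_GNU_STACK;
}

/* 1: PT_GNU_STACK present with PF_X (the RWE case in the post).
 * 0: PT_GNU_STACK present without PF_X.
 * -1: no PT_GNU_STACK or not a usable ELF64 image. A missing header makes
 * the kernel fall back to an architecture-specific default, so -1 means
 * "look closer", not "safe". */
int requests_execstack(const uint8_t *buf, size_t len)
{
    uint32_t flags = 0;
    if (gnu_stack_flags(buf, len, &flags) != STACK_FOUND) return -1;
    return (flags & PF_X) ? 1 : 0;
}

/* Constructed, non-runnable ELF64 image: one PT_LOAD and, if with_stack
 * is nonzero, a PT_GNU_STACK carrying stack_flags. Returns the byte size.
 * Exists only to exercise the scanner offline. */
size_t build_image(uint8_t *out, size_t cap, int with_stack, uint32_t stack_flags)
{
    elf64_ehdr eh; elf64_phdr ph[2];
    size_t n = with_stack ? 2 : 1, total = sizeof eh + n * sizeof(elf64_phdr);
    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, "\x7f" "ELF\x02\x01\x01", 7);     /* ELF64, LSB, v1 */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;   /* ET_EXEC, x86-64 */
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(elf64_phdr); eh.e_phnum = (uint16_t)n;
    ph[0].p_type = 1; ph[0].p_flags = PF_R | PF_X; ph[0].p_align = 0x1000;
    ph[1].p_type = PT_GNU_STACK; ph[1].p_flags = stack_flags; ph[1].p_align = 0x10;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, n * sizeof(elf64_phdr));
    return total;
}

/* Build one constructed image and classify it. */
int scan_constructed(int with_stack, uint32_t stack_flags)
{
    uint8_t img[256];
    size_t n = build_image(img, sizeof img, with_stack, stack_flags);
    return requests_execstack(img, n);
}

int main(void)
{
    printf("RWE GNU_STACK: %d\n", scan_constructed(1, PF_R | PF_W | PF_X));
    printf("RW  GNU_STACK: %d\n", scan_constructed(1, PF_R | PF_W));
    printf("no  GNU_STACK: %d\n", scan_constructed(0, 0));
    return 0;
}
```

To scan a real file, read it into a buffer and pass it to requests_execstack(); a result of 1 corresponds to the RWE line the post's readelf output shows. The scanner deliberately refuses images whose program-header table would extend past the buffer instead of clamping, because an ELF that lies about e_phnum is exactly the kind of input such a tool should flag rather than tolerate.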



