On 3/15/2024 11:30 AM, Christian Göttsche wrote:
> On Fri, 15 Mar 2024 at 19:22, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>> On 3/15/2024 11:08 AM, Christian Göttsche wrote:
>>> Add a new hook guarding instantiations of programs with executable
>>> stack. They are being warned about since commit 47a2ebb7f505 ("execve:
>>> warn if process starts with executable stack"). Let's give LSMs the
>>> ability to control their presence on a per application basis.
>> This seems like a hideously expensive way to implement a flag
>> disallowing execution of programs with executable stacks. What's
>> wrong with adding a flag VM_NO_EXECUTABLE_STACK?
> That would be global and not on a per application basis.
> One might want to exempt known legacy programs.

OK, I can see that.

> Also is performance a concern for this today's rare occurrence?

Performance is *always* a concern. You're adding a new hook list for a "rare" case. You've extended SELinux policy to include the case. This really should be a hardening feature, not an SELinux policy feature. The hook makes no sense for an LSM like Smack, which only implements subject+object controls. You could implement a stand alone LSM that implements only this hook, but again, it's not really access control, it's hardening.
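The property the proposed hook would gate is whether a binary's PT_GNU_STACK program header requests an executable stack (the same thing the warning from commit 47a2ebb7f505 reports at execve). Before deciding on a global flag versus a per-application exemption list, an administrator usually wants an inventory of which installed binaries actually carry that request. The script below is an added example written for this note; it is not part of the thread, the patch, or any kernel code. It assumes little-endian ELF32/ELF64 images, and the `build_elf` helper fabricates minimal header-only images purely as constructed test data.

```python
"""Audit ELF files for the PT_GNU_STACK executable-stack request.

Added example for this thread (not kernel code): it reports whether a binary
asks for an executable stack, the property the discussed hook would gate.
"""
import struct
import sys
from typing import Iterable, List, Tuple

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack permission request
PF_X = 0x1                 # segment flag bit: executable

# (ELF header format, program header format, index of p_flags within a program header)
_LAYOUT = {
    1: ("<16sHHIIIIIHHHHHH", "<IIIIIIII", 6),  # ELFCLASS32: p_flags is the 7th field
    2: ("<16sHHIQQQIHHHHHH", "<IIQQQQQQ", 1),  # ELFCLASS64: p_flags follows p_type
}


def program_headers(data: bytes) -> List[Tuple[int, int]]:
    """Return (p_type, p_flags) for each program header of a little-endian ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elf_class, data_enc = data[4], data[5]
    if data_enc != 1:
        raise ValueError("only little-endian images are handled in this example")
    if elf_class not in _LAYOUT:
        raise ValueError("unknown ELF class %d" % elf_class)
    ehdr_fmt, phdr_fmt, flags_idx = _LAYOUT[elf_class]
    ehdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    headers = []
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        headers.append((fields[0], fields[flags_idx]))
    return headers


def stack_permission(data: bytes) -> str:
    """Classify the stack request: 'executable', 'non-executable' or 'missing'.

    'missing' means no PT_GNU_STACK header at all; the kernel then falls back to
    its per-architecture default, so such binaries deserve a manual look.
    """
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return "executable" if p_flags & PF_X else "non-executable"
    return "missing"


def scan(paths: Iterable[str]) -> dict:
    """Map each path to its classification (or an error string) without raising."""
    result = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                result[path] = stack_permission(fh.read())
        except (OSError, ValueError, struct.error) as exc:
            result[path] = "error: %s" % exc
    return result


def build_elf(elf_class: int, gnu_stack_flags) -> bytes:
    """Construct a minimal, non-runnable ELF image for testing (sample data, not a real binary).

    gnu_stack_flags=None omits PT_GNU_STACK entirely, otherwise one such header is emitted.
    """
    ehdr_fmt, phdr_fmt, _ = _LAYOUT[elf_class]
    ehdr_size, phdr_size = struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    if gnu_stack_flags is None:
        phdrs = b""
    elif elf_class == 2:
        phdrs = struct.pack(phdr_fmt, PT_GNU_STACK, gnu_stack_flags, 0, 0, 0, 0, 0, 16)
    else:
        phdrs = struct.pack(phdr_fmt, PT_GNU_STACK, 0, 0, 0, 0, 0, gnu_stack_flags, 16)
    ident = b"\x7fELF" + bytes([elf_class, 1, 1]) + bytes(9)  # class, little-endian, version 1
    ehdr = struct.pack(ehdr_fmt, ident, 2, 62 if elf_class == 2 else 3, 1,
                       0, ehdr_size, 0, 0, ehdr_size, phdr_size,
                       1 if phdrs else 0, 0, 0, 0)
    return ehdr + phdrs


if __name__ == "__main__":
    for path, verdict in scan(sys.argv[1:]).items():
        print("%-14s %s" % (verdict, path))
```

Run it as `python3 audit_stack.py /usr/bin/*` to list the binaries that would trip the execve warning; the "missing" verdict is the interesting edge case, since those binaries get whatever the architecture default is rather than an explicit request. Big-endian images are rejected rather than misread, so the tool fails closed on input it does not understand.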