On Tue, 2012-01-17 at 22:25 -0800, Linus Torvalds wrote: > Of course, limiting things so that you cannot map the same page > executably *and* writably is one solution - and a good idea regardless > - so secure environments can still exist. But even then you could have > races in a multi-threaded environment (they'd just be *much* harder to > trigger for an attacker). Gratuitous SELinux for the win e-mail! (Feel free to delete now) We typically, for all confined domains, do not allow mapping anonymous memory both W and X. Actually you can't even map it W and then map it X... Now if there is file which you have both W and X SELinux permissions (which is rare, but not impossible) you could map it in two places. So we can (and do) build SELinux sandboxes which address this. -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
