On Wed, Jan 18, 2012 at 7:04 AM, Eric Paris <eparis@xxxxxxxxxx> wrote:
>
> Gratuitous SELinux for the win e-mail! (Feel free to delete now) We
> typically, for all confined domains, do not allow mapping anonymous
> memory both W and X. Actually you can't even map it W and then map it
> X...

That doesn't help. Anonymous memory is the *one* kind of mapping that
this cannot happen for - because then you have the same page mapped only
at one particular virtual address (and all modern x86's are entirely
coherent in the pipeline for that case, afaik).

> Now if there is a file which you have both W and X SELinux permissions
> (which is rare, but not impossible) you could map it in two places. So
> we can (and do) build SELinux sandboxes which address this.

So the cases that matter are file-backed and various shared memory setups.

Linus