On Mon, 2019-03-18 at 18:18 +0300, Igor Zhbanov wrote:
> Hello!
>
> I've found that IMA checks for executable mmap()s but not for the combination
> of mmap(..., PROT_READ, ...) + mprotect(..., PROT_EXEC).
>
> So it looks like it is possible to load arbitrary executable code by rewriting
> the dlopen() and dlsym() functions to map all ELF segments read-only first, then
> making them executable with mprotect().
>
> So should security_file_mprotect() be changed similarly
> to security_mmap_file() to call the IMA security hook?

How? security_mmap_file() is passed a file descriptor, and the signature, stored as an xattr, can be verified.

Mimi