[Cc'ing Kees]

On Fri, 2019-03-22 at 10:59 +0300, Igor Zhbanov wrote:
> On 21.03.2019 21:04, Matthew Garrett wrote:
> > On Thu, Mar 21, 2019 at 4:48 AM Igor Zhbanov <i.zhbanov@xxxxxxxxxxxx> wrote:
> >> Along with disabling creating anonymous executable pages at all since
> >> it is hardly needed for the system services for normal work.
> >
> > Is this true? Do no JIT compilers behave this way?
>
> Well, besides JIT I've scanned all /proc/PID/maps of my web-server and didn't
> find any process with mapped anonymous executable pages.
>
> As for JIT I suppose we could use prctl or something else to allow having
> anonymous executable pages.
>
> I'm pondering about some system-wide (or process subtree-wide) default
> setting controlling whether it is allowed to have anonymous pages by default,
> and then some mechanism to turn it on/off on a per-process basis. Perhaps
> with some locking preventing re-enabling after it was dropped.
>
> And what do you think about it?

I just came across the grsecurity article on mprotect.[1] Has anyone looked
at it? Would it make sense to make it a minor LSM?

Mimi

[1] https://pax.grsecurity.net/docs/mprotect.txt
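The /proc/PID/maps scan Igor describes above, written out as an added example; this is not code from the thread or from any of its participants, and the sample maps text embedded in it is constructed, not a capture from a real host. It classifies a mapping as anonymous when it has device 00:00 and inode 0 (plain mmap(MAP_ANONYMOUS), [heap], [stack]), skips the kernel-provided [vdso]/[vsyscall] pages, and separately flags anonymous mappings that are writable as well as executable, which is what a JIT code cache normally looks like.

```c
/* anonexec.c: list anonymous executable mappings from /proc/PID/maps.
 * Added example for this thread; not code from any of its participants.
 * Usage: ./anonexec [pid]   (defaults to "self")
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mapping {
    unsigned long start, end, offset, inode;
    char perms[5];      /* e.g. "rwxp" */
    char dev[16];       /* "major:minor" */
    char path[256];     /* pathname, "[heap]", "[vdso]", ... or "" */
};

/* Parse one maps line. Returns 1 on success, 0 if the line is malformed. */
int parse_maps_line(const char *line, struct mapping *m)
{
    int consumed = 0;
    m->path[0] = '\0';
    if (sscanf(line, "%lx-%lx %4s %lx %15s %lu%n", &m->start, &m->end,
               m->perms, &m->offset, m->dev, &m->inode, &consumed) != 6)
        return 0;
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t len = strcspn(p, "\n");
    if (len >= sizeof m->path)
        len = sizeof m->path - 1;
    memcpy(m->path, p, len);
    m->path[len] = '\0';
    return 1;
}

/* Anonymous memory has no backing inode: device 00:00 and inode 0. A memfd-
 * or shmem-backed region shows a real device/inode and is NOT counted here. */
static int is_anonymous(const struct mapping *m)
{
    return m->inode == 0 && strcmp(m->dev, "00:00") == 0;
}

/* [vdso]/[vsyscall] are mapped by the kernel, not created by the process. */
static int is_kernel_provided(const struct mapping *m)
{
    return strcmp(m->path, "[vdso]") == 0 || strcmp(m->path, "[vsyscall]") == 0;
}

int is_anon_exec(const struct mapping *m)
{
    return m->perms[2] == 'x' && is_anonymous(m) && !is_kernel_provided(m);
}

/* Count anonymous executable mappings in a maps text. If wx is non-NULL it
 * receives the subset that is also writable (W^X violation, typical of a JIT
 * writing code into the page it will execute). */
int count_anon_exec(const char *maps_text, int *wx)
{
    int count = 0, writable = 0;
    char line[512];
    for (const char *p = maps_text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        struct mapping m;
        if (parse_maps_line(line, &m) && is_anon_exec(&m)) {
            count++;
            if (m.perms[1] == 'w')
                writable++;
        }
        p = nl ? nl + 1 : p + strlen(p);
    }
    if (wx)
        *wx = writable;
    return count;
}

int count_anon_wx(const char *maps_text)
{
    int wx = 0;
    count_anon_exec(maps_text, &wx);
    return wx;
}

/* Constructed sample in /proc/PID/maps format (not captured from a real host). */
const char SAMPLE_MAPS[] =
    "55d1c3e00000-55d1c3e1a000 r-xp 00000000 08:01 1234567 /usr/sbin/nginx\n"
    "55d1c5000000-55d1c5021000 rw-p 00000000 00:00 0 [heap]\n"
    "7f3c2a000000-7f3c2a021000 rwxp 00000000 00:00 0 \n"          /* JIT cache: anon, W+X */
    "7f3c2a021000-7f3c2a031000 r-xp 00000000 00:00 0 \n"          /* anon, exec, read-only */
    "7f3c2b000000-7f3c2b004000 r-xp 00000000 00:05 98765 /memfd:jit (deleted)\n"
    "7ffd0c9fe000-7ffd0ca1f000 rw-p 00000000 00:00 0 [stack]\n"
    "7ffd0cbf4000-7ffd0cbf6000 r-xp 00000000 00:00 0 [vdso]\n"
    "ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]\n";

int main(int argc, char **argv)
{
    char path[64], line[512];
    snprintf(path, sizeof path, "/proc/%s/maps", argc > 1 ? argv[1] : "self");
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 1; }
    while (fgets(line, sizeof line, f)) {
        struct mapping m;
        if (parse_maps_line(line, &m) && is_anon_exec(&m))
            printf("%lx-%lx %s %s%s\n", m.start, m.end, m.perms,
                   m.path[0] ? m.path : "(anonymous)",
                   m.perms[1] == 'w' ? "  <-- W+X" : "");
    }
    fclose(f);
    return 0;
}
```

On the sample text this reports two anonymous executable mappings, one of them W+X. Note what it deliberately does not report: the `/memfd:jit (deleted)` region is file-backed (tmpfs device and inode), so a policy keyed only on "anonymous" pages would not see a JIT that builds its code in a memfd and maps it executable. That is why the PaX MPROTECT design in the referenced mprotect.txt restricts more than anonymous mappings: it also refuses writable+executable file mappings and mprotect() transitions that make a non-executable mapping executable. Run it as `./anonexec` against itself or `./anonexec <pid>` against a service to repeat Igor's survey on one host.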