On Sat, 6 Jul 2019, Salvatore Mesoraca wrote: > Adding documentation for S.A.R.A. LSM. It would be good if you could add an operational overview to help people understand how it works in practice, e.g. setting policies for binaries via sara-xattr and global config via saractl (IIUC). It's difficult to understand if you have to visit several links to piece things together. > +S.A.R.A.'s Submodules > +===================== > + > +WX Protection > +------------- > +WX Protection aims to improve user-space programs security by applying: > + > +- `W^X enforcement`_ > +- `W!->X (once writable never executable) mprotect restriction`_ > +- `Executable MMAP prevention`_ > + > +All of the above features can be enabled or disabled both system wide > +or on a per executable basis through the use of configuration files managed by > +`saractl` [2]_. How complete is the WX protection provided by this module? How does it compare with other implementations (such as PaX's restricted mprotect). > +Parts of WX Protection are inspired by some of the features available in PaX. Some critical aspects are copied (e.g. trampoline emulation), so it's more than just inspired. Could you include more information in the description about what's been ported from PaX to SARA? -- James Morris <jmorris@xxxxxxxxx>
