Re: MDWE does not prevent read-only, executable, shared memory regions from being updated by backing file writes

alip writes via Kernel.org Bugzilla:

Note, this is trivial to mitigate with a seccomp-bpf filter.
Sample code in Rust. Given "ctx" is a seccomp filter context:

use libseccomp::{scmp_cmp, ScmpAction, ScmpFilterContext, ScmpSyscall};
// libseccomp compares u64 arguments, so widen the libc constants.
const PROT_EXEC: u64 = libc::PROT_EXEC as u64;
const MAP_SHARED: u64 = libc::MAP_SHARED as u64;
// "ctx": a default-allow filter; the rule below adds the kill case.
let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?;
// Prevent executable shared memory.
ctx.add_rule_conditional(
    ScmpAction::KillProcess,
    ScmpSyscall::new("mmap"), // same applies for mmap2.
    &[scmp_cmp!($arg2 & PROT_EXEC == PROT_EXEC),
      scmp_cmp!($arg3 & MAP_SHARED == MAP_SHARED)],
)?;
ctx.load()?; // install the filter into the calling process

This is what syd[1] has done since version 3.15.1.

[1]: https://man.exherbolinux.org/syd.7.html#Advanced_Memory_Protection_Mechanisms

View: https://bugzilla.kernel.org/show_bug.cgi?id=219227#c2
You can reply to this message to join the discussion.
-- 
Deet-doot-dot, I am a bot.
Kernel.org Bugzilla (bugspray 0.1-dev)
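The same rule as the libseccomp snippet in the comment above, written out as a raw seccomp-bpf program in C. This is an added example (mine, not code from the bug report, from syd, or from libseccomp) and it assumes an x86_64 or aarch64 Linux target, where the ABI is little-endian so the low 32 bits of each 64-bit syscall argument sit at offset 0 of the `args[]` slot. The function names `decide`, `mmap_call_killed`, `run_filter` and `install_filter` are my own. The small classic-BPF interpreter lets the filter's decisions be checked offline, before anything is installed into a live process.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumption: x86_64 or aarch64 (both little-endian). */
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this target"
#endif

/* Offsets into struct seccomp_data. args[] are u64; on the little-endian
 * targets above the low 32 bits (where prot/flags live) are at +0. */
#define SD_ARCH      offsetof(struct seccomp_data, arch)
#define SD_NR        offsetof(struct seccomp_data, nr)
#define SD_ARG_LO(i) (offsetof(struct seccomp_data, args) + 8 * (i))

/* Kill on mmap() whose prot has PROT_EXEC and whose flags have MAP_SHARED.
 * Jumps are relative: instruction i continues at i + 1 + jt (true) or
 * i + 1 + jf (false). An ABI with mmap2 would need a second JEQ after
 * the mmap one. */
static struct sock_filter prog[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARCH),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 0, 6),   /* foreign ABI -> kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_NR),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mmap, 0, 5),   /* not mmap -> allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARG_LO(2)),       /* prot */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 0, 3),  /* no PROT_EXEC -> allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARG_LO(3)),       /* flags */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, MAP_SHARED, 0, 1), /* MAP_SHARED -> kill */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define PROG_LEN (sizeof prog / sizeof prog[0])

/* Interpreter for the classic-BPF subset used above (LD|W|ABS, JEQ, JSET,
 * RET, all with K operands), so the filter can be checked without
 * installing it. Unknown opcodes and running off the end fail closed. */
static uint32_t run_filter(const struct seccomp_data *d)
{
    const unsigned char *raw = (const unsigned char *)d;
    uint32_t acc = 0;
    for (size_t pc = 0; pc < PROG_LEN; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:   memcpy(&acc, raw + in->k, sizeof acc); break;
        case BPF_JMP | BPF_JEQ | BPF_K:  pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += (acc & in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K:            return in->k;
        default:                         return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Decision the filter takes for one call with the given arch, syscall
 * number and the mmap prot/flags arguments (args[2] / args[3]). */
uint32_t decide(uint32_t arch, int nr, uint64_t prot, uint64_t flags)
{
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { 0, 0, prot, flags } };
    return run_filter(&d);
}

/* 1 if mmap(prot, flags) on this ABI would be killed, 0 if allowed. */
int mmap_call_killed(uint64_t prot, uint64_t flags)
{
    return decide(THIS_ARCH, __NR_mmap, prot, flags) == SECCOMP_RET_KILL_PROCESS;
}

/* Install the filter in the calling process; it cannot be removed again. */
int install_filter(void)
{
    struct sock_fprog fprog = { .len = (unsigned short)PROG_LEN, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    printf("exec+shared : %s\n", mmap_call_killed(PROT_READ | PROT_EXEC, MAP_SHARED) ? "kill" : "allow");
    printf("exec+private: %s\n", mmap_call_killed(PROT_READ | PROT_EXEC, MAP_PRIVATE) ? "kill" : "allow");
    return 0;
}
```

The rule refuses every shared executable mapping up front, which is why it closes the case in the subject line: a region mapped read-only and executable can still change underneath the process when its backing file is written, and a check on the requested protections alone does not see that. The cost is that the rule is coarse, so before deploying it confirm the workload has no legitimate need for PROT_EXEC with MAP_SHARED. PR_SET_NO_NEW_PRIVS is required for an unprivileged process to install a filter, and a filter installed with SECCOMP_RET_KILL_PROCESS stays for the life of the process and all of its children.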