Eric Paris wrote:
> On Tue, Jun 10, 2008 at 1:49 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
>> Java is known to require execmem for runtime code generation. There is
>> a java_t domain that you can look at as an example. I think they allow
>> it execstack too, although I'm not as clear as to why that is necessary,
>> possibly for the thread stack allocation.
>>
>> Thread stacks may be allocated with PROT_EXEC if the executable is
>> marked as requiring an executable stack or if it lacks the marking;
>> execstack should tell you the story there.
>>
>> If we can't give execmem w/o giving execstack too, then execstack isn't
>> useful as a separate permission.
>
> As I recall, which is always a dangerous thing for me to do, execstack
> needs execmem for multithreaded processes because the 'stack' of the
> second thread is just 'memory' from the point of view of the
> permission checks.
>
> execmem does not need execstack.....
>
> java probably actually uses an executable stack which is why it needs both.....

I believe it was only one of the java implementations that needed execstack. The others did not, but it was easier to just allow it for all.