On Tue, 2008-06-10 at 14:00 -0400, Eric Paris wrote:
> On Tue, Jun 10, 2008 at 1:49 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> > Java is known to require execmem for runtime code generation. There is
> > a java_t domain that you can look at as an example. I think they allow
> > it execstack too, although I'm not as clear as to why that is necessary,
> > possibly for the thread stack allocation.
> >
> > Thread stacks may be allocated with PROT_EXEC if the executable is
> > marked as requiring an executable stack or if it lacks the marking;
> > execstack should tell you the story there.
> >
> > If we can't give execmem w/o giving execstack too, then execstack isn't
> > useful as a separate permission.
>
> As I recall, which is always a dangerous thing for me to do, execstack
> needs execmem for multithreaded processes because the 'stack' of the
> second thread is just 'memory' from the point of view of the
> permission checks.

Yes, that one I understand and am ok with.

> execmem does not need execstack.....

That is theoretically true but I wasn't sure we had real working
examples of programs that only require the former and not the latter.

> java probably actually uses an executable stack which is why it needs both.....

--
Stephen Smalley
National Security Agency