2010/7/12 Török Edwin <edwintorok@xxxxxxxxx>:
> [*]
> I have some plans to make the JIT work without RWX, since ClamAV has 2
> phases:
> - load DB, JIT compile bytecode (should use only RW- mapping, but
> currently needs RWX)
> - execute (JIT compiled) bytecode (should change mapping to be R-X)

Just so you know that is going to require the same permissions.
(Hopefully) The only way to get around the SELinux permissions is to
have 2 separate mappings. Basically in really really rough pseudo-code,

  file = open(filename, RWX);
  unlink(file);
  truncate(file, however big you need);
  exec_area = mmap(PROT_EXEC, file);
  write_area = mmap(PROT_WRITE, file);

then do all of the writing to write_area and all of the executing in
exec_area.

http://people.redhat.com/drepper/selinux-mem.html

Simply using mremap to change a mapping from PROT_WRITE to PROT_EXEC
will cause the same problems as just doing it at the same time.

-Eric
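
The two-mapping scheme sketched in the message above, written out as an added C example (not code from the thread or from ClamAV). The `/tmp` template path and the `dual_map_*` names are assumptions; the example only checks that bytes written through the RW- view show up in the R-X view and does not execute them.

```c
#define _DEFAULT_SOURCE 1
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Two views of one unlinked temp file; no mapping is ever W and X at once. */
struct dual_map {
    void  *rw;   /* RW- view: the JIT emitter writes here */
    void  *rx;   /* R-X view: generated code is executed from here */
    size_t len;
};

/* Returns 0 on success, -1 if the file or either mapping cannot be created. */
int dual_map_create(struct dual_map *m, size_t len)
{
    char path[] = "/tmp/jitmap-XXXXXX";  /* assumed path; fails if mounted noexec */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                        /* no name left on disk */
    if (ftruncate(fd, (off_t)len) < 0) {
        close(fd);
        return -1;
    }
    /* MAP_SHARED is required: MAP_PRIVATE views would not see each other's writes. */
    m->rw = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    m->rx = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    close(fd);                           /* the mappings keep the file alive */
    if (m->rw == MAP_FAILED || m->rx == MAP_FAILED) {
        if (m->rw != MAP_FAILED) munmap(m->rw, len);
        if (m->rx != MAP_FAILED) munmap(m->rx, len);
        return -1;
    }
    m->len = len;
    return 0;
}

/* Write through the RW- view; returns 1 if the R-X view then holds the same bytes. */
int dual_map_emit(struct dual_map *m, const void *code, size_t n)
{
    if (n > m->len) return 0;            /* refuse to write past the mapping */
    memcpy(m->rw, code, n);
    return memcmp(m->rx, code, n) == 0;
}

void dual_map_destroy(struct dual_map *m)
{
    munmap(m->rw, m->len);
    munmap(m->rx, m->len);
}
```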