On 10/26/2016 04:31 PM, Topi Miettinen wrote:
> Hi,
>
> Maybe this is a stupid question and I didn't test this with SELinux, but
> it looks to me that SELinux execmem does not prevent process from
> getting writable and executable memory mappings by using shmat(...,
> SHM_EXEC). Shouldn't this be blocked by execmem, I suppose it is there
> to prevent this kind of memory access?
>
> Here's a test program:
> #include <sys/ipc.h>
> #include <sys/shm.h>
>
> int main(void) {
> 	int shmid;
> 	char *execmem;
> 	void (*fn)(void);
>
> 	shmid = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0777);
> 	execmem = shmat(shmid, 0, SHM_EXEC);
> 	shmctl(shmid, IPC_RMID, 0);
> 	*execmem = 0xc3; // retq
> 	fn = (void (*)(void))execmem;
> 	fn();
> 	shmdt(execmem);
> }
>
> -Topi
>

The test program fails with a seg fault and a SELinux avc denial for
execmem permission when run in a domain that lacks execmem permission.

Thanks though for the test; I'll add it to the selinux testsuite to
ensure we don't regress in this area.
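
A testsuite-style variant of the quoted program, added here as an example (not code from the original thread or from the selinux testsuite): it checks shmat()'s return value instead of writing to and calling the mapping, so a refusal is reported as a result rather than a crash. The names classify_shmat and probe_shm_exec are hypothetical, and it assumes a policy denial surfaces as shmat() returning (void *)-1 with errno EACCES or EPERM.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>

enum verdict { PROBE_ALLOWED, PROBE_DENIED, PROBE_ERROR };

/* Classify a shmat() result. Assumption (not stated in the thread): a policy
 * denial is reported as (void *)-1 with errno EACCES or EPERM. */
enum verdict classify_shmat(const void *addr, int err)
{
    if (addr != (void *)-1)
        return PROBE_ALLOWED;
    return (err == EACCES || err == EPERM) ? PROBE_DENIED : PROBE_ERROR;
}

/* Request a writable and executable SysV shm mapping, as the quoted program
 * does, but never write to it or jump into it. */
enum verdict probe_shm_exec(void)
{
    /* 0700: SHM_EXEC needs execute permission on the segment itself, so a
     * 0600 segment would fail with EACCES for a reason unrelated to policy. */
    int shmid = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0700);
    if (shmid < 0)
        return PROBE_ERROR;

    errno = 0;
    void *addr = shmat(shmid, NULL, SHM_EXEC);
    int err = errno;
    enum verdict v = classify_shmat(addr, err);

    shmctl(shmid, IPC_RMID, NULL);  /* segment is destroyed after last detach */
    if (v == PROBE_ALLOWED)
        shmdt(addr);
    return v;
}

int main(void)
{
    static const char *names[] = { "allowed", "denied", "error" };
    enum verdict v = probe_shm_exec();
    printf("shmat(SHM_EXEC) writable+executable mapping: %s\n", names[v]);
    /* Exit 0 only when the mapping was refused, as expected in a domain
     * that lacks execmem. */
    return v == PROBE_DENIED ? 0 : 1;
}
```

Run it once in a domain without execmem (expected: denied, exit 0) and once in a domain that has it (expected: allowed, exit 1) to confirm the check is actually exercised.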