From: Lorenzo Hernandez Garcia-Hierro <lorenzohgh@gmail.com>
To: Erich Schubert <erich@debian.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
	Manoj Srivastava <manoj.srivastava@stdc.com>,
	Russell Coker <russell@coker.com.au>,
	SELinux@tycho.nsa.gov
Subject: Re: Threaded applications and "execmem" privilege
Date: Mon, 28 Nov 2005 16:04:44 +0000
Message-ID: <1133193884.13305.26.camel@localhost>
In-Reply-To: <1133191110.5276.17.camel@wintermute.xmldesign.de>


On Mon, 28-11-2005 at 16:18 +0100, Erich Schubert wrote:
> Okay, that probably means that most apps (maybe not java and x.org, but
> I don't have these on my selinux boxes anyway) should work just fine.
> And others probably too, since IIRC i386 doesn't enforce that anyway...
> But I'll switch to the patch you posted.

In IA32 PROT_READ implies PROT_EXEC, but "separation" can be enforced:
 http://pearls.tuxedo-es.org/papers/linuxsec-lsm2005/img61.jpg
 http://pearls.tuxedo-es.org/papers/linuxsec-lsm2005/img50.jpg

> Some more information on the issue:
> http://wiki.debian-hardened.org/SSP/ProPolice_Implementations

Please note that that information is obsolete (Hardened Debian used libssp
for the ProPolice implementation, although SSP got merged into gcc-4.1
later). Take it as an experiment, and a reliable way of introducing
changes in the SSP code without recompiling everything, just libssp.

Some people are switching to Gentoo (Hardened) due to the problems
caused by some changes introduced in Debian's libc. Some vserver and
grsec users. What's the status now? Is it going to be worked out?

BTW, I would like to help out with anything regarding SELinux deployment
in Debian. I'm trying to work out stuff for Ubuntu Linux, but if it gets
into Debian first, then the Ubuntu guys will sync, avoiding duplication
of effort.

Cheers,
-- 
Lorenzo Hernández García-Hierro <lorenzo@gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
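The point above, that on IA32 a readable mapping is implicitly executable unless the kernel enforces separation, can be checked directly on the machine at hand. The following is an added example, not code from the thread or from any of its participants; it is a paxtest-style probe I wrote for this page. It maps an anonymous page writable, stores a single architecture-specific "return" instruction (a constructed byte sequence), switches the page to the protection under test with mprotect (the anonymous-memory transition SELinux mediates with the execmem permission), and executes it in a forked child so that a fault does not take down the probe itself. The function name mapping_executes is my own.

```c
/* Added example: probe whether a page with a given protection can be
 * executed on the running kernel. Not part of the original mail. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* A single "return" instruction for the build architecture (constructed). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_INSN[] = { 0xC3 };
#elif defined(__aarch64__)
static const unsigned char RET_INSN[] = { 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "unsupported architecture for this probe"
#endif

/* Returns 1 if a page mapped with `prot` can be executed, 0 if the kernel
 * faults the attempt (read/exec separation is enforced), and -1 if the
 * kernel refused to set up the mapping at all (for example an SELinux
 * execmem denial on the mprotect call). */
int mapping_executes(int prot)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);

    /* Start writable so the instruction can be stored, as a JIT would. */
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, RET_INSN, sizeof RET_INSN);
    __builtin___clear_cache((char *)page, (char *)page + sizeof RET_INSN);

    /* Switch to the protection under test. For anonymous memory this is
     * the transition SELinux checks against the execmem permission. */
    if (mprotect(page, pagesz, prot) != 0) {
        munmap(page, pagesz);
        return -1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        munmap(page, pagesz);
        return -1;
    }
    if (pid == 0) {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* object pointer -> function pointer */
        fn();                            /* SIGSEGV here if not executable */
        _exit(0);
    }

    int status = 0;
    waitpid(pid, &status, 0);
    int result = (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
    munmap(page, pagesz);
    return result;
}

int main(void)
{
    printf("PROT_READ only      : %d\n", mapping_executes(PROT_READ));
    printf("PROT_READ|PROT_EXEC : %d\n", mapping_executes(PROT_READ | PROT_EXEC));
    return 0;
}
```

On a kernel that enforces separation (NX-capable x86-64, or IA32 with PaX-style enforcement), the PROT_READ probe reports 0; on plain IA32 without such enforcement it reports 1, which is exactly the "PROT_READ implies PROT_EXEC" behaviour the mail describes. A -1 on the PROT_READ|PROT_EXEC probe under an enforcing SELinux policy is what an execmem denial looks like from the application's side.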

