From: Stas Sergeev <stsp@aknet.ru>
To: Arjan van de Ven <arjan@infradead.org>
Cc: Linux kernel <linux-kernel@vger.kernel.org>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Hugh Dickins <hugh@veritas.com>,
Ulrich Drepper <drepper@redhat.com>,
Valdis.Kletnieks@vt.edu
Subject: Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps
Date: Tue, 03 Oct 2006 21:15:05 +0400 [thread overview]
Message-ID: <45229A99.6060703@aknet.ru> (raw)
In-Reply-To: <1159887682.2891.537.camel@laptopd505.fenrus.org>
Hello.
Arjan van de Ven wrote:
> no what bothers me that on the one hand you want no execute from the
> partition, and AT THE SAME TIME want stuff to execute from there (being
> libraries or binaries, same thing to me).
The original problem came from "noexec" on /dev/shm
mount. There is no library and no binary there, but
the programs do shm_open(), ftruncate() and
mmap(MAP_SHARED, PROT_EXEC) to get some shared memory
with an exec perm. That fails.
> That duality feels strange to me,
IMHO there should be some policy that can be achieved.
If the policy is: "noexec should fail execve()", then
this can be achieved, and that's what it was in the past.
What is the policy now? The things like a possibility
to mprotect() that memory to PROT_EXEC, or in case of a
MAP_PRIVATE, to simply use MAP_ANONYMOUS then read(),
suggests that there is no strict policy at all any more.
> I could understand if you wanted noexec to be MORE strict; I fail to
> understand why you want it LESS strict!
My point is that it is neither more not less strict with
such a change. If the workaround is trivial anyway
(either mprotect or use MAP_ANONYMOUS and read()), then
there is no point in such a strictness. On the other
hand, the programs break.
What was pointed out by Hugh is that the current behaveour
is needed to solve one particular problem, which is when
the user invokes ld.so directly and you want it to fail on
a noexec partition. I accept that argument, but I have to
add that the mmap change doesn't solve the similar problem
when the user uses ld.so directly to execute the binaries
he doesn't have an exec permissions for.
So I think another solution is needed: the one, preferrably,
not breaking an existing apps; solving both of the above
problems, not just one of them; allowing an admin to control
that behaveour in a convenient way.
My idea is to execute the loader with the fsuid=0. Then you
can do simply "chmod 'go-x' ld.so", and the problem solved.
I'd like any opinions on that idea, although nothing positive
is expected at that point. :)
> What breaks?
You missed the beginning of the discussion, but briefly:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=386945
... breaks UML and dosemu.
Also I speculate that it makes Wine slower causing it to
fallback to read() if the windows partition is mounted with
"noexec" (which I think is/was common). In that case people
will never figure out why Wine suddenly became slower and
more memory-consuming than before.
next prev parent reply other threads:[~2006-10-03 17:13 UTC|newest]
Thread overview: 97+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-23 10:30 [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps Stas Sergeev
2006-09-23 15:16 ` Hugh Dickins
2006-09-23 15:36 ` Ulrich Drepper
2006-09-23 15:47 ` Stas Sergeev
2006-09-25 1:12 ` Valdis.Kletnieks
2006-09-25 4:35 ` Stas Sergeev
2006-09-23 15:42 ` Stas Sergeev
2006-09-23 16:04 ` Hugh Dickins
2006-09-23 16:38 ` Stas Sergeev
2006-09-23 18:58 ` Alan Cox
2006-09-24 6:55 ` Stas Sergeev
2006-09-24 9:17 ` Hugh Dickins
2006-09-24 10:00 ` Stas Sergeev
2006-09-24 13:53 ` Alan Cox
2006-09-24 14:54 ` Stas Sergeev
2006-09-24 15:48 ` Ulrich Drepper
2006-09-24 16:31 ` Stas Sergeev
2006-09-24 16:49 ` Ulrich Drepper
2006-09-24 17:04 ` Stas Sergeev
2006-09-24 18:09 ` Stas Sergeev
2006-09-24 19:14 ` David Wagner
2006-09-24 19:37 ` Kyle Moffett
2006-09-24 22:49 ` David Wagner
2006-09-25 10:53 ` Pavel Machek
2006-09-25 21:36 ` David Wagner
2006-09-27 11:51 ` Pavel Machek
2006-09-24 20:06 ` Denis Vlasenko
2006-09-24 20:22 ` Stas Sergeev
2006-09-24 23:04 ` David Wagner
2006-09-26 19:46 ` Stas Sergeev
2006-09-27 22:33 ` Arjan van de Ven
2006-09-27 23:10 ` David Wagner
2006-09-27 23:38 ` Jesper Juhl
2006-09-29 1:14 ` David Wagner
2006-09-28 4:52 ` Stas Sergeev
2006-09-30 9:42 ` Stas Sergeev
2006-10-03 15:01 ` Arjan van de Ven
2006-10-03 17:15 ` Stas Sergeev [this message]
2006-10-03 17:23 ` Ulrich Drepper
2006-10-03 18:06 ` Stas Sergeev
2006-10-03 19:19 ` Ulrich Drepper
2006-10-03 19:40 ` Stas Sergeev
2006-10-03 19:54 ` Arjan van de Ven
2006-10-04 19:36 ` Stas Sergeev
2006-10-04 21:31 ` David Wagner
2006-10-04 3:11 ` David Wagner
2006-10-04 3:51 ` Ulrich Drepper
2006-10-04 4:21 ` David Wagner
2006-10-04 6:03 ` Kyle Moffett
2006-10-04 17:30 ` Ulrich Drepper
2006-10-03 18:23 ` Arjan van de Ven
2006-10-03 18:40 ` Stas Sergeev
2006-10-03 18:42 ` Arjan van de Ven
2006-10-03 19:07 ` Stas Sergeev
2006-10-03 21:00 ` Jakub Jelinek
2006-10-04 19:06 ` Stas Sergeev
2006-10-06 18:09 ` [patch] honour MNT_NOEXEC for access() Stas Sergeev
2006-10-06 21:34 ` Alan Cox
2006-10-06 21:17 ` Ulrich Drepper
2006-10-07 11:19 ` Stas Sergeev
2006-10-07 15:00 ` David Wagner
2006-10-07 16:31 ` Ulrich Drepper
2006-10-07 19:14 ` Stas Sergeev
2006-10-07 19:36 ` David Wagner
2006-10-08 8:32 ` Arjan van de Ven
2006-10-08 9:11 ` Stas Sergeev
2006-10-08 10:55 ` Arjan van de Ven
2006-10-08 13:46 ` Stas Sergeev
2006-10-09 2:09 ` Horst H. von Brand
2006-10-09 4:40 ` Stas Sergeev
2006-10-07 13:18 ` Stas Sergeev
2006-10-08 0:30 ` Jeremy Fitzhardinge
2006-10-08 9:10 ` Stas Sergeev
2006-10-08 9:56 ` Jeremy Fitzhardinge
2006-10-08 10:36 ` Stas Sergeev
2006-10-08 10:39 ` Jesper Juhl
2006-10-08 13:22 ` Stas Sergeev
2006-10-06 22:26 ` Jesper Juhl
2006-10-04 19:30 ` [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps Stas Sergeev
2006-10-04 3:20 ` David Wagner
2006-10-04 3:17 ` David Wagner
2006-10-04 13:41 ` Jeff Dike
2006-10-04 18:02 ` Jesper Juhl
2006-10-04 19:48 ` Stas Sergeev
2006-09-27 19:16 ` [patch] remove MNT_NOEXEC check for PROT_EXEC MAP_PRIVATE mmaps Stas Sergeev
2006-09-27 20:05 ` Hugh Dickins
2006-09-28 4:33 ` Stas Sergeev
2006-09-28 16:42 ` Hugh Dickins
2006-09-29 1:41 ` David Wagner
2006-09-29 20:50 ` Arjan van de Ven
2006-09-29 16:54 ` Stas Sergeev
2006-09-24 19:59 ` [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps Alan Cox
2006-09-24 20:07 ` Stas Sergeev
2006-09-24 0:53 ` Arjan van de Ven
2006-09-25 17:17 ` Stas Sergeev
2006-09-25 17:43 ` Stas Sergeev
2006-09-25 20:12 ` David Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45229A99.6060703@aknet.ru \
--to=stsp@aknet.ru \
--cc=Valdis.Kletnieks@vt.edu \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=arjan@infradead.org \
--cc=drepper@redhat.com \
--cc=hugh@veritas.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.