Subject: Re: more on non-executable mappings vs. emulations
To: Christos Zoulas <email@example.com>
From: Emmanuel Dreyfus <firstname.lastname@example.org>
Date: 07/18/2004 21:56:29
>> I agree that we should not make kernels insecure by default in order
>> to please broken emulations. On the other hand, we should document
>> and explain why emulations break and provide a sysctl to let broken
>> emulated programs run until we supply the tools you mention above.
>> This sysctl should default to "off" and users should be strongly
>> cautioned against turning it "on".
> well, the tools will be much easier to write than the sysctl, so I'm only
> going to do the tools. I'd prefer that the sysctl thing never actually be
> done, since it opens a big can of worms.
On the other hand, the sysctl is the right fix. The patching program has
What if we want to run a binary from a R/O media? We can union mount
something on the top of it to use the modified binary, but it does not
sounds very appealing
What if we ever encounter a binary that checks its own sum?
What if we encounter a binary that really wants an executable stack (or
The latter problem is not specific to emulations and should probably be
addressed system-wide. After all, while it's a major security
improvement, no standard document said the stack and heap should be non
For that reasons, a sysctl in the proc subtree seems useful. Is it
really hard to implement? We could have a p_flag about non exeutable
mappings. In how many places we'd have to check for it?
Il y a 10 sortes de personnes dans le monde: ceux qui comprennent
le binaire et ceux qui ne le comprennent pas.