Subject: Re: mmap(), security and /dev/zero
To: None <,>
From: Matt Thomas <>
List: tech-security
Date: 06/24/2004 10:00:14
On Jun 24, 2004, at 1:58 AM, Alan Barrett wrote:
> How does the following compromise sound?
>         shlibs must be in files that have "r" permission.
>         shlibs must be on file systems that honour "x" permission
>                 (that is, were not mounted with the noexec option).

Now that we have noexec permissions on pages (for some architectures),
make the mapping of vnode backed pages with PROT_EXEC only be allowed
on filesystems that were not mounted with noexec.  Otherwise,
mmap/uvm_map/mprotect will return EPERM for the mapping operation.

Matt Thomas                     email:
3am Software Foundry              www:
Cupertino, CA              disclaimer: I avow all knowledge of this