Subject: Re: mmap(), security and /dev/zero
To: Bill Studenmund <wrstuden@NetBSD.org>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 06/25/2004 08:41:31
On Thu, Jun 24, 2004 at 12:19:51PM -0700, Bill Studenmund wrote:
>On Thu, Jun 24, 2004 at 10:58:54AM +0200, Alan Barrett wrote:
>> How does the following compromise sound?
>>
>> shlibs must be in files that have "r" permission.
>> shlibs must be on file systems that honour "x" permission
>> (that is, were not mounted with the noexec option).
>
>I think that sounds quite reasonable. And I don't think it'd be too hard
>to implement.
i think this is the already case, given:
(1) you must be able to read a file to open it, which you must do
in order to mmap it
(2) this code from src/sys/uvm:uvm_mmap()
/*
* Don't allow mmap for EXEC if the file system
* is mounted NOEXEC.
*/
if ((prot & PROT_EXEC) != 0 &&
(vp->v_mount->mnt_flag & MNT_NOEXEC) != 0)
return (EACCES);
(3) this code from src/sys/uvm/uvm_map.c:uvm_map_protect()
/*
* Don't allow VM_PROT_EXECUTE to be set on entries that
* point to vnodes that are associated with a NOEXEC file
* system.
*/
if (UVM_ET_ISOBJ(current) &&
UVM_OBJ_IS_VNODE(current->object.uvm_obj)) {
struct vnode *vp =
(struct vnode *) current->object.uvm_obj;
if ((new_prot & VM_PROT_EXECUTE) != 0 &&
(vp->v_mount->mnt_flag & MNT_NOEXEC) != 0) {
error = EACCES;
goto out;
}
}
the only thing that's *not* covered, afaict, is filesystems that get
remounted (ie, mount -u) with/without noexec. the transition between
those two states doesn't affect anything that's already got executable
mappings.
--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah! i see you have the internet
twofsonet@graffiti.com (Andrew Brown) that goes *ping*!"
werdna@squooshy.com * "information is power -- share the wealth."