Subject: Re: mmap(), security and /dev/zero
To: None <tech-security@NetBSD.org, tech-kern@NetBSD.org>
From: Matt Thomas <matt@3am-software.com>
List: tech-kern
Date: 06/24/2004 10:00:14
On Jun 24, 2004, at 1:58 AM, Alan Barrett wrote:
> How does the following compromise sound?
>
>         shlibs must be in files that have "r" permission.
>         shlibs must be on file systems that honour "x" permission
>                 (that is, were not mounted with the noexec option).

Now that we have noexec permissions on pages (for some architectures),
make the mapping of vnode backed pages with PROT_EXEC only be allowed
on filesystems that were not mounted with noexec.  Otherwise,
mmap/uvm_map/mprotect will return EPERM for the mapping operation.

-- 
Matt Thomas                     email: matt@3am-software.com
3am Software Foundry              www: http://3am-software.com/bio/matt/
Cupertino, CA              disclaimer: I avow all knowledge of this 
message.