[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: how does execstack work?

From: Stephen Smalley <sds tycho nsa gov>
To: Sebastian Pfaff <sebastian pfaff gmail com>
Cc: fedora-selinux-list redhat com
Subject: Re: how does execstack work?
Date: Tue, 17 Mar 2009 13:28:57 -0400

On Tue, 2009-03-17 at 17:49 +0100, Sebastian Pfaff wrote:
> Does SELinux prevent exectution on the stack? If yes, how can i see  
> this. It would also be helpful, when i had an example which shows me a  
> denial of execstack (searching the log gave no results here). Or is  
> something wrong with my example?
> I suppose, i have an wrong understanding adout how SELinux execstack  
> works. Please help to clarify this.

The SELinux execstack check only comes into play if the process calls
mprotect(...PROT_EXEC...) on the stack.  It is just a policy control
over the ability of the process to mark its stack executable.  If the
program was marked as requiring an executable stack, then that won't
ever happen - the kernel will set it up accordingly from the beginning.

http://people.redhat.com/drepper/selinux-mem.html

-- 
Stephen Smalley
National Security Agency

References:
- how does execstack work?
  - From: Sebastian Pfaff

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]