[PATCH v5 01/12] S.A.R.A.: add documentation
James Morris
jmorris at namei.org
Sat Jul 13 00:14:41 UTC 2019
On Sat, 6 Jul 2019, Salvatore Mesoraca wrote:
> Adding documentation for S.A.R.A. LSM.
It would be good if you could add an operational overview to help people
understand how it works in practice, e.g. setting policies for binaries
via sara-xattr and global config via saractl (IIUC). It's difficult to
understand if you have to visit several links to piece things together.
> +S.A.R.A.'s Submodules
> +=====================
> +
> +WX Protection
> +-------------
> +WX Protection aims to improve user-space programs security by applying:
> +
> +- `W^X enforcement`_
> +- `W!->X (once writable never executable) mprotect restriction`_
> +- `Executable MMAP prevention`_
> +
> +All of the above features can be enabled or disabled both system wide
> +or on a per executable basis through the use of configuration files managed by
> +`saractl` [2]_.
How complete is the WX protection provided by this module? How does it
compare with other implementations (such as PaX's restricted mprotect).
> +Parts of WX Protection are inspired by some of the features available in PaX.
Some critical aspects are copied (e.g. trampoline emulation), so it's
more than just inspired. Could you include more information in the
description about what's been ported from PaX to SARA?
--
James Morris
<jmorris at namei.org>
More information about the Linux-security-module-archive
mailing list