Should mprotect(..., PROT_EXEC) be checked by IMA?

Jordan Glover Golden_Miller83 at protonmail.ch
Fri Mar 29 11:51:41 UTC 2019


On Friday, March 29, 2019 10:59 AM, Mimi Zohar <zohar at linux.ibm.com> wrote:

> [Cc'ing the LSM mailing list and others]
>
> On Fri, 2019-03-29 at 13:00 +0300, Igor Zhbanov wrote:
>
> > Hi Mimi,
> >
> > On 28.03.2019 20:17, Mimi Zohar wrote:
>
> > > I just came across the grsecurity article on mprotect.[1]
> > > Has anyone looked at it? Would it make sense to make it a minor LSM?
> > > [1] https://pax.grsecurity.net/docs/mprotect.txt
> >
> > Interesting article. It is almost exactly what I wanted to be implemented.
> > If this minor LSM would be stackable to allow combining with e.g. SELinux
> > then why not.
>
> Stacking shouldn't be a problem.  Other LSMs are already on the
> mprotect hook.  Let's hear what others think.
>
> Mimi

There is already a minor LSM in progress: https://sara.smeso.it/en/latest/

Jordan


