Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

document allow_execmem #381

Open
jmau111 opened this issue Jan 21, 2023 · 3 comments
Open

document allow_execmem #381

jmau111 opened this issue Jan 21, 2023 · 3 comments

Comments

@jmau111
Copy link

jmau111 commented Jan 21, 2023
edited
Loading

Hi,

I'm testing rules on a Debian.

Why do we have to allow execmem manually in some cases where apps need it (seems to happen frequently)?

avc:  denied  { execmem } for  pid=nnnn comm="...

I guess if it's not enabled by default, then it's probably not particularly safe or there are some issues related. Is that a good practice to allow it generally like sudo setsebool -P allow_execmem 1?

If it's not a good practice, can you indicate the right one?
@jmau111
Copy link
Author

jmau111 commented Apr 8, 2023

hi, anyone?

@williamcroberts
Copy link

It is documented:

execmem: "Make executable an anonymous mapping or private file mapping that is writable."

It's bad because it allows a write/execute code path. This really only useful for things that JIT IIRC. Sometimes it triggers because of bad file permissions, ie they open a file writeable but never actually write and the fix is changing the code not the policy.

@jmau111
Copy link
Author

jmau111 commented Apr 8, 2023

@williamcroberts thank you for the hint. How would you authorize processes to access memory safely?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jmau111 @williamcroberts