Ard Biesheuvel writes: > This patch adds support for the PROT_FINAL flag to > the mmap() and mprotect() syscalls. > > The PROT_FINAL flag indicates that the requested set > of protection bits should be final, i.e., it shall > not be allowed for a subsequent mprotect call to > set protection bits that were not set already. > > This is mainly intended for the dynamic linker, > which sets up the address space on behalf of > dynamic binaries. By using this flag, it can > prevent exploited code from remapping read-only > executable code or data sections read-write.
I can see why you might think this is a good idea, but I don't like it for several reasons: - If .text is mapped non-writable and final, how would a debugger (or any ptrace-using monitor-like application) plant a large number of breakpoints in a target process? Breakpoint registers aren't enough because (a) they're few in number, and (b) not all CPUs have them. - You're proposing to give one component (the dynamic linker/ loader) absolute power to impose new policies on all applications. How would an application that _deliberately_ does something the new policies don't allow tell the dynamic linker or kernel to get out of its way? This clearly changes the de-facto ABIs, and as such I think it needs much more detailed analysis than what you've done here. At the very least I think this change should be opt-in, but that would require a kernel option or sysctl, or some config file for the user-space dynamic linker/loader. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/