> For dynamic binaries, valid regions are ld.so's text segment, the signal > trampoline, and libc.so's text segment... AND the main program's text. > > Unfortunately our current go build model hasn't followed solaris/macos > approach yet of calling libc stubs, and uses the inappropriate "embed > system calls directly" method, so for now we'll need to authorize the main > program text as well. A comment in exec_elf.c explains this. > > If go is adapted to call library-based system call stubs on OpenBSD as > well, this problem will go away. There may be other environments creating > raw system calls. I guess we'll need to find them as time goes by, and > hope in time we can repair those also.
Or you could use an ELF note to flag binaries allowed to issue syscalls from their text section: only static binaries (including ld.so) and go binaries would need them.