On Wed, 2006-04-19 at 22:52 -0700, John Reiser wrote:
> I develop the Linux+ELF side of UPX, which compresses executable programs
> to save storage space and invocation time. Immediately after kernel
> execve() of a compressed program, a small decompressor reconstructs
> the original PT_LOADs directly into address space; then execution proceeds
> as usual. The decompression writes instructions which execute later,
> directly into pages with both PROT_WRITE and PROT_EXEC, so perhaps
> there should be a { denied } avc due to execmem when SELinux is in
> enforcing mode. Reading the explanation of execmem in
> http://people.redhat.com/drepper/selinux-mem.html
> supports this theory.
>
> However, under all released FC5 kernels including 2.6.16-1.2096_FC5,
> I see no execmem complaints. Strace of typical execution begins:

Hmmm...shouldn't.
# /usr/sbin/getsebool allow_execmem
(If on, /usr/sbin/setsebool allow_execmem=0, or run your test under a
confined domain.)
# cat /selinux/checkreqprot
# execstack -q /path/to/program
--
Stephen Smalley
National Security Agency
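
An added example, not part of the original message and not UPX code: a small C probe that requests the kind of memory discussed above (anonymous pages with both PROT_WRITE and PROT_EXEC) and reports whether the kernel granted it, so you can check whether execmem is enforced for the domain it runs in. The function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Ask for one anonymous page that is writable and executable at once.
 * Returns 0 if granted, otherwise the errno from mmap(). */
int probe_wx_mmap(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, len);
    return 0;
}

/* Map the page read/write first, then add PROT_EXEC with mprotect().
 * Returns 0 if the upgrade was granted, otherwise the errno. */
int probe_wx_mprotect(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int err = mprotect(p, len, PROT_READ | PROT_WRITE | PROT_EXEC) ? errno : 0;
    munmap(p, len);
    return err;
}

/* SELinux denials reach user space as EACCES; anything else is another failure. */
const char *verdict(int err)
{
    if (err == 0)
        return "allowed";
    return err == EACCES ? "denied" : "failed";
}

int main(void)
{
    int a = probe_wx_mmap(), b = probe_wx_mprotect();
    printf("mmap RWX:         %s (%s)\n", verdict(a), strerror(a));
    printf("mprotect RW->RWX: %s (%s)\n", verdict(b), strerror(b));
    return 0;
}
```

Run it once unconfined and once under the confined domain; in enforcing mode a "denied" result should coincide with an execmem avc message in the audit log.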