How can firefox (sometimes) make memory executable?

Dominick Grift domg472 at gmail.com
Sat Jun 18 20:54:41 UTC 2011



On Sat, 2011-06-18 at 22:47 +0200, Göran Uddeborg wrote:

> But both of these systems are x86_64 systems.

Strange, as I never noticed this issue on any of my x86_64 systems.

> More exactly, why doesn't x86_64 need execmem?  Firefox does
> apparently allocate memory that is both executable and writeable on
> x86_64 systems too.

Do not know, I was under the impression that it did not need it.

> > you can also set boolean allow_execmem to true I believe
> 
> Yes, that makes firefox runnable again.  But if possible I would
> prefer to have it turned off.  And it does work with it turned off on
> the fresh install, so I guess there is some way to do it.

It is possible to silently deny this access, but there are issues to take
into account, probably. Basically much of firefox gets run in the calling
user domain "on behalf of the user". Many other applications get run in
the calling user domain as well.

So if you would use "semodule -D .." to add a "dontaudit" rule to the
policy database (a rule that says deny this but do not audit the denial),
then you would potentially silently block other programs from
executing writable memory as well.

So you might get into a situation where some app refuses to run and you
would not find any traces of it in audit.log wrt SELinux blocking its
access to execmem.
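As an added example (not part of this thread), the following POSIX shell script scans audit.log-style AVC lines for execmem denials and tallies them per program and source domain, which is the check you would want before choosing between the allow_execmem boolean and a dontaudit rule on a domain that many programs share. The log lines, PIDs and contexts are constructed samples, not real captures.

```shell
#!/bin/sh
# Added example: count execmem AVC denials per comm/scontext pair so you can
# see which programs besides firefox would be silenced by a dontaudit rule
# in the shared user domain. Sample lines below are constructed.

AVC_SAMPLE=$(cat <<'EOF'
type=AVC msg=audit(1308430800.123:45): avc:  denied  { execmem } for  pid=1234 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1308430801.456:46): avc:  denied  { execmem } for  pid=1240 comm="plugin-containe" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1308430802.789:47): avc:  denied  { read } for  pid=1300 comm="firefox" name="passwd" dev=sda1 ino=99 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1308430803.000:48): avc:  denied  { execmem } for  pid=1234 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
EOF
)

# execmem_denials: read AVC lines on stdin, print "count comm scontext" for
# every distinct comm/scontext pair that was denied execmem, sorted by comm.
execmem_denials() {
    awk '
        /type=AVC/ && /denied/ && index($0, "{ execmem }") > 0 {
            comm = ""; sctx = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^scontext=/) { sctx = substr($i, 10) }
            }
            n[comm " " sctx]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k2
}

# execmem_comm_count: number of distinct programs denied execmem in the
# sample; anything above 1 means a dontaudit on the shared domain hides
# denials for more than firefox.
execmem_comm_count() {
    printf '%s\n' "$AVC_SAMPLE" | execmem_denials | wc -l | tr -d ' '
}

printf '%s\n' "$AVC_SAMPLE" | execmem_denials
echo "distinct programs denied execmem: $(execmem_comm_count)"
```

On a real system the same function can be fed with `grep execmem /var/log/audit/audit.log`; the unrelated file read denial in the sample is skipped on purpose.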

