
I am conducting some research on Grsecurity on Hardened Gentoo, see http://en.wikibooks.org/wiki/Grsecurity. To be more specific, I am trying to find an example where subject mode x makes a difference.

As said in the wiki: subject mode x: Allows executable anonymous shared memory for this subject.

Now, the kernel rejects

mem = mmap(NULL, MAP_SIZE, PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS | MAP_SHARED, -1, 0);

as well as

mem = mmap(NULL, MAP_SIZE, PROT_WRITE, MAP_ANONYMOUS | MAP_SHARED, -1, 0);
mprotect(mem, MAP_SIZE, PROT_EXEC);

or vice versa. On the other hand

mem = mmap(NULL, MAP_SIZE, PROT_READ|PROT_EXEC, MAP_ANONYMOUS | MAP_SHARED, -1, 0);

works fine.

For all of the above it does not matter whether grsec is active or not, and if it is, it does not matter whether subject mode x is set or not - the kernel simply does not allow shared memory that is (or was) writable and executable.

Therefore: what is subject mode x good for, and for what piece of code would it make a difference?

Rui F Ribeiro
countermode

1 Answer


According to Brad Spengler, subject mode x applies to System V shared memory only; see http://forums.grsecurity.net/viewtopic.php?f=5&t=3935. On top of that, PaX strikes unless MPROTECT is disabled for the binary under consideration.

countermode
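A probe for checking this on a given kernel and policy, as an added example that is not part of the original question or answer: it tries the anonymous shared `mmap` variants from the question and a System V segment attached with and without `SHM_EXEC`, and reports which the kernel allows. `MAP_SIZE` and the helper names are assumptions; the results depend on the running kernel, the PaX flags of the binary, and the RBAC subject it runs under.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>

#define MAP_SIZE 4096  /* constructed size for this probe */

/* Try an anonymous shared mmap with `prot`; return 0 or the errno. */
static int probe_mmap(int prot)
{
    void *mem = mmap(NULL, MAP_SIZE, prot, MAP_ANONYMOUS | MAP_SHARED, -1, 0);
    if (mem == MAP_FAILED)
        return errno;
    munmap(mem, MAP_SIZE);
    return 0;
}

/* Create a private System V segment and attach it with `shmflg`
 * (0 = read/write, SHM_EXEC = also executable); return 0 or the errno.
 * Mode 0700: SHM_EXEC needs execute permission on the segment, so an
 * ordinary IPC permission failure is not mistaken for a policy denial. */
static int probe_sysv(int shmflg)
{
    int err = 0;
    int id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | 0700);
    if (id == -1)
        return errno;
    void *mem = shmat(id, NULL, shmflg);
    if (mem == (void *)-1)
        err = errno;
    else
        shmdt(mem);
    shmctl(id, IPC_RMID, NULL);  /* always remove the segment */
    return err;
}

static void report(const char *what, int err)
{
    printf("%-30s %s\n", what, err ? strerror(err) : "allowed");
}

int main(void)
{
    report("mmap  shared anon R+W", probe_mmap(PROT_READ | PROT_WRITE));
    report("mmap  shared anon W+X", probe_mmap(PROT_WRITE | PROT_EXEC));
    report("mmap  shared anon R+X", probe_mmap(PROT_READ | PROT_EXEC));
    report("shmat SysV R+W", probe_sysv(0));
    report("shmat SysV R+W+X (SHM_EXEC)", probe_sysv(SHM_EXEC));
    return 0;
}
```

Running the same binary under a subject with and without mode x, and with MPROTECT enabled and disabled for it, shows which combination changes the `SHM_EXEC` line.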