mailing list of musl libc
 help / color / mirror / code / Atom feed
From: Rich Felker <dalias@libc.org>
To: Alexander Monakov <amonakov@ispras.ru>
Cc: musl@lists.openwall.com, Andrew Rogers <andrew.rogerstech@gmail.com>
Subject: Re: [musl] Potential DL_NOMMU_SUPPORT bug.
Date: Sun, 24 Jan 2021 13:55:45 -0500	[thread overview]
Message-ID: <20210124185545.GT23432@brightrain.aerifal.cx> (raw)
In-Reply-To: <alpine.LNX.2.20.13.2101242140070.31613@monopod.intra.ispras.ru>

On Sun, Jan 24, 2021 at 09:48:11PM +0300, Alexander Monakov wrote:
> > > sdcard [pseudo-]partition is usually mounted noexec, so mmap with PROT_EXEC
> > > should fail.
> > 
> > Uhg, that makes no sense. Does it enforce that even for MAP_PRIVATE,
> > which should semantically be equivalent to just making anon memory
> > with the requested permissions and copying the file contents into it??
> 
> I think it makes sense: isn't the entire point of 'noexec' that a user
> who has write access only to noexec filesystems will not be able to run
> arbitrary binary code (assuming the already-present binaries are not
> cooperative, unlike musl ld.so with the above patch would be)? Enforcing
> noexec for MAP_PRIVATE ensures the users can not trivially side-step
> noexec by invoking ld.so (without extra checks on ld.so side).

I always viewed noexec (as opposed to something like nosuid) as a
non-security-boundary, a sort of soft block for mounting filesystems
that you don't want to execute programs from, for example a disk image
known to contain malware that you're analyzing or a flash drive not
expected to contain meaningful executable data but where all files
would appear as +x due to FAT limitations. The expectation is that it
can be bypassed. With a "restricted shell" type environment (very
careful selection of what programs are present), it can plausibly be
turned into a (very fragile) security boundary, but I didn't expect
the kernel to be making weird rules to facilitate that.

In any case, it seems that's how it is, and inability to dlopen (or
LD_LIBRARY_PATH+DT_NEEDED or whatnot) from a noexec mount is
annoying...

Rich

  reply	other threads:[~2021-01-24 18:56 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-23  6:47 Andrew Rogers
2021-01-24 15:40 ` Rich Felker
2021-01-24 15:58   ` Alexander Monakov
2021-01-24 18:10     ` Rich Felker
2021-01-24 18:48       ` Alexander Monakov
2021-01-24 18:55         ` Rich Felker [this message]
2021-01-30 17:44           ` Andrew Rogers
2021-01-30 19:01             ` Rich Felker

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210124185545.GT23432@brightrain.aerifal.cx \
    --to=dalias@libc.org \
    --cc=amonakov@ispras.ru \
    --cc=andrew.rogerstech@gmail.com \
    --cc=musl@lists.openwall.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/musl/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).