Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Harden memory-deny-write-execute against READ_IMPLIES_EXEC #6448

Open
rusty-snake opened this issue Aug 23, 2024 · 2 comments
Open

Harden memory-deny-write-execute against READ_IMPLIES_EXEC #6448

rusty-snake opened this issue Aug 23, 2024 · 2 comments
Labels
enhancement New feature request

Comments

@rusty-snake rusty-snake added the enhancement New feature request label Aug 23, 2024
@glitsj16
Copy link
Collaborator

@rusty-snake

On the gist you mention
[...]
3. shmat on architectures that multiplex is through ipc.
[...]

Do you have any insights on whether setting kernel parameter ia32_emulation=0 can help in this context?

@rusty-snake
Copy link
Collaborator Author

Yes.

To be precise, disabling ia32 emulation, be it in Kconfig, as boot parameter or with a seccomp filter (systemd can set a system-wide filter for that) on a x86-64 system leaves only x86-64 and x32 (different ABIs, same architecture) which implement shmat as syscall.

In general you should disable/restrict such ugly/scary emulation features.
And OT, while my fedora hardening script(s) are (still) not ready, https://github.com/a13xp0p0v/kernel-hardening-checker it a great tool to check your Kconfig, cmdline and sysctls. But do not blindly apply everything from it and stay in front of a brick.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature request
Projects
None yet
Development

No branches or pull requests

2 participants