document allow_execmem #381
Comments
hi, anyone?
It is documented: execmem: "Make executable an anonymous mapping or private file mapping that is writable." It's bad because it allows a write/execute code path. This is really only useful for things that JIT, IIRC. Sometimes it triggers because of bad file permissions, i.e. they open a file writable but never actually write, and the fix is changing the code, not the policy.
@williamcroberts thank you for the hint. How would you authorize processes to access memory safely?
Hi,
I'm testing rules on a Debian.
Why do we have to allow execmem manually in some cases where apps need it (seems to happen frequently)? I guess if it's not enabled by default, then it's probably not particularly safe or there are some issues related. Is that a good practice to allow it generally like
sudo setsebool -P allow_execmem 1
? If it's not a good practice, can you indicate the right one?
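An added example, not part of the thread or the project's code: a small parser that groups `execmem` AVC denials by source domain and command, so you can see which processes actually request writable-and-executable memory before touching the global boolean. The log lines and the domain names (`example_app_t`, `example_browser_t`) are constructed for illustration; the field layout assumed is the standard audit AVC record.

```python
import re
from collections import Counter

# Constructed sample records (not from the thread). Real input would come from
# /var/log/audit/audit.log or the output of `ausearch -m avc`.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { execmem } for  pid=2101 comm="java" scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:system_r:example_app_t:s0 tclass=process permissive=0
type=AVC msg=audit(1700000003.220:517): avc:  denied  { execmem } for  pid=2101 comm="java" scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:system_r:example_app_t:s0 tclass=process permissive=0
type=AVC msg=audit(1700000009.004:530): avc:  denied  { execmem } for  pid=3300 comm="Web Content" scontext=user_u:user_r:example_browser_t:s0-s0:c0.c1023 tcontext=user_u:user_r:example_browser_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1700000012.310:541): avc:  denied  { read } for  pid=2200 comm="cat" name="shadow" dev="sda1" ino=123 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000012.310:541): arch=c000003e syscall=9 success=no exit=-13 comm="java"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def execmem_by_domain(log_text):
    """Count execmem denials per (source domain, command name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or "execmem" not in rec["perms"] or rec.get("tclass") != "process":
            continue
        parts = rec.get("scontext", "").split(":")  # user:role:type[:mls]
        domain = parts[2] if len(parts) > 2 else "?"
        counts[(domain, rec.get("comm", "?"))] += 1
    return counts

if __name__ == "__main__":
    for (domain, comm), n in execmem_by_domain(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {domain:<20} {comm}")
```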