Steve Grubb wrote:
On Monday, April 15, 2013 09:12:57 AM Richard W.M. Jones wrote:
> which I interpret to mean that after using -fstack-protector-all and
> removing prelink, SELinux would become obsolete because no executable
> can be exploited.
I would say there is a place for SE Linux even if we compiled everything with
"all" because FORTIFY_SOURCE coverage is not absolute. For example, about a
month ago I ran the following test:
procs=`ls /proc | grep '^[0-9]' | sort -n`
for p in $procs
do
    # field 2 of each /proc/PID/maps line is the permission string, e.g. rwxp
    res=`cat /proc/$p/maps 2>/dev/null | awk '$2 ~ "wx" { print $2 }'`
    if [ x"$res" != "x" ] ; then
        # cmdline is NUL-separated, so awk's $1 is the whole command line
        cat /proc/$p/cmdline | awk '{ printf "%-35s\t", $1 }'
        printf "%s\n" "$p"
    fi
done
Neat.
I saved that in a script, then realized I could simplify it.
This is nearly equivalent:
$ grep -lE '^[0-9a-f-]+ .wx' /proc/*/maps 2>/dev/null \
|perl -ne 'm!^(/proc/(\d+))/.*! and printf qq(%5d %s\n), $2, `cat $1/cmdline`'
Sample output on an F18 system running the awesome window manager:
1836 /usr/lib/firefox/firefox-no-remote-Pdefault
Notice that the NUL-separated arguments aren't shown properly,
so filter the result through e.g., | tr '\0' ' '
Adjusted output:
1836 /usr/lib/firefox/firefox -no-remote -P default
What this does is display the programs with Writable and Executable
memory.
All Fedora desktops except Mate have WX memory. (I checked KDE, Gnome,
Cinnamon, and Mate.) WX memory is dangerous because the normal exploit pattern
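The same W+X audit as an added example in Python (not code from either poster): it parses /proc/PID/maps lines properly instead of substring-matching, renders the NUL-separated cmdline the way the thread suggests, and can walk a live /proc. The maps and cmdline samples below are constructed, not captured from a real system.

```python
"""Flag processes whose address space contains writable+executable mappings."""
import os
import re

# One maps line: "start-end perms offset dev inode [pathname]"
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample: one rwxp anonymous region, plus a library whose *name*
# contains "wx" to show that only the permission field is examined.
SAMPLE_MAPS = """00400000-0040b000 r-xp 00000000 fd:01 123 /usr/lib/firefox/firefox
7f0000000000-7f0000021000 rwxp 00000000 00:00 0
7f0000021000-7f0000030000 rw-p 00000000 00:00 0 [heap]
7f0000030000-7f0000040000 r-xp 00000000 fd:01 456 /usr/lib/libwx_baseu.so
"""


def wx_mappings(maps_text):
    """Return (start, end, perms, path) for every mapping that is writable AND executable."""
    found = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than mis-classify them
        perms = m.group("perms")
        if perms[1] == "w" and perms[2] == "x":
            found.append((m.group("start"), m.group("end"), perms, m.group("path").strip()))
    return found


def cmdline_to_str(raw):
    """/proc/PID/cmdline is NUL-separated; join the arguments with spaces."""
    return b" ".join(p for p in raw.split(b"\0") if p).decode("utf-8", "replace")


def scan_proc(proc_root="/proc"):
    """Walk a live /proc and return {pid: (cmdline, [wx mappings])}; unreadable entries are skipped."""
    report = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "maps")) as f:
                hits = wx_mappings(f.read())
            if not hits:
                continue
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as f:
                cmd = cmdline_to_str(f.read())
        except OSError:
            continue  # process exited, or not ours to read
        report[int(name)] = (cmd, hits)
    return report


if __name__ == "__main__":
    for pid, (cmd, hits) in sorted(scan_proc().items()):
        print("%5d %s  (%d W+X mapping(s))" % (pid, cmd, len(hits)))
```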