Does MAP_FIXED inhibit execmem denial?

John Reiser jreiser at
Thu Apr 20 05:52:28 UTC 2006

I develop the Linux+ELF side of UPX, which compresses executable programs
to save storage space and invocation time.  Immediately after kernel
execve() of a compressed program, a small decompressor reconstructs
the original PT_LOADs directly into address space; then execution proceeds
as usual.  The decompression writes instructions which execute later,
directly into pages with both PROT_WRITE and PROT_EXEC, so perhaps
there should be a { denied } avc due to execmem when SELinux is in
enforcing mode.  Reading the explanation of execmem in
supports this theory.

However, under all released FC5 kernels including 2.6.16-1.2096_FC5,
I see no execmem complaints.  Strace of typical execution begins:
old_mmap(0xc06000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0xc06000) = 0xc06000
  /* interval [0xc06000, +4096)  is written and executed >now< */
old_mmap(0x8048000, 45056, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x8048000
old_mmap(0x8048000, 40647, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x8048000
  /* interval [0x8048000, +40644)  is written >now< */
mprotect(0x8048000, 40644, PROT_READ|PROT_EXEC) = 0
  /* interval [0x8048000, +40644)  is executed later */
old_mmap(0x8052000, 3800, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0xa000) = 0x8052000
Notice that the first and third old_mmap() specify (PROT_WRITE | PROT_EXEC)
with (MAP_FIXED | MAP_ANONYMOUS)  [and other bits, too.]  SELinux was is
targeted enforcing mode, and this was an unconfined compressed executable.

How did these system calls evade being denied due to execmem?


More information about the fedora-selinux-list mailing list