On Sun, Feb 26, 2017 at 03:27:05PM +0100, Kamil Rytarowski wrote:
> On 26.02.2017 15:05, co...@sdf.org wrote:
> > On Sun, Feb 26, 2017 at 02:52:39PM +0100, Kamil Rytarowski wrote:
> >> Can we have something like MAP_NOMPROTECT? Something like it would be
> >> used to mmap(2) RWX region:
> >>
> >> void *mapping = mmap(NULL, rounded_size, PROT_READ | PROT_WRITE |
> >> PROT_EXEC, MAP_ANON | MAP_PRIVATE | MAP_NOMPROTECT, -1, 0);
> >>
> >> Are doubled mappings more secure than this?
> >>
> >
> > what pax mprotect does is silently turn RWX mapping to RW.
> >
>
> What's the [security] difference between fooling and disabling mprotect
> for a memory region?
>
> Is there a room to add this nomprotect allocator in libutil(3) to make
> it convenient to reuse out of libffi?
>

Just disable it if you want RWX mappings. I don't see the problem.