Memory sealing for the GNU C library

mseal() system call: Allows a process to prevent future changes to parts of its address space, and is patterned after mimmutable() in OpenBSD. It generated much discussion and was merged for the 6.10 kernel release. The intent is to increase security by making it harder for attackers to alter the permissions or layout of memory that has been sealed. The glibc interface mirrors the kernel's.
Zanella's patch set: Adds support for mseal() to the GNU C library (glibc). It optionally seals various parts of the address space: the binary's code, preloaded libraries, the vDSO area, dynamic libraries loaded with dlopen(), and audit modules. A glibc tunable, glibc.rtld.seal, controls the sealing behavior (0 disables sealing, 1 seals but ignores failures, 2 kills the process on failure). This is early work: mseal() is not in a released kernel yet and the patch set may change. The 6.10 release is expected in mid-July, so the support may land in glibc 2.41 instead of 2.40.
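As an added illustration (not code from the kernel, glibc or Zanella's patches) of what sealing buys: a page is sealed through the raw system call, after which mprotect() and munmap() on it are refused with EPERM. The three-mode policy function is my own emulation of the tunable's described behaviour; the wrapper uses syscall() because a released glibc may not yet export mseal(), and the syscall number 462 is the one assigned in Linux 6.10.

```c
// Added demo of mseal(): seal an anonymous mapping and show that later
// permission changes and unmapping are rejected. Raw syscall because a
// released glibc may not yet export a wrapper; __NR_mseal is 462 (Linux 6.10).
#define _GNU_SOURCE
#include <errno.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_mseal
#define __NR_mseal 462
#endif

static int raw_mseal(void *addr, size_t len)
{
    return (int)syscall(__NR_mseal, addr, len, 0UL); /* flags must be 0 */
}

/* Emulates the three glibc.rtld.seal modes described above (my own model):
 * 0 = never seal, 1 = seal but ignore failure, 2 = failure is fatal.
 * Returns 0 on success, 1 when sealing failed but was tolerated, and -1 when
 * mode 2 would make glibc kill the process. */
int apply_seal_policy(int mode, void *addr, size_t len)
{
    if (mode == 0)
        return 0;
    if (raw_mseal(addr, len) == 0)
        return 0;
    return mode == 1 ? 1 : -1;
}

/* Returns 0 = sealed and both mprotect() and munmap() failed with EPERM,
 * 1 = this kernel/sandbox has no usable mseal(), -1 = unexpected result. */
int seal_demo(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    if (raw_mseal(p, page) != 0) {            /* ENOSYS on kernels < 6.10 */
        int saved = errno;
        munmap(p, page);
        return (saved == ENOSYS || saved == EPERM) ? 1 : -1;
    }
    int rc = 0;
    if (mprotect(p, page, PROT_READ) == 0 || errno != EPERM)
        rc = -1;                              /* sealed: change must be refused */
    if (munmap(p, page) == 0 || errno != EPERM)
        rc = -1;                              /* sealed: unmap must be refused */
    return rc;                                /* page stays mapped until exit */
}
```

On a kernel without mseal() the demo reports 1 rather than failing, which is exactly the case mode 1 of the tunable is meant to tolerate.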
