mirror of
https://git.yoctoproject.org/meta-security
synced 2026-02-25 17:40:10 +00:00
Add option to prevent memory mappings that are both writable and executable.

https://www.freedesktop.org/software/systemd/man/255/systemd.exec.html#MemoryDenyWriteExecute=

Core Suricata developer:
a606a81032/7.0/suricata-4.1.1-service.patch (L23)

Fedora:
cfb3b996f5

Resolve SELinux AVC denial:

type=PROCTITLE proctitle=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

type=SYSCALL arch=aarch64 syscall=mprotect success=no exit=EACCES(Permission denied) a0=0x7fffa7d04000 a1=0x4000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x21 items=0 ppid=1 pid=283 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=Suricata-Main exe=/usr/bin/suricata subj=system_u:system_r:initrc_t:s0 key=(null)

type=AVC avc: denied { execmem } for pid=283 comm=Suricata-Main scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process

Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
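
Added example (not part of the commit or of meta-security): a small Python triage script that scans interpreted audit records, like the ones quoted in the commit message, for mmap/mprotect calls requesting PROT_WRITE and PROT_EXEC together and for SELinux execmem denials. The sample records are constructed; the second process (pid 412, /usr/bin/example) and the function names are assumptions made for illustration.

```python
import re

# Constructed sample input, modelled on the interpreted audit records quoted in
# the commit message; the second process (pid 412) is invented for contrast.
SAMPLE = """\
type=SYSCALL arch=aarch64 syscall=mprotect success=no exit=EACCES(Permission denied) a0=0x7fffa7d04000 a1=0x4000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x21 pid=283 comm=Suricata-Main exe=/usr/bin/suricata
type=AVC avc: denied { execmem } for pid=283 comm=Suricata-Main scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL arch=aarch64 syscall=mprotect success=yes exit=0 a0=0x7fff90000000 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=0x0 pid=412 comm=example exe=/usr/bin/example
"""

FIELD = re.compile(r"(\w+)=(\S+)")           # key=value pairs
PERMS = re.compile(r"denied\s+\{([^}]*)\}")  # AVC permission set, e.g. { execmem }


def parse(line):
    """Turn one interpreted audit record into a dict of its fields."""
    rec = dict(FIELD.findall(line))
    m = PERMS.search(line)
    rec["perms"] = m.group(1).split() if m else []
    return rec


def wx_findings(text):
    """Return (pid, comm, reason) for each W+X request or execmem denial."""
    findings = []
    for line in text.splitlines():
        rec = parse(line)
        who = (rec.get("pid"), rec.get("comm"))
        if rec.get("type") == "SYSCALL" and rec.get("syscall") in ("mmap", "mprotect"):
            # For both mmap and mprotect the protection flags are argument a2.
            prot = set(rec.get("a2", "").split("|"))
            if {"PROT_WRITE", "PROT_EXEC"} <= prot:
                reason = f"{rec['syscall']} W+X, success={rec.get('success')}"
                findings.append(who + (reason,))
        elif rec.get("type") == "AVC" and "execmem" in rec["perms"]:
            findings.append(who + ("SELinux execmem denied",))
    return findings


if __name__ == "__main__":
    for pid, comm, reason in wx_findings(SAMPLE):
        print(f"pid={pid} comm={comm}: {reason}")
```

The script expects interpreted records (symbolic syscall names and PROT_* flags, as in the commit message); raw records with numeric arguments would need decoding first.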