Harden memory-deny-write-execute against READ_IMPLIES_EXEC

[rusty-snake]

See https://gist.github.com/rusty-snake/481ad71892fb587a6056326686e55bf7

https://codeberg.org/crabjail/crablock/src/commit/d6dae786b0227fe1b97355412beee3aa46559522/src/modules/seccomp.rs#L643-L647

[glitsj16]

@rusty-snake

On the gist you mention
[...]
3. shmat on architectures that multiplex is through ipc.
[...]

Do you have any insights on whether setting kernel parameter ia32_emulation=0 can help in this context?

[rusty-snake]

Yes.

To be precise, disabling ia32 emulation, be it in Kconfig, as boot parameter or with a seccomp filter (systemd can set a system-wide filter for that) on a x86-64 system leaves only x86-64 and x32 (different ABIs, same architecture) which implement shmat as syscall.

In general you should disable/restrict such ugly/scary emulation features.
And OT, while my fedora hardening script(s) are (still) not ready, https://github.com/a13xp0p0v/kernel-hardening-checker it a great tool to check your Kconfig, cmdline and sysctls. _{But do not blindly apply everything from it and stay in front of a brick.}