Can't mmap /dev/zero

cking · November 23, 2018, 9:27am

Hi there, I’ve got an application that mmap’d /dev/zero. This isn’t particularly an insecure operation, all the application needs is some zero’d pages. However, the operation is being denied.

audit: type=1400 audit(1542964976.932:3722): apparmor=“DENIED” operation=“file_mmap” profile=“snap.e820-bios.e820-bios” name="/dev/zero" pid=2876 comm=“e820-bios” requested_mask=“m” denied_mask=“m” fsuid=0 ouid=0

Any ideas how to solve this?

jamesh · November 23, 2018, 10:32am

Is the code under your control? If so, could you modify it to use the MAP_ANONYMOUS flag instead? That avoids the need to open /dev/zero, and should work with the current policy.

cking · November 23, 2018, 10:33am

This code is not under my control, it’s from libx86

jdstrand · November 28, 2018, 8:38pm

I suspect that the binary or a library it uses has an executable stack: Snap and executable stacks