== Implementation ==
Exec Shield works on all x86 CPUs by using the Code Segment (CS) limit. Because of the way Exec Shield works, it is very lightweight; however, it won't fully protect arbitrary [[virtual memory]] layouts. If the CS limit is raised, for example by calling mprotect() to make higher memory executable, then the protections are lost below that limit. [[Ingo Molnar]] points this out in an e-mail conversation. Most applications behave sanely in this respect; the stack (the important part) at least winds up above any mapped libraries, so it does not become executable except by explicit calls by the application.

As of August 2004, nothing from the Exec Shield projects attempts to enforce memory protections by restricting [[mprotect]]() on any architecture; although memory may not initially be executable, it may become executable later, so the kernel will allow an application to mark memory pages as both writable and executable at the same time. However, in cooperation with the [[Security-Enhanced Linux]] project (SELinux), the standard policy for the [[Fedora (operating system)|Fedora Core]] distribution does prohibit this behavior for most executables, with only a few exceptions for compatibility reasons. <!--Binary markings: PT_GNU_STACK, PT_GNU_HEAP-->
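The following C model is an added illustration, not Exec Shield or kernel code. It assumes a simplified rule (the CS limit is the end of the highest executable mapping) and a constructed address layout, and reports which non-executable mappings fall below the limit once a higher region is made executable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define P_R 1
#define P_W 2
#define P_X 4

struct mapping { const char *name; uint32_t start, end; int prot; };

/* Constructed sample layout (hypothetical addresses, not from a real process). */
static struct mapping layout[] = {
    {"library text", 0x00110000u, 0x00250000u, P_R | P_X},
    {"program text", 0x08048000u, 0x08050000u, P_R | P_X},
    {"program data", 0x08050000u, 0x08052000u, P_R | P_W},
    {"heap",         0x09000000u, 0x09021000u, P_R | P_W},
    {"high buffer",  0xb7f00000u, 0xb7f10000u, P_R | P_W},
    {"stack",        0xbffdf000u, 0xc0000000u, P_R | P_W},
};
#define NMAPS (sizeof layout / sizeof layout[0])

/* Assumed rule: the limit is the end of the highest mapping carrying P_X. */
static uint32_t cs_limit(const struct mapping *m, size_t n) {
    uint32_t limit = 0;
    for (size_t i = 0; i < n; i++)
        if ((m[i].prot & P_X) && m[i].end > limit) limit = m[i].end;
    return limit;
}

/* Exposed: not marked executable, yet starting below the segment limit. */
static int exposed(const struct mapping *m, uint32_t limit) {
    return !(m->prot & P_X) && m->start < limit;
}

static int count_exposed(const struct mapping *m, size_t n) {
    uint32_t limit = cs_limit(m, n);
    int c = 0;
    for (size_t i = 0; i < n; i++) c += exposed(&m[i], limit);
    return c;
}

/* Stand-in for mprotect(): only changes the modeled permission bits. */
static void model_mprotect(struct mapping *m, int prot) { m->prot = prot; }

int main(void) {
    printf("before: limit=%#x exposed=%d\n", (unsigned)cs_limit(layout, NMAPS), count_exposed(layout, NMAPS));
    model_mprotect(&layout[4], P_R | P_W | P_X);   /* high buffer becomes executable */
    printf("after:  limit=%#x exposed=%d\n", (unsigned)cs_limit(layout, NMAPS), count_exposed(layout, NMAPS));
    return 0;
}
```

In this model the stack stays covered because it sits above the new limit, while the data and heap mappings below the newly executable region do not.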