So far I have:
- static binaries
- LD_PRELOAD for SetUID/SetGID binaries
- From internal documentation (Userspace live patching):
  MemoryDenyWriteExecute=yes in service configuration file.
  In SLES15.4 I found:
  auditd.service
  augenrules.service
  systemd-journald.service
  systemd-logind.service
  systemd-udevd.service
  uuidd.service
- seccomp driver causing calls to mprotect with EXEC flags to be blocked
  (Can this be detected? Do we have a list?)
- I assume SELinux or AppArmor settings?
We need to document the exceptions. Also we should provide admins with the tooling to discover such non-livepatchable processes, so they can restart them.
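A starting point for the admin tooling the post asks for, as an added example that is not part of the original discussion or of any SUSE tool: it walks /proc and flags processes matching the criteria listed above. It assumes a Linux host with /proc; readelf and systemctl are optional and skipped when absent, and a non-zero seccomp mode only shows that a filter is installed, not that it blocks mprotect with EXEC flags.

```shell
#!/bin/sh
# Added example (not from the discussion above): flag running processes that
# are likely non-livepatchable by the listed criteria.

# Seccomp mode from /proc/PID/status text: 0 = off, 1 = strict, 2 = filter.
# A filter being present does not prove it denies mprotect(PROT_EXEC).
seccomp_mode() {
    printf '%s\n' "$1" | awk '$1 == "Seccomp:" { print $2; found = 1 }
                              END { if (!found) print 0 }'
}

# Value from `systemctl show -p MemoryDenyWriteExecute UNIT` output.
mdwe_value() {
    printf '%s\n' "$1" | sed -n 's/^MemoryDenyWriteExecute=//p'
}

# systemd unit a process belongs to, derived from /proc/PID/cgroup text.
unit_of_cgroup() {
    printf '%s\n' "$1" | sed -n 's#.*/\([^/]*\.service\)$#\1#p' | head -n 1
}

# Set-user-ID / set-group-ID binaries ignore LD_PRELOAD.
is_setid() { [ -u "$1" ] || [ -g "$1" ]; }

# An ELF with no PT_INTERP program header is statically linked.
is_static_elf() {
    command -v readelf >/dev/null 2>&1 || return 1
    ! readelf -l "$1" 2>/dev/null | grep -q INTERP
}

# Print "PID EXE REASON" for every criterion the process matches.
check_pid() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 0
    status=$(cat "/proc/$pid/status" 2>/dev/null) || return 0
    is_static_elf "$exe" && echo "$pid $exe static-binary"
    is_setid "$exe" && echo "$pid $exe setuid/setgid"
    mode=$(seccomp_mode "$status")
    [ "$mode" != 0 ] && echo "$pid $exe seccomp-mode=$mode"
    unit=$(unit_of_cgroup "$(cat "/proc/$pid/cgroup" 2>/dev/null)")
    if [ -n "$unit" ] && command -v systemctl >/dev/null 2>&1; then
        mdwe=$(mdwe_value "$(systemctl show -p MemoryDenyWriteExecute "$unit" 2>/dev/null)")
        [ "$mdwe" = yes ] && echo "$pid $exe $unit:MemoryDenyWriteExecute=yes"
    fi
    return 0
}

# Scan every live process.
scan_all() { for p in /proc/[0-9]*; do check_pid "${p#/proc/}"; done; }
```

Source the file and call `scan_all` as root to list candidates; SELinux/AppArmor confinement is not checked here.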