libc & redteam folks: are there any interfaces in libc that return a pointer, that's not as-if-by-malloc or based on a pointer the caller passed in, to memory that the caller is actually allowed to write to? I think the answer is pretty much no.
On Linux, /dev/shm is just a tmpfs filesystem with a naming convention for implementing that API. It doesn't actually map anything into the address space or give you a pointer to write to it without using mmap. Could give mmap as an example that's not simply malloc-alike though.
And mmap being used directly is quite relevant to this since they'll end up placed with other mmap mappings including libraries, etc. which is a reason for libc to set it up so that there's a new random base for mmap after mapping the initially loaded libraries, etc.
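Added example, not part of the thread: a small C probe for the placement point made in the replies, showing where a directly requested anonymous `mmap` page lands relative to libc's own mapping and to a small `malloc` block. It assumes Linux with `/proc/self/maps` readable and a dynamically linked libc; `struct probe`, `find_libc_base` and `probe_mappings` are hypothetical names chosen for this sketch.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct probe {
    uintptr_t mmap_addr; /* page obtained by calling mmap directly */
    uintptr_t heap_addr; /* small malloc block, for comparison */
    uintptr_t libc_base; /* first libc mapping in /proc/self/maps, 0 if not found */
};

/* /proc/self/maps is sorted by address, so the first libc line is its base. */
static uintptr_t find_libc_base(void) {
    char line[512];
    uintptr_t base = 0;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f)) {
        if (strstr(line, "/libc.") || strstr(line, "/libc-")) {
            base = (uintptr_t)strtoull(line, NULL, 16);
            break;
        }
    }
    fclose(f);
    return base;
}

/* Returns 0 on success; addresses are recorded before the memory is released. */
int probe_mappings(struct probe *out) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *m = mmap(NULL, page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    void *h = malloc(64);
    int ok = (m != MAP_FAILED && h != NULL);
    if (ok) {
        m[0] = 0x5a; /* the caller is allowed to write to this pointer */
        ok = (m[0] == 0x5a);
        out->mmap_addr = (uintptr_t)m;
        out->heap_addr = (uintptr_t)h;
        out->libc_base = find_libc_base();
    }
    free(h);
    if (m != MAP_FAILED) munmap(m, page);
    return ok ? 0 : -1;
}
```

Printing the three fields across several runs shows how close the direct mapping sits to the library region compared with the small heap block; the exact distances depend on the kernel and libc in use.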


