enable null pointer hardening by default
Eric Sandeen
sandeen at redhat.com
Thu Dec 13 16:07:54 UTC 2007
Eric Paris wrote:
> I'd like to see the fedora kernel enable the null pointer hardening work
> I did upstream by default.
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ed0321895182ffb6ecf210e066d87911b270d587
>
> Upstream refused to turn it on as it is known to break non-root users of
> dosemu and they felt very strongly that not one user could break. It
> can be easily disabled with an entry in sysctl.conf for any such users.
> Certainly turning this on is something we would want to release note in
> F9 (which I don't know the process to do)
>
> This must not be applied to F8 until at least after the rebase to 2.6.24
> as the 2.6.23 implementation of my hardening work is known buggy and
> causes unneeded issues.
>
> Would anyone have a problem carrying this patch in fedora? This would
> be a forever fedora'ism.
Couldn't this default value be a kernel config option?
(CONFIG_DEFAULT_MMAP_MIN_ADDR) or something less verbose...
-Eric
> ---
>
> security/security.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/security/security.c b/security/security.c
> index 0e1f1f1..61787bb 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -23,7 +23,7 @@ extern struct security_operations dummy_security_ops;
> extern void security_fixup_ops(struct security_operations *ops);
>
> struct security_operations *security_ops; /* Initialized to NULL */
> -unsigned long mmap_min_addr; /* 0 means no protection */
> +unsigned long mmap_min_addr = 65536; /* protect first 64k */
>
> static inline int verify(struct security_operations *ops)
> {
>
>
> _______________________________________________
> Fedora-kernel-list mailing list
> Fedora-kernel-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-kernel-list
More information about the Fedora-kernel-list
mailing list