enable CONFIG_SECURITY_MMAP_MIN_ADDR

Eric Paris eparis at redhat.com
Thu Feb 14 17:29:18 UTC 2008


On Thu, 2008-02-14 at 12:24 -0500, Dave Jones wrote:
> On Thu, Feb 14, 2008 at 11:09:52AM -0500, Eric Paris wrote:
>  > Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR
>  > Kconfig option.  In the past I tried to get this enabled by default
>  > using sysctl, a Fedora kernel patch, and now I've got the Kconfig option
>  > in the upstream kernel.  Let's set this equal to 65536.  I've been
>  > running with this setting on my F8 laptop for some time and haven't seen
>  > any problems (although I do know that dosemu may be an issue for both of
>  > the people in the world who use it, there also may be some virt issues
>  > that I don't know about but which can be very quickly and easily sorted
>  > out)
>  > 
>  > This sysctl hardens the kernel against null pointer bugs.  Remember the
>  > priv escalation that was all the news last weekend?  Not an issue with
>  > this enabled!
>  > 
>  > http://www.avertlabs.com/research/blog/index.php/2008/02/13/analyzing-the-linux-kernel-vmsplice-exploit/
> 
> I'm more concerned about wine than dosemu. That also uses vm86 afaik.
> Setting it to !0 on non-x86 builds sounds like it's a safe thing to do however.
> 
> 	Dave

My (minimal) testing of wine indicated that it did try to make use of
mapping the low pages but it still worked when it couldn't map them.  I
asked Dan to go ahead and allow wine to map those pages in selinux
policy, but in the selinux=0 case it might cause some problems.

I guess I should bring it up with the wine community to get a better
understanding of exactly why they are trying to map those pages and how
it handles those failures (in my case it handled them quite nicely).

-Eric



