On Thu, 13 May 2010, Roman I Khimov wrote: ... mmap_min_addr stuff snipped ...
> The real solution is in the kernel, it should be fixed for latest
> Ubuntu and hopefully Fedora will catch up on this issue too.
>
> http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commitdiff;h=822cceec7248013821d655545ea45d1c6a9d15b3
>
> Interesting that openSUSE with 2.6.31 kernel doesn't have such
> problems... And our main build machine with Debian stable + 2.6.30
> kernel works fine too. Probably this check got introduced in 2.6.32.

not sure which kernel *version* it showed up in, but it appears to be a
result of this commit from Nov of last year (which you can see ended up
being unnecessarily restrictive -- d'oh!):

commit 0e1a6ef2dea88101b056b6d9984f3325c5efced3
Author: Kees Cook <[email protected]>
Date:   Sun Nov 8 09:37:00 2009 -0800

    sysctl: require CAP_SYS_RAWIO to set mmap_min_addr

    Currently the mmap_min_addr value can only be bypassed during mmap when
    the task has CAP_SYS_RAWIO.  However, the mmap_min_addr sysctl value
    itself can be adjusted to 0 if euid == 0, allowing a bypass without
    CAP_SYS_RAWIO.  This patch adds a check for the capability before
    allowing mmap_min_addr to be changed.

    Signed-off-by: Kees Cook <[email protected]>
    Acked-by: Serge Hallyn <[email protected]>
    Signed-off-by: James Morris <[email protected]>

diff --git a/security/min_addr.c b/security/min_addr.c
index c844eed..fc43c9d 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -33,6 +33,9 @@ int mmap_min_addr_handler(struct ctl_table *table, int write,
 {
 	int ret;
 
+	if (!capable(CAP_SYS_RAWIO))
+		return -EPERM;
+
 	ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
 
 	update_mmap_min_addr();

whereupon the security-related fix is, as was mentioned previously,
submitted here:

http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commitdiff;h=822cceec7248013821d655545ea45d1c6a9d15b3

rday

-- 
========================================================================
Robert P. J. Day                               Waterloo, Ontario, CANADA
                        Linux Consulting, Training and Kernel Pedantry.

Web page:                                          http://crashcourse.ca
Twitter:                                       http://twitter.com/rpjday
========================================================================

_______________________________________________
Openembedded-devel mailing list
[email protected]
http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel
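Review bot: in the mmap_min_addr_handler hunk above, the new capable(CAP_SYS_RAWIO) check runs before proc_doulongvec_minmax() without consulting the handler's `write` argument, so an unprivileged read of /proc/sys/vm/mmap_min_addr now fails with -EPERM even though the commit message only sets out to restrict changing the value. Gate the check on the write path, i.e. `if (write && !capable(CAP_SYS_RAWIO))` / `return -EPERM;`, which is the narrowing the follow-up commit linked in the reply (822cceec...) is there to supply; a one-line note in the commit message that reads stay unprivileged would also have made the intent reviewable.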
