On Wed, 2008-02-20 at 08:50 -0500, Stephen Smalley wrote:
On Wed, 2008-02-20 at 11:08 +0100, Miklos Szeredi wrote:
Please don't introduce a special case for just nfs. All filesystems
should control their mount options, so please provide some library
helpers for context= handling and
is just bigger.
Signed-off-by: Eric Paris [EMAIL PROTECTED]
---
I tested mounting using both the version 6 binary mount data from
userspace and using the text mount options in a simple program I wrote
to call mount directly. I was able to correctly set the selinux context
of my mounts
On Fri, 2007-12-21 at 23:59 +0100, Jan Engelhardt wrote:
On Dec 21 2007 14:35, Greg KH wrote:
I guess it could be, but the input for /proc/sys/vm/mmap_min_addr is
base 10 as well
sysfs is autobase, i.e. echo 0xb000 /sys/foo will Do The Right Thing.
yes but if you cat
On Thu, 2007-12-20 at 00:29 +0100, Jan Engelhardt wrote:
On Dec 19 2007 16:59, Eric Paris wrote:
+config SECURITY_DEFAULT_MMAP_MIN_ADDR
+int Low address space to protect from user allocation
Hm, should not this be 'hex'?
I guess it could be, but the input for /proc/sys/vm
-off-by: James Morris [EMAIL PROTECTED]
Acked-by: Eric Paris [EMAIL PROTECTED]
---
mm.h |5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 1b7b95c..02fbac7 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
Since it was decided that low memory protection from userspace couldn't
be turned on by default add a Kconfig option to allow users/distros to
set a default at compile time. This value is still tunable after boot
in /proc/sys/vm/mmap_min_addr
Signed-off-by: Eric Paris [EMAIL PROTECTED
Given a specifically crafted binary do_brk() can be used to get low
pages available in userspace virtually memory and can thus be used to
circumvent the mmap_min_addr low memory protection. Add security checks
in do_brk().
Signed-off-by: Eric Paris [EMAIL PROTECTED]
---
mm/mmap.c |4
to
be patched to use this new interface for every possible LSM. This is
because it was stated to me very clearly that LSM's should not attempt
to understand FS mount data and the burdon to understand security should
be in the FS which owns the options.
Signed-off-by: Eric Paris [EMAIL PROTECTED
On Fri, 2007-11-09 at 08:29 -0800, Casey Schaufler wrote:
--- Stephen Smalley [EMAIL PROTECTED] wrote:
On Thu, 2007-11-08 at 16:37 -0500, Eric Paris wrote:
Adds security_get_sb_mnt_opts, security_set_sb_mnt_opts, and
security_clont_sb_mnt_opts to the LSM and to SELinux
to understand security should
be in the FS which owns the options.
Signed-off-by: Eric Paris [EMAIL PROTECTED]
---
For now the only forseen user of this interface is NFS. NFS uses a
binary blob in kernel for mount data (it uses this blob irrespective of
the binary vs. text mount options it can get
[snip from fs/super.c:vfs_kern_mount() just for reference]
if (data) {
secdata = alloc_secdata();
if (!secdata)
goto out_mnt;
error = security_sb_copy_data(type, data, secdata);
if (error)
11 matches
Mail list logo
