Push mmap_min_addr changes to Linus

Push mmap_min_addr changes to Linus

[Eric Paris]

I'm tired of these recent exploits and SELinux being weaker against
local user priv escalation bugs using NULL pointers.  Can we push 

7c73875e7dda627040b12c19b01db634fa7f0fd1
84336d1a77ccd2c06a730ddd38e695c2324a7386
a2551df7ec568d87793d2eea4ca744e86318f205
47d439e9fb8a81a90022cfa785bf1c36c4e2aff6

To linus?  It's fixing a clear security bug in that we are not checking
DAC before granting mmap_min_addr.  If need be I'll write another
smaller patch which just does the DAC check in the SELinux security
hook, but I'd rather see the true separation.

-Eric


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Push mmap_min_addr changes to Linus

[James Morris]

On Fri, 14 Aug 2009, Eric Paris wrote:

> I'm tired of these recent exploits and SELinux being weaker against
> local user priv escalation bugs using NULL pointers.  Can we push 
> 
> 7c73875e7dda627040b12c19b01db634fa7f0fd1
> 84336d1a77ccd2c06a730ddd38e695c2324a7386
> a2551df7ec568d87793d2eea4ca744e86318f205
> 47d439e9fb8a81a90022cfa785bf1c36c4e2aff6
> 
> To linus?  It's fixing a clear security bug in that we are not checking
> DAC before granting mmap_min_addr.  If need be I'll write another
> smaller patch which just does the DAC check in the SELinux security
> hook, but I'd rather see the true separation.

Probably best to make the smallest possible change now, so I suggest the 
latter (which might be useful for distro backporting).


-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Push mmap_min_addr changes to Linus

[Eric Paris]

On Sat, 2009-08-15 at 19:46 +1000, James Morris wrote:
> On Fri, 14 Aug 2009, Eric Paris wrote:
> 
> > I'm tired of these recent exploits and SELinux being weaker against
> > local user priv escalation bugs using NULL pointers.  Can we push 
> > 
> > 7c73875e7dda627040b12c19b01db634fa7f0fd1
> > 84336d1a77ccd2c06a730ddd38e695c2324a7386
> > a2551df7ec568d87793d2eea4ca744e86318f205
> > 47d439e9fb8a81a90022cfa785bf1c36c4e2aff6
> > 
> > To linus?  It's fixing a clear security bug in that we are not checking
> > DAC before granting mmap_min_addr.  If need be I'll write another
> > smaller patch which just does the DAC check in the SELinux security
> > hook, but I'd rather see the true separation.
> 
> Probably best to make the smallest possible change now, so I suggest the 
> latter (which might be useful for distro backporting).

I thought about it overnight and decided that I am unwilling to go that
route.  Tieing both CAP_SYS_RAWIO and mmap_zero to the same /proc
tunable would reduce security when people have to set it to 0.  While we
fix the current SELinux weakness compared to non-SELinux systems we
would be giving up the current SELinux strengths.

Please push these as they stand.

-Eric


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.