| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 Jul 2009 11:18:44 -0400 From: Eric Paris <eparis@...hat.com> To: Alan Cox <alan@...rguk.ukuu.org.uk> Cc: linux-kernel@...r.kernel.org, selinux@...ho.nsa.gov, linux-security-module@...r.kernel.org, sds@...ho.nsa.gov, jmorris@...ei.org, spender@...ecurity.net, dwalsh@...hat.com, cl@...ux-foundation.org, arjan@...radead.org, kyle@...artin.ca, cpardy@...hat.com, arnd@...db.de Subject: Re: [PATCH 1/2] VM/SELinux: require CAP_SYS_RAWIO for all mmap_zero operations On Tue, 2009-07-21 at 16:04 +0100, Alan Cox wrote: > On Tue, 21 Jul 2009 10:41:58 -0400 > Eric Paris <eparis@...hat.com> wrote: > > > Currently non-SELinux systems need CAP_SYS_RAWIO for an application to mmap > > the 0 page. On SELinux systems they need a specific SELinux permission, > > but do not need CAP_SYS_RAWIO. This has proved to be a poor decision by > > the SELinux team as, by default, SELinux users are logged in unconfined and > > thus a malicious non-root has nothing stopping them from mapping the 0 page > > of virtual memory. > > So the poor decision is in fact that the SELinux users start as > unconfined rather than taking away a few things like the the min map > stuff which can then be given back to specific apps. See Fedora Core 2 of an example why confining users causes people to just turn off SELinux. In F10 we had around 90% SELinux enforcing of machines the reported to smolt for more than 3 months. We are trying to slowly reign people in with SELinux and confining the user is one of those near impossibilities without breaking every power user out there.... > > On a non-SELinux system, a malicious non-root user is unable to do this, as > > they need CAP_SYS_RAWIO. > > > > This patch checks CAP_SYS_RAWIO for all operations which attemt to map a > > page below mmap_min_addr. > > So "wine" now needs to run with CAP_SYS_RAWIO or you turn all the > security off. Now, as in today, yes. To run wine today it either needs CAP_SYS_RAWIO or you disable for the whole system. I noted that I believe ubuntu just turns it off for the whole system when you install WINE. This patch doesn't change that fact. All it does is add that requirement to SELinux systems that already exists on non-selinux systems. > Am I missing something here, this "solution" sounds completely brain > dead ? Well, with patch 2/2 you still get your SELinux protections (only for 1 page) even if you disable it for the whole system. So in the end, you have better protection than you have today with this series.... -Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists