Date: Tue, 21 Jul 2009 00:13:11 -0400
From: Kyle McMartin <kyle@...artin.ca>
To: Eric Paris <eparis@...hat.com>
Cc: linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov, sds@...ho.nsa.gov, jmorris@...ei.org, spender@...ecurity.net, dwalsh@...hat.com, cl@...ux-foundation.org, arjan@...radead.org, alan@...rguk.ukuu.org.uk
Subject: Re: mmap_min_addr and your local LSM (ok, just SELinux)

On Mon, Jul 20, 2009 at 07:23:43PM -0400, Eric Paris wrote:
> With SELinux mapping the 0 page requires an SELinux policy permission,
> mmap_zero. Without SELinux mapping the 0 page requires CAP_SYS_RAWIO.
> Note that CAP_SYS_RAWIO roughly translates to uid=0 since no one really
> does interesting things with capabilities.
> [...]
> I believe (from reading mailing lists) if you install WINE on ubuntu it
> automatically disables these protections. Thus installing wine on
> ubuntu disables ALL hardening gains of the mmap_min_addr.
> [...]
> So on a non-SELinux system users would end up with exactly what they
> have today. If you want to run WINE as a normal user you have to set
> mmap_min_addr = 0 and then you no longer need CAP_SYS_RAWIO. Not much
> else we can do if your distro doesn't support fine grained permissions.
>

Why do we not add a personality flag for this? With that, at least you
could require a harmless setuid wrapper for wine that just set the
personality bits and dropped root.

That at least would allow the people not shipping SELinux by default
(which, really, is everyone but us, afaik...) to at least avoid having
to whole-sale disable the mmap_min_addr protections, which seems unduly
harsh... (If they're doing this without consulting the user, then, wow,
that's just anti-social...)

Of course, I might be missing the plot entirely here.

(Or, as someone else pointed out, force people to run this crap in a VM. ;-)

regards, Kyle

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/