| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.DEB.1.10.0907221141570.17465@gentwo.org> Date: Wed, 22 Jul 2009 11:42:32 -0400 (EDT) From: Christoph Lameter <cl@...ux-foundation.org> To: James Morris <jmorris@...ei.org> cc: Eric Paris <eparis@...hat.com>, linux-kernel@...r.kernel.org, selinux@...ho.nsa.gov, linux-security-module@...r.kernel.org, sds@...ho.nsa.gov, spender@...ecurity.net, dwalsh@...hat.com, arjan@...radead.org, alan@...rguk.ukuu.org.uk, kyle@...artin.ca, cpardy@...hat.com, arnd@...db.de Subject: Re: [PATCH -v2 1/2] VM/SELinux: require CAP_SYS_RAWIO for all mmap_zero operations On Wed, 22 Jul 2009, James Morris wrote: > On Tue, 21 Jul 2009, Eric Paris wrote: > > > error = security_file_mmap(file, reqprot, prot, flags, addr, 0); > > if (error) > > return error; > > + > > + if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO)) > > + return -EACCES; > > + > > These DAC checks should happen before the LSM hook, in keeping with the > general design goal of LSM of "DAC before MAC", so that application > behavior remains as consistent as possible. Could they be moved out of core code? mmap_min_addr is already a strange feature. Now we adding something on top of it. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists