[oe] some possible fixes in the OE web pages
Robert P. J. Day
rpjday at crashcourse.ca
Thu May 13 12:20:46 UTC 2010
On Thu, 13 May 2010, Roman I Khimov wrote:
... mmap_min_addr stuff snipped ...
> The real solution is in the kernel, it should be fixed for latest
> Ubuntu and hopefully Fedora will catch up on this issue too.
>
> http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commitdiff;h=822cceec7248013821d655545ea45d1c6a9d15b3
>
> Interesting that openSUSE with 2.6.31 kernel doesn't have such
> problems... And our main build machine with Debian stable + 2.6.30
> kernel works fine too. Probably this check got introduced in 2.6.32.
not sure which kernel *version* it showed up in, but it appears to
be a result of this commit from Nov of last year (which you can see
ended up being unnecessarily restrictive -- d'oh!):
commit 0e1a6ef2dea88101b056b6d9984f3325c5efced3
Author: Kees Cook <kees.cook at canonical.com>
Date: Sun Nov 8 09:37:00 2009 -0800
sysctl: require CAP_SYS_RAWIO to set mmap_min_addr
Currently the mmap_min_addr value can only be bypassed during mmap when
the task has CAP_SYS_RAWIO. However, the mmap_min_addr sysctl value itself
can be adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO.
This patch adds a check for the capability before allowing mmap_min_addr to
be changed.
Signed-off-by: Kees Cook <kees.cook at canonical.com>
Acked-by: Serge Hallyn <serue at us.ibm.com>
Signed-off-by: James Morris <jmorris at namei.org>
diff --git a/security/min_addr.c b/security/min_addr.c
index c844eed..fc43c9d 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -33,6 +33,9 @@ int mmap_min_addr_handler(struct ctl_table *table,
int write,
{
int ret;
+ if (!capable(CAP_SYS_RAWIO))
+ return -EPERM;
+
ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
update_mmap_min_addr();
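Review bot: the new check at the top of mmap_min_addr_handler() runs before `write` is consulted, so it returns -EPERM for reads of /proc/sys/vm/mmap_min_addr as well as for writes, while the commit message only describes preventing an unprivileged change to the value. Guard the write path only, e.g. `if (write && !capable(CAP_SYS_RAWIO))` / `return -EPERM;`, so that unprivileged readers can still see the threshold; that is the over-restriction the follow-up commit referenced below corrects.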
whereupon the security-related fix is, as was mentioned previously,
submitted here:
http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commitdiff;h=822cceec7248013821d655545ea45d1c6a9d15b3
rday
--
========================================================================
Robert P. J. Day Waterloo, Ontario, CANADA
Linux Consulting, Training and Kernel Pedantry.
Web page: http://crashcourse.ca
Twitter: http://twitter.com/rpjday
========================================================================
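To see the two effects discussed in this thread on a given machine, here is a small C probe. It is an added example, not code from the thread or from OpenEmbedded. It reads /proc/sys/vm/mmap_min_addr (the real sysctl path) and distinguishes a read refused with EPERM, which is what the over-restrictive handler above produces for an unprivileged process, from an ordinary value; it then tries a MAP_FIXED anonymous page at address 0 to show the mmap-side enforcement that needs CAP_SYS_RAWIO to bypass. The helper that feeds constructed sysctl text through the reader via a temp file assumes /tmp is writable; the enum and function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of reading the sysctl. */
enum read_result { READ_OK, READ_EPERM, READ_OTHER_ERROR, READ_BAD_VALUE };

/* Outcome of trying to place a page at a low address. */
enum probe_result { PROBE_ALLOWED, PROBE_REFUSED_EPERM, PROBE_OTHER_ERROR };

/* Parse the text form of the sysctl ("65536\n"). Returns -1 for anything
 * that is not a single non-negative decimal number. */
long parse_min_addr(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < 0)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n')
        end++;
    return *end == '\0' ? v : -1;
}

/* Read the sysctl from `path`. With the over-restrictive handler the open()
 * succeeds (the proc file is world-readable) and it is the read() that
 * fails with EPERM, so both system calls are checked separately. */
enum read_result read_min_addr(const char *path, long *value)
{
    char buf[64];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return (errno == EPERM || errno == EACCES) ? READ_EPERM : READ_OTHER_ERROR;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    int saved = errno;
    close(fd);
    if (n < 0)
        return saved == EPERM ? READ_EPERM : READ_OTHER_ERROR;
    buf[n] = '\0';
    long v = parse_min_addr(buf);
    if (v < 0)
        return READ_BAD_VALUE;
    *value = v;
    return READ_OK;
}

/* Feed constructed sysctl text through read_min_addr() via a temp file
 * (assumes /tmp is writable). Returns the value, or -1 unless READ_OK. */
long read_min_addr_from_text(const char *text)
{
    char path[] = "/tmp/mmap_min_addr_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, text, strlen(text)) != (ssize_t)strlen(text)) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    long v = -1;
    enum read_result r = read_min_addr(path, &v);
    unlink(path);
    return r == READ_OK ? v : -1;
}

/* Classify mmap()'s result: a fixed mapping below mmap_min_addr is refused
 * with EPERM unless the caller holds CAP_SYS_RAWIO. */
enum probe_result classify_probe(void *ret, int err)
{
    if (ret != MAP_FAILED)
        return PROBE_ALLOWED;
    return err == EPERM ? PROBE_REFUSED_EPERM : PROBE_OTHER_ERROR;
}

/* Try to place one anonymous page at `addr`; give it back if we got it. */
enum probe_result probe_low_mapping(unsigned long addr)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    enum probe_result r = classify_probe(p, errno);
    if (r == PROBE_ALLOWED)
        munmap(p, page);
    return r;
}

int main(void)
{
    long v = -1;
    enum read_result rr = read_min_addr("/proc/sys/vm/mmap_min_addr", &v);
    if (rr == READ_OK)
        printf("mmap_min_addr = %ld\n", v);
    else if (rr == READ_EPERM)
        printf("read of mmap_min_addr refused with EPERM (read-blocking check present)\n");
    else
        printf("could not read mmap_min_addr (result %d)\n", (int)rr);

    enum probe_result pr = probe_low_mapping(0);
    printf("MAP_FIXED page at address 0: %s\n",
           pr == PROBE_ALLOWED ? "allowed" :
           pr == PROBE_REFUSED_EPERM ? "refused (EPERM)" : "failed for another reason");
    return 0;
}
```

Run it once as an ordinary user and once as root: on a kernel carrying only the first commit the unprivileged run reports EPERM on the read itself, which is the regression the follow-up commit removes, while the mmap probe is refused with EPERM on any kernel unless the process has CAP_SYS_RAWIO (or mmap_min_addr is 0).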