[oe] some possible fixes in the OE web pages

Robert P. J. Day rpjday at crashcourse.ca
Thu May 13 12:20:46 UTC 2010


On Thu, 13 May 2010, Roman I Khimov wrote:

... mmap_min_addr stuff snipped ...

> The real solution is in the kernel, it should be fixed for latest
> Ubuntu and hopefully Fedora will catch up on this issue too.
>
> http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commitdiff;h=822cceec7248013821d655545ea45d1c6a9d15b3
>
> Interesting that openSUSE with 2.6.31 kernel doesn't have such
> problems... And our main build machine with Debian stable + 2.6.30
> kernel works fine too. Probably this check got introduced in 2.6.32.

  not sure which kernel *version* it showed up in, but it appears to
be a result of this commit from nov of last year (which you can see
ended up being unnecessarily restrictive -- d'oh!):

commit 0e1a6ef2dea88101b056b6d9984f3325c5efced3
Author: Kees Cook <kees.cook at canonical.com>
Date:   Sun Nov 8 09:37:00 2009 -0800

    sysctl: require CAP_SYS_RAWIO to set mmap_min_addr

    Currently the mmap_min_addr value can only be bypassed during mmap when
    the task has CAP_SYS_RAWIO.  However, the mmap_min_addr sysctl value itself
    can be adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO.
    This patch adds a check for the capability before allowing mmap_min_addr to
    be changed.

    Signed-off-by: Kees Cook <kees.cook at canonical.com>
    Acked-by: Serge Hallyn <serue at us.ibm.com>
    Signed-off-by: James Morris <jmorris at namei.org>

diff --git a/security/min_addr.c b/security/min_addr.c
index c844eed..fc43c9d 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -33,6 +33,9 @@ int mmap_min_addr_handler(struct ctl_table *table,
int write,
 {
        int ret;

+       if (!capable(CAP_SYS_RAWIO))
+               return -EPERM;
+
        ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);

        update_mmap_min_addr();
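
Review bot: the new check at the top of mmap_min_addr_handler() ignores the `write` argument that the handler receives, so it fires on reads as well as writes: an unprivileged task that merely reads the sysctl (the proc file is world-readable, so open() succeeds and the read() path reaches this handler) now gets -EPERM instead of the value. The commit message only claims to stop the value being *changed* without CAP_SYS_RAWIO, so the condition should be narrowed to `if (write && !capable(CAP_SYS_RAWIO))` and the message should say that reads are unaffected; placing the check before proc_doulongvec_minmax() is otherwise correct, since it rejects the write before any value is parsed or applied.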


whereupon the security-related fix is, as was mentioned previously,
submitted here:

http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commitdiff;h=822cceec7248013821d655545ea45d1c6a9d15b3


rday

-- 

========================================================================
Robert P. J. Day                               Waterloo, Ontario, CANADA

            Linux Consulting, Training and Kernel Pedantry.

Web page:                                          http://crashcourse.ca
Twitter:                                       http://twitter.com/rpjday
========================================================================
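
As an added illustration (this is not code from the mail, from the kernel patch, or from OpenEmbedded), the C program below shows the userspace side of what the commit above changes. It reads `/proc/sys/vm/mmap_min_addr` and classifies a failure (a read that fails with `-EPERM` is exactly the symptom the first patch caused for non-root users), compares the value with a recommended floor, and optionally probes whether the kernel refuses a fixed mapping one page above NULL. The sysctl path and the `EPERM` behaviour of `mmap()` below the floor are real kernel behaviour; the 64 KiB floor, the function names, and the return-code conventions are this example's own choices. It assumes Linux with a POSIX libc.

```c
/* Added example, not part of the original mail or of the kernel patch:
 * a userspace self-check for the mmap_min_addr hardening discussed above.
 * Assumed: Linux, POSIX libc. Function names and the recommended floor are
 * this example's own conventions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define MIN_ADDR_SYSCTL "/proc/sys/vm/mmap_min_addr"
#define RECOMMENDED_MIN_ADDR 65536UL   /* 64 KiB, the usual distro default */

/* Parse the text form of the sysctl ("65536\n"). Returns -1 on anything
 * that is not a plain non-negative decimal number. */
long parse_min_addr(const char *text)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (end == text || errno != 0)
        return -1;
    while (*end == ' ' || *end == '\n' || *end == '\t')
        end++;
    if (*end != '\0')
        return -1;
    if (v > LONG_MAX)               /* also catches "-5", which strtoul accepts */
        return -1;
    return (long)v;
}

/* Read the sysctl. Returns its value, or -errno when open() or read() fails.
 * Under the first patch above, open() succeeds (the file is 0644) but read()
 * fails with EPERM for a task without CAP_SYS_RAWIO. */
long read_mmap_min_addr(void)
{
    char buf[64];
    int fd = open(MIN_ADDR_SYSCTL, O_RDONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    int saved = errno;
    close(fd);
    if (n < 0)
        return -saved;
    buf[n] = '\0';
    long v = parse_min_addr(buf);
    return v < 0 ? -EINVAL : v;
}

/* Human-readable verdict for a read_mmap_min_addr() result. */
const char *classify_read(long r)
{
    if (r >= 0)       return "readable";
    if (r == -EPERM)  return "read denied: handler demands CAP_SYS_RAWIO even for reads";
    if (r == -ENOENT) return "sysctl absent: not Linux, or kernel built without it";
    if (r == -EINVAL) return "unparseable value";
    return "other error";
}

/* 0 = meets the recommended floor; 1 = below it (0 means no protection). */
int evaluate_policy(long min_addr)
{
    return min_addr >= (long)RECOMMENDED_MIN_ADDR ? 0 : 1;
}

/* Probe whether the floor is enforced for this task: request one anonymous
 * page at a fixed address one page above NULL, which lies below min_addr.
 * Returns 0 if the kernel refuses with EPERM (enforced), 1 if it grants the
 * mapping (not enforced for this task, e.g. it holds CAP_SYS_RAWIO; the page
 * is released immediately), -1 on an unrelated error, and -2 when min_addr is
 * too small for a probe that stays clear of page zero. */
int low_mapping_probe(long min_addr)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || min_addr < 2 * page)
        return -2;
    void *want = (void *)(uintptr_t)page;
    int flags = MAP_PRIVATE | MAP_ANONYMOUS;
#ifdef MAP_FIXED_NOREPLACE
    flags |= MAP_FIXED_NOREPLACE;      /* never clobber an existing mapping */
#else
    flags |= MAP_FIXED;
#endif
    void *p = mmap(want, (size_t)page, PROT_READ, flags, -1, 0);
    if (p == MAP_FAILED)
        return errno == EPERM ? 0 : -1;
    munmap(p, (size_t)page);
    return p == want ? 1 : -1;
}

int main(void)
{
    long v = read_mmap_min_addr();
    printf("%s: %s\n", MIN_ADDR_SYSCTL, classify_read(v));
    if (v < 0)
        return 2;
    printf("value %ld: %s\n", v,
           evaluate_policy(v) == 0 ? "ok" : "below recommended floor");
    printf("low mapping probe: %d (0 = enforced)\n", low_mapping_probe(v));
    return evaluate_policy(v);
}
```

Run as an unprivileged build user: on a kernel carrying only the first patch the program stops at "read denied", which is the failure mode the thread describes; on a kernel with the follow-up fix it reads the value and reports whether the floor is in force for the calling task.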




More information about the Openembedded-devel mailing list