Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR Kconfig option. In the past I tried to get this enabled by default using sysctl, a fedora kernel patch, and now I've got the Kconfig option in the upstream kernel. Let's set this equal to 65536. I've been running with this setting on my F8 laptop for some time and haven't seen any problems (although I do know that dosemu may be an issue for both of the people in the world who use it, there also may be some virt issues that I don't know about but which can be very quickly and easily sorted out)
This sysctl hardens the kernel against null pointer bugs. Remember the priv escalation that was all the news last weekend? Not an issue with this enabled!
http://www.avertlabs.com/research/blog/index.php/2008/02/13/analyzing-the-li...
-Eric
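An added check, not part of the message above or of any Fedora package: a small C program that reads the vm.mmap_min_addr sysctl behind this Kconfig default and asks the kernel for a fixed mapping at page 0, so you can confirm the floor is actually enforced for the calling process. The function names (read_mmap_min_addr, probe_fixed_map, classify) are hypothetical, and it assumes a Linux system with /proc mounted.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper names; none of this comes from the thread. */
enum verdict { UNKNOWN, DISABLED, ENFORCED, BYPASSED };

/* Current vm.mmap_min_addr in bytes, or -1 if it cannot be read. */
long read_mmap_min_addr(void)
{
    long v = -1;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Ask for one anonymous page at exactly addr. Returns 0 if the kernel
 * allowed it (the page is unmapped again at once), otherwise errno. */
int probe_fixed_map(unsigned long addr)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, len);
    return 0;
}

/* Combine the configured floor with the observed result for page 0. */
enum verdict classify(long min_addr, int probe_errno)
{
    if (min_addr < 0)
        return UNKNOWN;
    if (min_addr == 0)
        return DISABLED;
    /* A floor is set: success means this process is exempt from it,
     * e.g. it holds CAP_SYS_RAWIO. */
    return probe_errno ? ENFORCED : BYPASSED;
}

int main(void)
{
    static const char *names[] = { "unknown", "disabled", "enforced", "bypassed" };
    long min = read_mmap_min_addr();
    int err = probe_fixed_map(0);
    printf("mmap_min_addr=%ld errno=%d: %s\n", min, err, names[classify(min, err)]);
    return 0;
}
```

Run it as the unprivileged user or service account you care about; "bypassed" for a given process means the floor does not apply to it even though the sysctl is non-zero.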
On Thu, Feb 14, 2008 at 11:09:52AM -0500, Eric Paris wrote:
> Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR Kconfig option. In the past I tried to get this enabled by default using sysctl, a fedora kernel patch, and now I've got the Kconfig option in the upstream kernel. Let's set this equal to 65536. I've been running with this setting on my F8 laptop for some time and haven't seen any problems (although I do know that dosemu may be an issue for both of the people in the world who use it, there also may be some virt issues that I don't know about but which can be very quickly and easily sorted out)
> This sysctl hardens the kernel against null pointer bugs. Remember the priv escalation that was all the news last weekend? Not an issue with this enabled!
> http://www.avertlabs.com/research/blog/index.php/2008/02/13/analyzing-the-li...
I'm more concerned about wine than dosemu. That also uses vm86 afaik. Setting it to !0 on non-x86 builds sounds like it's a safe thing to do however.
Dave
On Thu, 2008-02-14 at 12:24 -0500, Dave Jones wrote:
> On Thu, Feb 14, 2008 at 11:09:52AM -0500, Eric Paris wrote:
> > Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR Kconfig option. In the past I tried to get this enabled by default using sysctl, a fedora kernel patch, and now I've got the Kconfig option in the upstream kernel. Let's set this equal to 65536. I've been running with this setting on my F8 laptop for some time and haven't seen any problems (although I do know that dosemu may be an issue for both of the people in the world who use it, there also may be some virt issues that I don't know about but which can be very quickly and easily sorted out)
> > This sysctl hardens the kernel against null pointer bugs. Remember the priv escalation that was all the news last weekend? Not an issue with this enabled!
> > http://www.avertlabs.com/research/blog/index.php/2008/02/13/analyzing-the-li...
> I'm more concerned about wine than dosemu. That also uses vm86 afaik. Setting it to !0 on non-x86 builds sounds like it's a safe thing to do however.
> Dave
My (minimal) testing of wine indicated that it did try to make use of mapping the low pages but it still worked when it couldn't map them. I asked Dan to go ahead and allow wine to map those pages in selinux policy, but in the selinux=0 case it might cause some problems.
I guess I should bring it up with the wine community to get a better understanding of exactly why they are trying to map those pages and how it handles those failures (in my case it handled them quite nicely)
-Eric
On Thu, Feb 14, 2008 at 12:29:18PM -0500, Eric Paris wrote:
> My (minimal) testing of wine indicated that it did try to make use of mapping the low pages but it still worked when it couldn't map them
Hmm. Graceful fallback is good, but I wonder if it's now using a slower path or something.
> I guess I should bring it up with the wine community to get a better understanding of exactly why they are trying to map those pages and how it handles those failures (in my case it handled them quite nicely)
Well, let's set it to 0 across all archs, and see if anything else stops working. Hopefully this is the extent of the breakage.
Dave
On Thu, 14 Feb 2008 12:29:18 -0500 Eric Paris eparis@redhat.com wrote:
> I guess I should bring it up with the wine community to get a better understanding of exactly why they are trying to map those pages and how it handles those failures (in my case it handled them quite nicely)
Keep me in the loop on this. Would be nice to stay ahead of bug reports =)
Thanks, Andreas
On Thu, 14 Feb 2008 12:29:18 -0500 Eric Paris eparis@redhat.com wrote:
> My (minimal) testing of wine indicated that it did try to make use of mapping the low pages but it still worked when it couldn't map them. I asked Dan to go ahead and allow wine to map those pages in selinux policy, but in the selinux=0 case it might cause some problems.
See https://bugzilla.redhat.com/show_bug.cgi?id=433641...
- Andreas
On Thu, 2008-02-14 at 11:09 -0500, Eric Paris wrote:
> Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR Kconfig option. In the past I tried to get this enabled by default using sysctl, a fedora kernel patch, and now I've got the Kconfig option in the upstream kernel. Let's set this equal to 65536. I've been running with this setting on my F8 laptop for some time and haven't seen any problems (although I do know that dosemu may be an issue for both of the people in the world who use it, there also may be some virt issues that I don't know about but which can be very quickly and easily sorted out)
Ack from me. Both X and vbetool use x86emu instead of vm86 in F9, so I don't need vm86 mode to work.
- ajax
On Thu, 14 Feb 2008, Adam Jackson wrote:
> On Thu, 2008-02-14 at 11:09 -0500, Eric Paris wrote:
> > Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR Kconfig option. In the past I tried to get this enabled by default using sysctl, a fedora kernel patch, and now I've got the Kconfig option in the upstream kernel. Let's set this equal to 65536. I've been running with this setting on my F8 laptop for some time and haven't seen any problems (although I do know that dosemu may be an issue for both of the people in the world who use it, there also may be some virt issues that I don't know about but which can be very quickly and easily sorted out)
> Ack from me. Both X and vbetool use x86emu instead of vm86 in F9, so I don't need vm86 mode to work.
Looks like SELinux policy provides the mmap_zero perm to 'xserver', which bypasses the check, and we should not need this now.
- James
kernel@lists.fedoraproject.org