Re: mmap_min_addr and your local LSM (ok, just SELinux)

From: Kyle McMartin
Date: Tue Jul 21 2009 - 00:14:07 EST


On Mon, Jul 20, 2009 at 07:23:43PM -0400, Eric Paris wrote:
> With SELinux mapping the 0 page requires an SELinux policy permission,
> mmap_zero. Without SELinux mapping the 0 page requires CAP_SYS_RAWIO.
> Note that CAP_SYS_RAWIO roughly translates to uid=0 since no one really
> does interesting things with capabilities.
>
[...]
> I believe (from reading mailing lists) if you install WINE on Ubuntu it
> automatically disables these protections. Thus installing wine on
> Ubuntu disables ALL hardening gains of the mmap_min_addr.
>
[...]
> So on a non-SELinux system users would end up with exactly what they
> have today. If you want to run WINE as a normal user you have to set
> mmap_min_addr = 0 and then you no longer need CAP_SYS_RAWIO. Not much
> else we can do if your distro doesn't support fine-grained permissions.
>

Why do we not add a personality flag for this? With that, at least you
could require a harmless setuid wrapper for wine that just set the
personality bits and dropped root.

That at least would allow the people not shipping SELinux by default,
(which, really, is everyone but us, afaik...) to at least avoid having
to wholesale disable the mmap_min_addr protections, which seems unduly
harsh... (If they're doing this without consulting the user, then, wow,
that's just anti-social...)

Of course, I might be missing the plot entirely here.

(Or, as someone else pointed out, force people to run this crap in a
VM. ;-)

regards, Kyle
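
Added example, not part of the original message or of the kernel tree: a small C audit check that reports how the rule quoted above (mapping page 0 needs CAP_SYS_RAWIO or the SELinux mmap_zero permission unless mmap_min_addr is 0) applies to the calling process. The function and enum names are this example's own, and treating EPERM/EACCES as the denial codes is an assumption of the example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

enum verdict { PROTECTED, EXEMPT_CALLER, DISABLED, INCONCLUSIVE };

/* Parse the decimal text of /proc/sys/vm/mmap_min_addr; -1 if malformed. */
long parse_min_addr(const char *text) {
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (errno || end == text || (*end != '\n' && *end != '\0'))
        return -1;
    return (long)v;
}

/* Try a fixed one-page PROT_NONE mapping at address 0; return 0 or errno. */
int probe_zero_page(void) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, pg, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, pg);   /* release immediately; this is only a policy probe */
    return 0;
}

/* Combine the sysctl value with the probe result for this process. */
enum verdict classify(long min_addr, int map_errno) {
    if (min_addr < 0)   return INCONCLUSIVE;   /* sysctl unreadable */
    if (min_addr == 0)  return DISABLED;       /* no floor for any user */
    if (map_errno == 0) return EXEMPT_CALLER;  /* CAP_SYS_RAWIO or mmap_zero */
    if (map_errno == EPERM || map_errno == EACCES) return PROTECTED;
    return INCONCLUSIVE;
}

int main(void) {
    static const char *name[] = { "protected", "exempt caller", "disabled", "inconclusive" };
    char buf[32] = "";
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
    long min_addr = parse_min_addr(buf);
    printf("mmap_min_addr=%ld: %s\n", min_addr, name[classify(min_addr, probe_zero_page())]);
    return 0;
}
```

A "disabled" verdict is the state the thread attributes to setting mmap_min_addr = 0 for WINE; "exempt caller" from an unprivileged account means a policy or capability grant worth reviewing.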