On Thu, 2008-02-14 at 12:24 -0500, Dave Jones wrote: > On Thu, Feb 14, 2008 at 11:09:52AM -0500, Eric Paris wrote: > > Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR > > Kconfig option. In the past I tried to get this enabled by default > > using sysctl, a fedora kernel patch, and now I've got the Kconfig option > > in the upstream kernel. Lets set this equal to 65536. I've been > > running with this setting on my F8 laptop for some time and haven't seen > > any problems (although I do know that dosemu may be an issue for both of > > the people in the world who use it, there also may be some virt issues > > that I don't know about but which can be very quickly and easily sorted > > out) > > > > This sysctl hardens the kernel against null pointer bugs. Remember the > > priv escalation that was all the news last weekend? Not an issue with > > this enabled! > > > > http://www.avertlabs.com/research/blog/index.php/2008/02/13/analyzing-the-linux-kernel-vmsplice-exploit/ > > I'm more concerned about wine than dosemu. That also uses vm86 afaik. > Setting it to !0 on non-x86 builds sounds like it's a safe thing to do however. > > Dave My (minimal) testing of wine indicated that it did try to make use of mapping the low pages but it still worked when it couldn't map them. I ask Dan to go ahead and allowed wine to map those pages in selinux policy, but in the selinux=0 case it might cause some problems. I guess I should bring it up with the wine community to get a better understanding of exactly why they are trying to map those pages and how it handles those failures (in my case it handled them quite nicely) -Eric _______________________________________________ Fedora-kernel-list mailing list Fedora-kernel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-kernel-list
