On 10/24/2016 10:42 AM, Judd Meinders wrote: > On Mon, Oct 24, 2016 at 9:35 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: >> >> On 10/21/2016 06:20 PM, Robert Lee wrote: >>> Given the unpleasant nature of CVE-2016-5195, would an SELinux confined >>> application that exploited the Dirty COW vulnerability be capable also >>> of escaping domain enforcement? >>> >>> Hopefully my question is not ambiguous. >>> >>> Thanks in advance. >> >> Sorry, SELinux can't help with CVE-2016-5195. > > Couldn't SELinux help reduce the attack surface. From the small > amount of testing I have conducted, it looks like the attacker is > required to be able to read the file or object they are trying to > manipulate. If MAC denies read, the attack doesn't work right? > > Please let me know if I'm mistaken. For files, yes (but plenty of files that must be normally readable can be written via it). Doesn't help at all for vDSO-based root. SELinux ptrace checks are also not useful here because introspection is always allowed by the kernel (whether or not that is a good idea is open to debate). _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
