>
> The kernel makes the decision on what is valid via security_mmap_addr().
> Assuming there are no security fears of an untrusted application
> tricking some priviledged application to set up these maps the answer is
> just calling security_mmap_addr() instead of doing if(addr <
> mmap_min_addr)
Quoting Cyrill Gorcunov (gorcu...@openvz.org):
> > The kernel makes the decision on what is valid via security_mmap_addr().
> > Assuming there are no security fears of an untrusted application
> > tricking some priviledged application to set up these maps the answer is
> > just calling security_mma
On Mon, Dec 31, 2012 at 10:20:47AM -0500, Eric Paris wrote:
>
> Is there anything which prevents an unpriv application from changing
> mm.mm_start_code and mm.mm_end_code in the image, thus taking advantage
> of the privileged restore code to bypass the mmap_min_addr
> restrictions?
Well, you ca
On Mon, 2012-12-31 at 19:13 +0400, Cyrill Gorcunov wrote:
> On Mon, Dec 31, 2012 at 09:27:14AM -0500, Eric Paris wrote:
> > On Mon, 2012-12-31 at 14:14 +0400, Andrew Vagin wrote:
> > > On Sun, Dec 30, 2012 at 05:03:07PM -0500, Eric Paris wrote:
> > > > On Sat, 2012-12-29 at 15:00 +0400, Andrey Vagi
On Mon, Dec 31, 2012 at 09:27:14AM -0500, Eric Paris wrote:
> On Mon, 2012-12-31 at 14:14 +0400, Andrew Vagin wrote:
> > On Sun, Dec 30, 2012 at 05:03:07PM -0500, Eric Paris wrote:
> > > On Sat, 2012-12-29 at 15:00 +0400, Andrey Vagin wrote:
> > > > The address should be bigger than dac_mmap_min_ad
On Mon, 2012-12-31 at 14:14 +0400, Andrew Vagin wrote:
> On Sun, Dec 30, 2012 at 05:03:07PM -0500, Eric Paris wrote:
> > On Sat, 2012-12-29 at 15:00 +0400, Andrey Vagin wrote:
> > > The address should be bigger than dac_mmap_min_addr, because
> > > a process with CAP_RAWIO can map a vma bellow mmap
On Sun, Dec 30, 2012 at 05:03:07PM -0500, Eric Paris wrote:
> On Sat, 2012-12-29 at 15:00 +0400, Andrey Vagin wrote:
> > The address should be bigger than dac_mmap_min_addr, because
> > a process with CAP_RAWIO can map a vma bellow mmap_min_addr.
>
> NAK
Currently prctl(PR_SET_MM_*, addr, ) retur
On Sat, 2012-12-29 at 15:00 +0400, Andrey Vagin wrote:
> The address should be bigger than dac_mmap_min_addr, because
> a process with CAP_RAWIO can map a vma bellow mmap_min_addr.
NAK
This doesn't make any sense. dac_mmap_min_addr should ONLY be used in
security/min_addr.c and security/commonca
The address should be bigger than dac_mmap_min_addr, because
a process with CAP_RAWIO can map a vma bellow mmap_min_addr.
Cc: Andrew Morton
Cc: Kees Cook
Cc: Cyrill Gorcunov
Cc: Serge Hallyn
Cc: "Eric W. Biederman"
Cc: Eric Paris
Cc: James Morris
Signed-off-by: Andrey Vagin
---
kernel/sys
9 matches
Mail list logo
