Re: enable CONFIG_SECURITY_MMAP_MIN_ADDR
On Thu, 14 Feb 2008, Adam Jackson wrote: > On Thu, 2008-02-14 at 11:09 -0500, Eric Paris wrote: > > Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR > > Kconfig option. In the past I tried to get this enabled by default > > using sysctl, a fedora kernel patch, and now I've got the Kconfig option > > in the upstream kernel. Lets set this equal to 65536. I've been > > running with this setting on my F8 laptop for some time and haven't seen > > any problems (although I do know that dosemu may be an issue for both of > > the people in the world who use it, there also may be some virt issues > > that I don't know about but which can be very quickly and easily sorted > > out) > > Ack from me. Both X and vbetool use x86emu instead of vm86 in F9, so I > don't need vm86 mode to work. Looks like SELinux policy provides the mmap_zero perm to 'xserver', which bypasses the check, and we should not need this now. - James -- James Morris <[EMAIL PROTECTED]> ___ Fedora-kernel-list mailing list Fedora-kernel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-kernel-list
Re: enable CONFIG_SECURITY_MMAP_MIN_ADDR
On Thu, 2008-02-14 at 11:09 -0500, Eric Paris wrote: > Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR > Kconfig option. In the past I tried to get this enabled by default > using sysctl, a fedora kernel patch, and now I've got the Kconfig option > in the upstream kernel. Lets set this equal to 65536. I've been > running with this setting on my F8 laptop for some time and haven't seen > any problems (although I do know that dosemu may be an issue for both of > the people in the world who use it, there also may be some virt issues > that I don't know about but which can be very quickly and easily sorted > out) Ack from me. Both X and vbetool use x86emu instead of vm86 in F9, so I don't need vm86 mode to work. - ajax ___ Fedora-kernel-list mailing list Fedora-kernel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-kernel-list
Re: enable CONFIG_SECURITY_MMAP_MIN_ADDR
On Thu, Feb 14, 2008 at 12:29:18PM -0500, Eric Paris wrote: > My (minimal) testing of wine indicated that it did try to make use of > mapping the low pages but it still worked when it couldn't map them Hmm. Graceful fallback is good, but I wonder if it's now using a slower path or something. > I guess I should bring it up with the wine community to get a better > understanding of exactly why they are trying to map those pages and how > it handles those failures (in my case it handled them quite nicely) Well lets set it to 0 across all archs, and see if anything else stops working. Hopefully this is the extent of the breakage. Dave -- http://www.codemonkey.org.uk ___ Fedora-kernel-list mailing list Fedora-kernel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-kernel-list
Re: enable CONFIG_SECURITY_MMAP_MIN_ADDR
On Thu, 2008-02-14 at 12:24 -0500, Dave Jones wrote: > On Thu, Feb 14, 2008 at 11:09:52AM -0500, Eric Paris wrote: > > Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR > > Kconfig option. In the past I tried to get this enabled by default > > using sysctl, a fedora kernel patch, and now I've got the Kconfig option > > in the upstream kernel. Lets set this equal to 65536. I've been > > running with this setting on my F8 laptop for some time and haven't seen > > any problems (although I do know that dosemu may be an issue for both of > > the people in the world who use it, there also may be some virt issues > > that I don't know about but which can be very quickly and easily sorted > > out) > > > > This sysctl hardens the kernel against null pointer bugs. Remember the > > priv escalation that was all the news last weekend? Not an issue with > > this enabled! > > > > > http://www.avertlabs.com/research/blog/index.php/2008/02/13/analyzing-the-linux-kernel-vmsplice-exploit/ > > I'm more concerned about wine than dosemu. That also uses vm86 afaik. > Setting it to !0 on non-x86 builds sounds like it's a safe thing to do > however. > > Dave My (minimal) testing of wine indicated that it did try to make use of mapping the low pages but it still worked when it couldn't map them. I ask Dan to go ahead and allowed wine to map those pages in selinux policy, but in the selinux=0 case it might cause some problems. I guess I should bring it up with the wine community to get a better understanding of exactly why they are trying to map those pages and how it handles those failures (in my case it handled them quite nicely) -Eric ___ Fedora-kernel-list mailing list Fedora-kernel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-kernel-list
Re: enable CONFIG_SECURITY_MMAP_MIN_ADDR
On Thu, Feb 14, 2008 at 11:09:52AM -0500, Eric Paris wrote: > Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR > Kconfig option. In the past I tried to get this enabled by default > using sysctl, a fedora kernel patch, and now I've got the Kconfig option > in the upstream kernel. Lets set this equal to 65536. I've been > running with this setting on my F8 laptop for some time and haven't seen > any problems (although I do know that dosemu may be an issue for both of > the people in the world who use it, there also may be some virt issues > that I don't know about but which can be very quickly and easily sorted > out) > > This sysctl hardens the kernel against null pointer bugs. Remember the > priv escalation that was all the news last weekend? Not an issue with > this enabled! > > http://www.avertlabs.com/research/blog/index.php/2008/02/13/analyzing-the-linux-kernel-vmsplice-exploit/ I'm more concerned about wine than dosemu. That also uses vm86 afaik. Setting it to !0 on non-x86 builds sounds like it's a safe thing to do however. Dave -- http://www.codemonkey.org.uk ___ Fedora-kernel-list mailing list Fedora-kernel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-kernel-list
enable CONFIG_SECURITY_MMAP_MIN_ADDR
Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR Kconfig option. In the past I tried to get this enabled by default using sysctl, a fedora kernel patch, and now I've got the Kconfig option in the upstream kernel. Lets set this equal to 65536. I've been running with this setting on my F8 laptop for some time and haven't seen any problems (although I do know that dosemu may be an issue for both of the people in the world who use it, there also may be some virt issues that I don't know about but which can be very quickly and easily sorted out) This sysctl hardens the kernel against null pointer bugs. Remember the priv escalation that was all the news last weekend? Not an issue with this enabled! http://www.avertlabs.com/research/blog/index.php/2008/02/13/analyzing-the-linux-kernel-vmsplice-exploit/ -Eric ___ Fedora-kernel-list mailing list Fedora-kernel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-kernel-list
Re: rawhide & -debug
An idea that was tossed around was to do something similar to what we do in release builds, and offer separate debug/nodebug builds. But instead of how we do it in releases, do the opposite, and have a -nodebug build, whilst keeping the regular kernel debug-turned-on to maximise coverage testing. Personally, I'd like to see this but let's face it, we always will have situations where changing the timing of the kernel execution causes bugs to come-and-go. I guess there may have to be a certain amount of debug we have to live with. P. Dave ___ Fedora-kernel-list mailing list Fedora-kernel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-kernel-list