OpenCloudOS-Kernel/security
Kees Cook 4ae69e6b71 mmap_min_addr check CAP_SYS_RAWIO only for write
Redirecting directly to lsm, here's the patch discussed on lkml:
http://lkml.org/lkml/2010/4/22/219

The mmap_min_addr value is useful information for an admin to see without
being root ("is my system vulnerable to kernel NULL pointer attacks?") and
its setting is trivially easy for an attacker to determine by calling
mmap() in PAGE_SIZE increments starting at 0, so trying to keep it private
has no value.

Only require CAP_SYS_RAWIO if changing the value, not reading it.

Comment from Serge :

  Me, I like to write my passwords with light blue pen on dark blue
  paper, pasted on my window - if you're going to get my password, you're
  gonna get a headache.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
(cherry picked from commit 822cceec72)
2010-05-14 19:03:15 +10:00
..
integrity/ima include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
keys KEYS: call_sbin_request_key() must write lock keyrings before modifying them 2010-05-05 23:50:24 +10:00
selinux SELinux: Reduce max avtab size to avoid page allocation failures 2010-04-15 09:26:01 +10:00
smack include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
tomoyo include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
Kconfig remove CONFIG_SECURITY_FILE_CAPABILITIES compile option 2009-11-24 15:06:47 +11:00
Makefile NOMMU: Optimise away the {dac_,}mmap_min_addr tests 2009-12-17 09:25:19 +11:00
capability.c Security: add static to security_ops and default_security_ops variable 2010-02-24 08:11:02 +11:00
commoncap.c syslog: clean up needless comment 2010-02-05 17:48:51 +11:00
device_cgroup.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
inode.c security: testing the wrong variable in create_by_name() 2010-04-22 21:17:41 +10:00
lsm_audit.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
min_addr.c mmap_min_addr check CAP_SYS_RAWIO only for write 2010-05-14 19:03:15 +10:00
security.c Merge branch 'next' into for-linus 2010-03-01 09:36:31 +11:00