Date: Wed, 3 Jun 2009 22:07:39 +0100
From: Alan Cox
To: Christoph Lameter
Cc: Linus Torvalds, "Larry H.", linux-mm@kvack.org, Rik van Riel, linux-kernel@vger.kernel.org, pageexec@freemail.hu
Subject: Re: Security fix for remapping of page 0 (was [PATCH] Change ZERO_SIZE_PTR to point at unmapped space)
Message-ID: <20090603220739.1f6fb518@lxorguk.ukuu.org.uk>

> > You need it in the default (no security) version of security_file_mmap()
> > in security.h not hard coded into do_mmap_pgoff, and leave the one in
> > cap_* alone.
>
> But that would still leave it up to the security "models" to check
> for basic security issues.

Correct. You have no knowledge of the policy at the higher level. In the
SELinux case security labels are used to identify code which is permitted
to map low pages. That means the root/RAW_IO security sledgehammer can be
replaced with a more secure labelling system.

Other policy systems might do it on namespaces (perhaps /bin and /usr/bin
mapping zero OK, /home not etc)
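A userspace C model of the layering described in this message, added here as an illustration and not taken from the kernel or from the thread: the mmap path only calls a hook, and each policy (capability default, label-based, path-based) decides on low mappings itself. The type and function names, the MIN_ADDR value and the label `low_map_t` are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only: hypothetical names, not kernel code. */
#define MIN_ADDR 65536UL        /* constructed floor below which a mapping is "low" */

struct task {
    bool cap_sys_rawio;         /* the root/RAW_IO privilege */
    const char *label;          /* security label, used by the label policy */
    const char *exe_path;       /* executable path, used by the path policy */
};

/* One hook type: the generic mmap path calls it and never decides by itself. */
typedef int (*file_mmap_hook)(const struct task *t, unsigned long addr);

/* Default (no security module): the capability check is the whole policy. */
static int default_file_mmap(const struct task *t, unsigned long addr)
{
    return (addr < MIN_ADDR && !t->cap_sys_rawio) ? -1 : 0;
}

/* Label-based policy: privilege is irrelevant, only the label counts. */
static int label_file_mmap(const struct task *t, unsigned long addr)
{
    if (addr >= MIN_ADDR)
        return 0;
    return (t->label && strcmp(t->label, "low_map_t") == 0) ? 0 : -1;
}

/* Path-based policy: binaries under /bin or /usr/bin may map low pages. */
static int path_file_mmap(const struct task *t, unsigned long addr)
{
    if (addr >= MIN_ADDR)
        return 0;
    if (!t->exe_path)
        return -1;
    return (strncmp(t->exe_path, "/bin/", 5) == 0 ||
            strncmp(t->exe_path, "/usr/bin/", 9) == 0) ? 0 : -1;
}

/* Stand-in for the mmap path: no address policy here, only the hook call. */
static int model_mmap(file_mmap_hook hook, const struct task *t, unsigned long addr)
{
    return hook(t, addr);
}

int main(void)
{
    struct task priv = { true, "user_t", "/home/u/a.out" };  /* constructed sample */
    printf("default=%d label=%d path=%d\n", model_mmap(default_file_mmap, &priv, 0),
           model_mmap(label_file_mmap, &priv, 0), model_mmap(path_file_mmap, &priv, 0));
    return 0;
}
```

A privileged task with the wrong label or path is allowed by the default hook and refused by both policy hooks, which is the difference a check hard-coded in the mmap path could not express.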