Bug 534018

Summary: kernel: sysctl: require CAP_SYS_RAWIO to set mmap_min_addr [rhel-5.5]
Product: Red Hat Enterprise Linux 5
Reporter: Eugene Teo (Security Response) <eteo>
Component: kernel
Assignee: Cong Wang <amwang>
Status: CLOSED ERRATA
QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: medium
Priority: medium
Version: 5.5
CC: branto, dhoward, dzickus, eparis, eteo, jarod, jpirko, jskrabal, lwang, mgahagan, plyons, qcai, rkhan
Target Milestone: rc
Keywords: ZStream
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-03-30 07:29:37 UTC
Bug Blocks: 534019, 577206
Attachments: Reproducer for this bug. (Flags: none)

Description Eugene Teo (Security Response) 2009-11-10 06:06:59 UTC
Description of problem:
Currently the mmap_min_addr value can only be bypassed during mmap when the task has CAP_SYS_RAWIO.  However, the mmap_min_addr sysctl value itself can be adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO. This patch adds a check for the capability before allowing mmap_min_addr to be changed.

http://marc.info/?l=linux-security-module&m=125770306901859&w=2
http://marc.info/?l=linux-security-module&m=125771613220062&w=2

Proposed patch:
http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commitdiff;h=0e1a6ef2dea88101b056b6d9984f3325c5efced3

Comment 3 RHEL Program Management 2009-12-07 19:49:25 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 4 Qian Cai 2009-12-08 14:11:09 UTC
Is there a reproducer for this one?

Comment 5 Eric Paris 2009-12-08 14:14:56 UTC
No.  One could be written: write an suid app that drops CAP_SYS_RAWIO and then writes a new value into the proc file.  But nothing like that exists today.

Comment 6 Don Zickus 2009-12-14 19:29:33 UTC
in kernel-2.6.18-180.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Please update the appropriate value in the Verified field
(cf_verified) to indicate this fix has been successfully
verified. Include a comment with verification details.

Comment 8 Boris Ranto 2010-03-11 16:36:46 UTC
Created attachment 399386
Reproducer for this bug.

This C code drops CAP_SYS_RAWIO and then tries to change the value stored in /proc/sys/vm/mmap_min_addr to the value of its first argument. To check whether the bug was repaired, one must check whether the value in /proc/sys/vm/mmap_min_addr is the same before and after running this program with an argument that differs from the original value of /proc/sys/vm/mmap_min_addr (correct behaviour is no change).
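
The check described in comments 5 and 8, written out as an added example. It is not the attached reproducer (attachment 399386 is not shown on this page), and the function names, verdict codes and the default test value 8192 are assumptions. It uses the raw capget/capset syscalls, is meant to be run as root on a test system, and writes the original value back if the write went through.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

enum verdict { UNCHANGED = 0, CHANGED = 1, INCONCLUSIVE = 2 };
/* Clear CAP_SYS_RAWIO in all three sets; 0x19980330 is the 32-bit v1 capability ABI. */
int drop_cap_sys_rawio(void) {
    struct __user_cap_header_struct hdr = { 0x19980330, 0 };  /* pid 0 = this task */
    struct __user_cap_data_struct data;
    unsigned mask = ~(1u << CAP_SYS_RAWIO);
    if (syscall(SYS_capget, &hdr, &data) != 0) return -1;
    data.effective &= mask; data.permitted &= mask; data.inheritable &= mask;
    return syscall(SYS_capset, &hdr, &data) == 0 ? 0 : -1;
}

/* Read one unsigned long from a sysctl-style file; 0 on success. */
int read_value(const char *path, unsigned long *out) {
    FILE *f = fopen(path, "r");
    int ok = f && fscanf(f, "%lu", out) == 1;
    if (f) fclose(f);
    return ok ? 0 : -1;
}

/* A refused open or write is the expected outcome on a patched kernel. */
int write_value(const char *path, unsigned long val) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fprintf(f, "%lu\n", val) > 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Compare the value before and after the write attempt; restore it if it changed. */
enum verdict probe(const char *path, unsigned long newval) {
    unsigned long before, after;
    if (read_value(path, &before) != 0 || newval == before) return INCONCLUSIVE;
    write_value(path, newval);
    if (read_value(path, &after) != 0) return INCONCLUSIVE;
    if (after != before) write_value(path, before);
    return after == before ? UNCHANGED : CHANGED;
}

int main(int argc, char **argv) {
    unsigned long newval = argc > 1 ? strtoul(argv[1], NULL, 10) : 8192; /* assumed default */
    if (geteuid() != 0 || drop_cap_sys_rawio() != 0) return INCONCLUSIVE;
    enum verdict v = probe("/proc/sys/vm/mmap_min_addr", newval);
    puts(v == UNCHANGED ? "unchanged" : v == CHANGED ? "changed" : "inconclusive");
    return v;
}
```

"unchanged" is the correct behaviour described in the comment above; "changed" means the kernel accepted the write without CAP_SYS_RAWIO.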

Comment 12 errata-xmlrpc 2010-03-30 07:29:37 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0178.html