Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 512643

Summary: kernel: security: use mmap_min_addr independently of security models [mrg-1]
Product: Red Hat Enterprise MRG Reporter: Eugene Teo (Security Response) <eteo>
Component: realtime-kernelAssignee: Red Hat Real Time Maintenance <rt-maint>
Status: CLOSED WONTFIX QA Contact: David Sommerseth <davids>
Severity: high Docs Contact:
Priority: high    
Version: DevelopmentCC: bhu, eparis, jmorris, lgoncalv, lwang, ovasik, security-response-team, williams
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 512638 Environment:
Last Closed: 2009-07-21 02:06:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 512638    
Bug Blocks:    

Description Eugene Teo (Security Response) 2009-07-20 06:06:39 UTC 
+++ This bug was initially created as a clone of Bug #512638 +++

Description of problem:
This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY. It also sets a default mmap_min_addr of 4096.

mmapping of addresses below 4096 will only be possible for processes with CAP_SYS_RAWIO.

Upstream commit:
http://git.kernel.org/linus/e0a94c2a63f2644826069044649669b5e7ca75d3
Comment 1 Eric Paris 2009-07-20 17:31:57 UTC 
Doesn't mrg build with CONFIG_SECURITY?  If so, this patch is meaningless (unless we care about people rebuilding with different kconfig options)  I say it should be WONTFIX
Comment 2 David Sommerseth 2009-07-20 21:02:20 UTC 
How I see this patch, it also adds an additional check include/linux/security.h in security_file_mmap(...) which is not present even if CONFIG_SECURITY is enabled.  So this patch will still add a missing piece to be complete.

I vote for inclusion into MRG.
Comment 3 Eric Paris 2009-07-20 21:08:58 UTC 
But you would be wrong   :(

With CONFIG_SECURITY you are either going to get security_file_mmap() defined in security/security.c which points to security_ops->file_mmap().  Now file_mmap is going to be either selinux_file_mmap() or cap_file_mmap().  Both of which provide their checks on mmap of low memory.

this patch is a waste of time as long as we don't allow users to recompile their kernels.
Comment 4 Eugene Teo (Security Response) 2009-07-21 02:06:35 UTC 
nt