Description of problem: Currently the mmap_min_addr value can only be bypassed during mmap when the task has CAP_SYS_RAWIO. However, the mmap_min_addr sysctl value itself can be adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO. This patch adds a check for the capability before allowing mmap_min_addr to be changed.
http://marc.info/?l=linux-security-module&m=125770306901859&w=2
http://marc.info/?l=linux-security-module&m=125771613220062&w=2
Proposed patch: http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commitdiff;h=0e1a6ef2dea88101b056b6d9984f3325c5efced3
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Is there a reproducer for this one?
No. One could be written: an suid app that drops CAP_SYS_RAWIO and then writes a new value into the proc file. But nothing like that exists today.
in kernel-2.6.18-180.el5. You can download this test kernel from http://people.redhat.com/dzickus/el5
Please update the appropriate value in the Verified field (cf_verified) to indicate this fix has been successfully verified. Include a comment with verification details.
Created attachment 399386 [details] Reproducer for this bug. This C code drops CAP_SYS_RAWIO and then tries to change the value stored in /proc/sys/vm/mmap_min_addr to the value of its first argument. To check whether the bug was repaired, one must check whether the value in /proc/sys/vm/mmap_min_addr is the same before and after running this program with an argument that differs from the original value of /proc/sys/vm/mmap_min_addr (correct behaviour is no change).
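The following verification harness is an added example and is not attachment 399386 or any code from the Red Hat bug: it performs the check described above (drop CAP_SYS_RAWIO while keeping euid 0, attempt a write to /proc/sys/vm/mmap_min_addr, compare the value before and after), with two defender-oriented choices. It probes with a value higher than the current floor, so a vulnerable kernel is never left weaker than it started, and it reports the outcome through small pure helpers (parse_mmap_min_addr, probe_value, classify) that can be unit-tested without privileges. It assumes a Linux host, root to run the privileged part, and the v3 capget(2)/capset(2) ABI from <linux/capability.h> (kernels 2.6.26 and later; an older kernel such as the 2.6.18 el5 series would need the v1 header version instead).

```c
/* Added verification harness, not Bugzilla attachment 399386: checks that the
 * kernel refuses a write to vm.mmap_min_addr once CAP_SYS_RAWIO is dropped,
 * although euid is still 0. Runs as root on Linux; the pure helpers
 * (parse_mmap_min_addr, probe_value, classify) need no privileges. Assumes the
 * v3 capget(2)/capset(2) ABI from <linux/capability.h>. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#define MMAP_MIN_ADDR_PATH "/proc/sys/vm/mmap_min_addr"

/* Parse the decimal value read from the proc file; -1 on malformed input. */
long parse_mmap_min_addr(const char *buf) {
    char *end;
    errno = 0;
    long v = strtol(buf, &end, 10);
    if (end == buf || errno != 0 || v < 0) return -1;
    while (*end == '\n' || *end == ' ') end++;   /* proc appends a newline */
    return *end == '\0' ? v : -1;
}

/* Probe value: differs from the current one but is never weaker, since
 * raising the floor cannot expose the low pages mmap_min_addr protects. */
long probe_value(long current) { return current + 4096; }

/* 1 = fixed (write refused with EPERM, value unchanged),
 * 0 = vulnerable (write accepted and value changed), -1 = inconclusive. */
int classify(int write_ok, int err, long before, long after) {
    if (!write_ok && err == EPERM && after == before) return 1;
    if (write_ok && after != before) return 0;
    return -1;
}

/* Clear CAP_SYS_RAWIO from the effective, permitted and inheritable sets. */
static int drop_cap_sys_rawio(void) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    struct __user_cap_data_struct *d = &data[CAP_TO_INDEX(CAP_SYS_RAWIO)];
    d->effective   &= ~CAP_TO_MASK(CAP_SYS_RAWIO);
    d->permitted   &= ~CAP_TO_MASK(CAP_SYS_RAWIO);
    d->inheritable &= ~CAP_TO_MASK(CAP_SYS_RAWIO);
    return (int)syscall(SYS_capset, &hdr, data);
}

static int read_value(long *out) {
    char buf[64];
    int fd = open(MMAP_MIN_ADDR_PATH, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0) return -1;
    buf[n] = '\0';
    *out = parse_mmap_min_addr(buf);
    return *out < 0 ? -1 : 0;
}

/* Returns 1 if the whole value was written, else 0 with errno in *err. */
static int write_value(long v, int *err) {
    char buf[32];
    int len = snprintf(buf, sizeof buf, "%ld\n", v);
    int fd = open(MMAP_MIN_ADDR_PATH, O_WRONLY);
    if (fd < 0) { *err = errno; return 0; }
    ssize_t n = write(fd, buf, (size_t)len);
    *err = n < 0 ? errno : 0;
    close(fd);
    return n == len;
}

int main(void) {
    long before, after;
    int err = 0;
    if (geteuid() != 0) { fprintf(stderr, "run as root: euid 0 is the precondition\n"); return 2; }
    if (read_value(&before) != 0 || drop_cap_sys_rawio() != 0) { perror("setup"); return 2; }
    int ok = write_value(probe_value(before), &err);
    if (read_value(&after) != 0) { perror("re-read"); return 2; }
    int verdict = classify(ok, err, before, after);
    printf("before=%ld after=%ld write_ok=%d errno=%d: %s\n", before, after, ok, err,
           verdict == 1 ? "FIXED" : verdict == 0 ? "VULNERABLE" : "INCONCLUSIVE");
    if (after != before) write_value(before, &err);   /* undo the probe on a vulnerable kernel */
    return verdict == 1 ? 0 : 1;
}
```

On a kernel carrying the proposed patch the write fails with EPERM and the harness exits 0; on an unpatched kernel the value changes although CAP_SYS_RAWIO is gone, the harness restores the original floor and exits 1. Any other combination (for example EACCES because the program was not run as root) is reported as inconclusive rather than as a pass.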
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2010-0178.html