
Bug 534019

Summary: kernel: sysctl: require CAP_SYS_RAWIO to set mmap_min_addr [mrg-1]
Product: Red Hat Enterprise MRG
Reporter: Eugene Teo (Security Response) <eteo>
Component: realtime-kernel
Assignee: Clark Williams <williams>
Status: CLOSED ERRATA
QA Contact: David Sommerseth <davids>
Severity: medium
Priority: medium
Version: 1.2
CC: bhu, eteo, jkacur, lbrindle, lgoncalv, mmcallis, ovasik, williams
Target Milestone: 1.2
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
Not in relnote
RT Bug fix
The "/proc/sys/vm/mmap_min_addr" tunable helps prevent unprivileged users from creating new memory mappings below the minimum address. The sysctl value for mmap_min_addr could be changed by a process or user that has an effective user ID (euid) of 0, even if the process or user does not have the CAP_SYS_RAWIO capability. This update adds a capability check for the CAP_SYS_RAWIO capability before allowing the mmap_min_addr value to be changed.
Clone Of: 534018
Last Closed: 2009-12-03 11:28:06 UTC
Bug Depends On: 534018
Bug Blocks: 527551

Description Eugene Teo (Security Response) 2009-11-10 06:15:58 UTC
+++ This bug was initially created as a clone of Bug #534018 +++

Description of problem:
Currently the mmap_min_addr value can only be bypassed during mmap when the task has CAP_SYS_RAWIO.  However, the mmap_min_addr sysctl value itself can be adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO. This patch adds a check for the capability before allowing mmap_min_addr to be changed.

http://marc.info/?l=linux-security-module&m=125770306901859&w=2
http://marc.info/?l=linux-security-module&m=125771613220062&w=2

Proposed patch:
http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commitdiff;h=0e1a6ef2dea88101b056b6d9984f3325c5efced3
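
As an added example (not code from this bug report, the upstream patch, or the MRG kernel), here is a userspace probe in C of the privilege model the description talks about. It reports whether CAP_SYS_RAWIO is in the effective set, drops the capability while leaving euid unchanged (raw capget/capset, no libcap), then tries to write 0 to /proc/sys/vm/mmap_min_addr and to map a page at address 4096. On a kernel with the fix, a process with euid 0 but no CAP_SYS_RAWIO gets EPERM on the sysctl write; on a kernel without it, the write is accepted and the low mapping then succeeds. The function names, the probe address and the errno conventions are choices made here; the program assumes Linux and, for the interesting run, root.

```c
/* Added example, not code from the bug report or the kernel patch: a userspace
 * probe of the privilege model described above. Function names, probe address
 * and the raw capget/capset calls (no libcap) are choices made here. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#define MIN_ADDR_SYSCTL "/proc/sys/vm/mmap_min_addr"
#define LOW_ADDR ((void *)4096UL)   /* below any usual limit, and not page 0 */
#define OUTCOME(rc) ((rc) ? strerror(-(rc)) : "ok")
#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE MAP_FIXED   /* older headers: fall back to MAP_FIXED */
#endif

/* capget(2)/capset(2) on the calling thread, v3 layout: two words per set. */
static int caps(long nr, struct __user_cap_data_struct d[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(nr, &hdr, d) == 0 ? 0 : -errno;
}

/* 1 if CAP_SYS_RAWIO is in the effective set, 0 if not, -errno on error. */
int has_cap_sys_rawio(void)
{
    struct __user_cap_data_struct d[2];
    int rc = caps(SYS_capget, d);
    return rc ? rc : (d[CAP_TO_INDEX(CAP_SYS_RAWIO)].effective &
                      CAP_TO_MASK(CAP_SYS_RAWIO)) != 0;
}

/* Drop CAP_SYS_RAWIO from all three sets. Needs no privilege, leaves the uids
 * alone and cannot be undone: with euid 0 this is the state the bug describes. */
int drop_cap_sys_rawio(void)
{
    struct __user_cap_data_struct d[2];
    int rc = caps(SYS_capget, d);
    if (rc)
        return rc;
    unsigned i = CAP_TO_INDEX(CAP_SYS_RAWIO), m = CAP_TO_MASK(CAP_SYS_RAWIO);
    d[i].effective &= ~m; d[i].permitted &= ~m; d[i].inheritable &= ~m;
    return caps(SYS_capset, d);
}

/* Current vm.mmap_min_addr, or -1 if it cannot be read. */
long read_min_addr(void)
{
    unsigned long v = 0;
    FILE *f = fopen(MIN_ADDR_SYSCTL, "r");
    long r = (f && fscanf(f, "%lu", &v) == 1) ? (long)v : -1;
    if (f) fclose(f);
    return r;
}

/* Write vm.mmap_min_addr: 0 on success, -errno otherwise. Non-root fails at
 * open() with EACCES; euid 0 passes the file mode and, on a fixed kernel, is
 * refused with EPERM unless it also holds CAP_SYS_RAWIO. */
int try_set_min_addr(unsigned long value)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%lu\n", value);
    int fd = open(MIN_ADDR_SYSCTL, O_WRONLY);
    if (fd < 0)
        return -errno;
    int err = write(fd, buf, n) < 0 ? errno : 0;
    close(fd);
    return -err;
}

/* Map one page at LOW_ADDR: 0 if it landed there (then unmapped), -EPERM is the
 * mmap_min_addr refusal, -EADDRNOTAVAIL if the kernel placed it elsewhere. */
int try_mmap_fixed_low(void)
{
    void *p = mmap(LOW_ADDR, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    if (p == MAP_FAILED)
        return -errno;
    munmap(p, 4096);
    return p == LOW_ADDR ? 0 : -EADDRNOTAVAIL;
}

int main(void)
{
    long orig = read_min_addr();
    printf("euid=%u CAP_SYS_RAWIO=%d vm.mmap_min_addr=%ld low map: %s\n",
           (unsigned)geteuid(), has_cap_sys_rawio(), orig,
           OUTCOME(try_mmap_fixed_low()));
    int rc = drop_cap_sys_rawio();
    if (rc) { printf("capset: %s\n", strerror(-rc)); return 1; }
    rc = try_set_min_addr(0);
    printf("euid=%u CAP_SYS_RAWIO=%d write 0 to sysctl: %s\n",
           (unsigned)geteuid(), has_cap_sys_rawio(), OUTCOME(rc));
    if (rc == 0) {  /* unfixed kernel: euid 0 alone zeroed the limit */
        printf("low map now: %s\n", OUTCOME(try_mmap_fixed_low()));
        if (orig >= 0)
            try_set_min_addr((unsigned long)orig);  /* put the limit back */
    }
    return 0;
}
```

Build with `gcc -O2 probe.c -o probe` and run it as root. With the fix in place the second line reports euid=0, CAP_SYS_RAWIO=0 and "Operation not permitted" for the sysctl write, which is the capability check refusing a root process that lacks CAP_SYS_RAWIO; a kernel without the fix reports "ok" for the write and then "ok" for the low mapping, i.e. the bypass the description describes, after which the program restores the original limit. Run as an ordinary user the write fails earlier, at open(), with "Permission denied" from the file mode, so that run only shows the mmap side of the check.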

Comment 3 David Sommerseth 2009-11-18 21:54:12 UTC
Verified by code review.  Found upstream patch implemented in 2.6.24.7-139.el5rt.

CVS: check-for-CAP_SYS_RAWIO-before-allowing-mmap_min_add.patch
mrg-rt-v1.git: b68cc1dbbbedef3428d63871b16fa36e41fcd6f2

Will try to validate this one with a reproducer.

Comment 6 Lana Brindley 2009-11-30 22:47:07 UTC
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
RT Bug fix (security)

C: the "/proc/sys/vm/mmap_min_addr" tunable helps prevent unprivileged users from creating new memory mappings below the minimum address. The
sysctl value for mmap_min_addr could be changed by a process or user who has an effective user ID (euid) of 0, even if they do not have the
CAP_SYS_RAWIO capability.
C: This is a breach of security
F: a check for the CAP_SYS_RAWIO capability has been added.
R: The mmap_min_addr value can only be changed if the capability check passes.

The "/proc/sys/vm/mmap_min_addr" tunable helps prevent unprivileged users from creating new memory mappings below the minimum address. The
sysctl value for mmap_min_addr could be changed by a process or user who has an effective user ID (euid) of 0, even if they do not have the
CAP_SYS_RAWIO capability. This update adds a check for the CAP_SYS_RAWIO capability before allowing the mmap_min_addr value to be
changed.

Comment 7 Eugene Teo (Security Response) 2009-12-02 01:04:07 UTC
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,4 +1,4 @@
-RT Bug fix (security)
+RT Bug fix
 
 C: the "/proc/sys/vm/mmap_min_addr" tunable helps prevent unprivileged users from creating new memory mappings below the minimum address. The
 sysctl value for mmap_min_addr could be changed by a process or user who has an effective user ID (euid) of 0, even if they do not have the
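Review bot: dropping the "(security)" qualifier (`-RT Bug fix (security)` / `+RT Bug fix`) without a reason in the comment deserves a line of justification: the summary, the Security Response reporter and the RHSA that closes this bug all treat it as a security fix, so a reader of the release note loses that signal. If the intent is that the note should not be tagged as a security fix in the release notes, say so here; otherwise keep the qualifier.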

Comment 8 Lana Brindley 2009-12-02 01:19:01 UTC
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,3 +1,5 @@
+Not in relnote
+
 RT Bug fix
 
 C: the "/proc/sys/vm/mmap_min_addr" tunable helps prevent unprivileged users from creating new memory mappings below the minimum address. The
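Review bot: `+Not in relnote` is inserted as the first line of the Doc Text itself rather than recorded as a flag, so it becomes part of the field: the Doc Text in this bug's header now starts with "Not in relnote RT Bug fix The ...". Put the marker in the requires_release_notes flag or in a comment and leave the Doc Text as the text that would actually ship.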

Comment 11 errata-xmlrpc 2009-12-03 11:28:06 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1635.html