| |||||||||||||
Incorrect statements:Incorrect statements:Posted Jul 21, 2009 21:37 UTC (Tue) by eparis (subscriber, #33060)Parent article: Fun with NULL pointers, part 2
"One obvious problem is that, when the security module mechanism is configured into the kernel, the administrator-specified limits on the lowest valid user-space virtual address are ignored."
WRONG. Flat wrong. There are differences in what is/was required when using SELinux and not using SELinux, but it was never ignored.
"The mainline now has a patch which causes the map_min_addr sysctl knob to always be in effect; this patch has also been put into the 2.6.27.27 and 2.6.30.2 updates"
This is true, but wrong in context. The knob causes mmap_min_addr to be applied with !CONFIG_SECURITY. But the whole paragraph was about having it set....
(Log in to post comments)
Incorrect statements: Posted Jul 21, 2009 22:06 UTC (Tue) by corbet (editor, #1) [Link] Hmm, I misread the patch and blew it. Not the first time. The text has been tweaked somewhat and is hopefully less fictional now; sorry for the confusion.
Incorrect statements: Posted Jul 21, 2009 23:12 UTC (Tue) by eparis (subscriber, #33060) [Link]
Less fictional (but I still wouldn't call it perfect) *smile*
I did try to specifically address the issue of the differences between SELinux and non-SELinux mmap_min_addr use in a blog I created today.
http://eparis.livejournal.com/606.html
From the point of view of an authenticated and logged in user SELinux is doing a worse job and I clearly want to fix this. From the point of view of a remote attack or in light of people who run dumb things (run wine), SELinux was taking a better approach.
I'm hoping to fix those dumb things.
Incorrect statements: Posted Jul 23, 2009 2:45 UTC (Thu) by spender (subscriber, #23067) [Link]
We have a word for those "dumb things" that grant more privilege than the system normally would: "vulnerability." So where's the CVE?
-Brad
|
|||||||||||||