Another kernel NULL pointer vulnerability
Posted Aug 14, 2009 5:36 UTC (Fri) by spender (subscriber, #23067)
Posted Aug 14, 2009 11:09 UTC (Fri) by jamesmrh (guest, #31622)
Eric Paris posted on the topic here:
(see comments for further thoughts from Brad).
Note that the LSM and SELinux logic has been reworked upstream by Eric. The primary patch of interest is:
This will allow finer control over the ability to perform low mappings with better separation of DAC and MAC controls, and will be pushed to Linus for 2.6.32.
Posted Aug 14, 2009 17:43 UTC (Fri) by MarkWilliamson (guest, #30166)
I had the impression from previous LWN articles that there was also a bug or, at least, an "unintended feature" in the LSM infrastructure (not specifically SELinux, then), which disabled the normal Linux checking for minimum mmap-able address when an LSM was installed.
So one *aspect* of the problem is affected by the presence of SELinux (or other LSMs), even though SELinux itself may not contain the bug. Is that correct too?
Posted Aug 14, 2009 18:00 UTC (Fri) by spender (subscriber, #23067)
Posted Aug 15, 2009 11:39 UTC (Sat) by trasz (guest, #45786)
Posted Aug 15, 2009 9:36 UTC (Sat) by jamesmrh (guest, #31622)
The SELinux policy in RHEL5 for unconfined domains (i.e. local logged in users) has no check. Eric's changes will allow the MAC and DAC checks to be properly separated, so SELinux policy can't override DAC in this case. (See Eric's blog entry; it has a much more thorough explanation.)
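The situation described in the two comments above (an LSM's decision standing in for the normal minimum-address check, and unconfined domains having no check of their own) can be verified from user space. The following C program is an added example, not code from the thread or from Eric's patch: it reads vm.mmap_min_addr and then asks the kernel for a harmless PROT_NONE page at address 0, so an administrator can confirm whether the DAC check and the LSM together still refuse low mappings for the current process. The function names and the 4096-byte page size are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Parse /proc/sys/vm/mmap_min_addr text ("65536\n"); -1 if not a non-negative integer. */
long parse_min_addr(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < 0)
        return -1;
    while (*end == ' ' || *end == '\n')
        end++;
    return *end == '\0' ? v : -1;
}
/* Read the live sysctl; -1 if /proc is unavailable (non-Linux, chroot). */
long read_min_addr(void)
{
    char buf[64] = {0};
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n ? parse_min_addr(buf) : -1;
}
/* Request one PROT_NONE anonymous page at a fixed low address; a fresh process
 * has nothing mapped there and PROT_NONE keeps it inaccessible on success.
 * Returns 1 if allowed (released at once), 0 if refused with EPERM (DAC/capability
 * check) or EACCES (LSM denial), -1 on any other error (assumed page size 4096). */
int probe_low_mapping(unsigned long addr)
{
    void *p = mmap((void *)addr, 4096, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return (errno == EPERM || errno == EACCES) ? 0 : -1;
    munmap(p, 4096);
    return 1;
}
int main(void)
{
    int r = probe_low_mapping(0), err = errno;
    printf("vm.mmap_min_addr=%ld, fixed mapping at 0: %s\n", read_min_addr(),
           r == 1 ? "ALLOWED (low-address protection not in effect)"
           : r == 0 ? "refused (protection in effect)" : strerror(err));
    return r == 0 ? 0 : 1;
}
```

Run it both as an unconfined user and as root: a result of "ALLOWED" from an unprivileged shell is exactly the condition the thread is discussing.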
Posted Aug 15, 2009 14:34 UTC (Sat) by jimmybgood (guest, #26142)
Having patched my kernel to 22.214.171.124 in July, this exploit would not run, with vm reporting that the page couldn't be mapped.
The problem is that SELinux is too difficult to configure, forcing even quite knowledgeable sysadmins to rely on canned distro configurations, which may or may not be suitable for their particular need. In many situations (where WINE was needed), SELinux _was_ doing the right thing.
The same can be said of the hal, console-kit and policykit consortium. I'd feel more comfortable with an X server running as root, than the new unprivileged X, with hal and friends. The only way I can configure hal is to google a magic invocation and cross my fingers. I'll bet we'll see major exploits using hal, ck and/or pk coming soon.
I'm not sure what the solution is. My workaround is to avoid any security solution that I can't comfortably configure and feel that I understand fully what I'm doing. That's never been the case with SELinux. I know there's a parser that will look at the logs and give you a configuration snippet, but I don't know how it works and so I don't trust it.
Posted Aug 15, 2009 16:15 UTC (Sat) by nix (subscriber, #2304)
Posted Aug 14, 2009 18:07 UTC (Fri) by spender (subscriber, #23067)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds