Posted Aug 20, 2009 1:44 UTC (Thu) by jamesmrh (guest, #31622)
Parent article: In brief
FYI, these changes are currently being merged into F11 and F10 (rawhide will pick them up automatically), and new kernels should be out very soon.
Addressing this at the design level produces the most flexible result:
- the sysctl (mmap_min_addr) cannot be overridden at all by MAC security policy (e.g. SELinux)
- it can only be overridden with CAP_SYS_RAWIO
- if the sysctl is disabled to allow e.g. wine to run, MAC security policy can be used to add further restrictions to ensure that only wine can perform the mapping, and nothing else. i.e. running wine does not mean degrading security for the entire system.
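
An audit of the capability half of the design described above, added here as an example and not part of the original comment: it reports which processes could map below `mmap_min_addr`, either because they hold CAP_SYS_RAWIO or because the sysctl is set to 0. It assumes the Linux `/proc/<pid>/status` `CapEff:` field and capability bit 17 for CAP_SYS_RAWIO; the function names and the sample status texts are constructed, and SELinux policy is not inspected.

```python
import glob

CAP_SYS_RAWIO = 17  # bit number from <linux/capability.h>

def effective_caps(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line in status text")

def process_name(status_text):
    for line in status_text.splitlines():
        if line.startswith("Name:"):
            return line.split(None, 1)[1].strip()
    return "?"

def audit(min_addr_text, status_texts):
    """Return (mmap_min_addr, names of processes able to map below it)."""
    min_addr = int(min_addr_text.strip())
    if min_addr == 0:
        # Sysctl disabled: no capability is needed for low mappings, so
        # MAC policy is the only remaining restriction on every process.
        return 0, [process_name(s) for s in status_texts]
    holders = [process_name(s) for s in status_texts
               if (effective_caps(s) >> CAP_SYS_RAWIO) & 1]
    return min_addr, holders

# Constructed sample input (not captured from a real system).
SAMPLE = [
    "Name:\tXorg\nCapEff:\t0000000000020000\n",   # only CAP_SYS_RAWIO
    "Name:\thttpd\nCapEff:\t0000000000000400\n",  # only CAP_NET_BIND_SERVICE
    "Name:\twine\nCapEff:\t0000000000000000\n",   # unprivileged
]

if __name__ == "__main__":
    statuses = []
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as f:
                statuses.append(f.read())
        except OSError:
            continue  # process exited while we were scanning
    with open("/proc/sys/vm/mmap_min_addr") as f:
        limit, names = audit(f.read(), statuses)
    print("mmap_min_addr =", limit)
    print("can map below it:", ", ".join(sorted(set(names))) or "none")
```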