mmap_min_addr and security modules

Posted Jul 20, 2009 21:47 UTC (Mon) by fjpop (guest, #30115)
Parent article: Fun with NULL pointers, part 1

> But, for unknown reasons, the mmap() code in the 2.6.30 kernel
> explicitly declines to enforce mmap_min_addr if the security module
> mechanism has been configured into the kernel. That job, instead, is
> left to the specific security module being used.

There are plenty of systems where CONFIG_SECURITY_SELINUX is set, but
where selinux is either not installed or not activated.

So if the quoted text is correct, then all those systems would be missing
an apparently useful (basic?) security check. Or is the text imprecise
and does the kernel check if a security module is active before ignoring
mmap_min_addr?

mmap_min_addr and security modules

Posted Jul 20, 2009 21:53 UTC (Mon) by corbet (editor, #1) [Link] (1 responses)

The code which performs the check was:

static inline unsigned long round_hint_to_min(unsigned long hint)
{
#ifdef CONFIG_SECURITY
	hint &= PAGE_MASK;
	if (((void *)hint != NULL) &&
	    (hint < mmap_min_addr))
		return PAGE_ALIGN(mmap_min_addr);
#endif
	return hint;
}

So it was taken out at compile time; the presence of an actual security module is not really relevant.

mmap_min_addr and security modules

Posted Jul 20, 2009 22:15 UTC (Mon) by spender (guest, #23067) [Link]

That's not the right check. security_file_mmap (which is either set by the capabilities module or overriden by the SELinux module) is what implements the final check. The one you pasted doesn't even apply for MAP_FIXED but is just to ensure that the allocator doesn't choose an address below mmap_min_addr when only a hint is specified.

If SELinux is compiled into the kernel, it needs to be disabled at boot via the kernel command-line, otherwise it registers its hooks with LSM and overrides that of the capabilities module for security_file_mmap which performs the mmap_min_addr check.

-Brad