
Incorrect statements:


Posted Jul 21, 2009 21:37 UTC (Tue) by eparis (guest, #33060)
Parent article: Fun with NULL pointers, part 2

"One obvious problem is that, when the security module mechanism is configured into the kernel, the administrator-specified limits on the lowest valid user-space virtual address are ignored."

WRONG. Flat wrong. There are differences in what is/was required when using SELinux and not using SELinux, but it was never ignored.

"The mainline now has a patch which causes the map_min_addr sysctl knob to always be in effect; this patch has also been put into the 2.6.27.27 and 2.6.30.2 updates"

This is true, but wrong in context. The knob causes mmap_min_addr to be applied with !CONFIG_SECURITY. But the whole paragraph was about having it set....



Incorrect statements:

Posted Jul 21, 2009 22:06 UTC (Tue) by corbet (editor, #1) [Link] (2 responses)

Hmm, I misread the patch and blew it. Not the first time. The text has been tweaked somewhat and is hopefully less fictional now; sorry for the confusion.

Incorrect statements:

Posted Jul 21, 2009 23:12 UTC (Tue) by eparis (guest, #33060) [Link] (1 responses)

Less fictional (but I still wouldn't call it perfect) *smile*

I did try to specifically address the issue of the differences between SELinux and non-SELinux mmap_min_addr use in a blog I created today.

http://eparis.livejournal.com/606.html

From the point of view of an authenticated and logged-in user, SELinux is doing a worse job, and I clearly want to fix this. From the point of view of a remote attack, or in light of people who run dumb things (run wine), SELinux was taking a better approach.

I'm hoping to fix those dumb things.

Incorrect statements:

Posted Jul 23, 2009 2:45 UTC (Thu) by spender (guest, #23067) [Link]

We have a word for those "dumb things" that grant more privilege than the system normally would: "vulnerability." So where's the CVE?

-Brad

