aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Paris2009-07-31 11:54:11 -0500
committerJames Morris2009-08-17 00:09:11 -0500
commit788084aba2ab7348257597496befcbccabdc98a3 (patch)
tree2da42d746d67b16ef705229a1b5a3528ec19c725 /security/Kconfig
parent8cf948e744e0218af604c32edecde10006dc8e9e (diff)
downloadam43-linux-kernel-788084aba2ab7348257597496befcbccabdc98a3.tar.gz
am43-linux-kernel-788084aba2ab7348257597496befcbccabdc98a3.tar.xz
am43-linux-kernel-788084aba2ab7348257597496befcbccabdc98a3.zip
Security/SELinux: seperate lsm specific mmap_min_addr
Currently SELinux enforcement of controls on the ability to map low memory is determined by the mmap_min_addr tunable. This patch causes SELinux to ignore the tunable and instead use a seperate Kconfig option specific to how much space the LSM should protect. The tunable will now only control the need for CAP_SYS_RAWIO and SELinux permissions will always protect the amount of low memory designated by CONFIG_LSM_MMAP_MIN_ADDR. This allows users who need to disable the mmap_min_addr controls (usual reason being they run WINE as a non-root user) to do so and still have SELinux controls preventing confined domains (like a web server) from being able to map some area of low memory. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/Kconfig')
-rw-r--r--security/Kconfig16
1 files changed, 16 insertions, 0 deletions
diff --git a/security/Kconfig b/security/Kconfig
index d23c839038f..9c60c346a91 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -113,6 +113,22 @@ config SECURITY_ROOTPLUG
113 113
114 If you are unsure how to answer this question, answer N. 114 If you are unsure how to answer this question, answer N.
115 115
116config LSM_MMAP_MIN_ADDR
117 int "Low address space for LSM to from user allocation"
118 depends on SECURITY && SECURITY_SELINUX
119 default 65535
120 help
121 This is the portion of low virtual memory which should be protected
122 from userspace allocation. Keeping a user from writing to low pages
123 can help reduce the impact of kernel NULL pointer bugs.
124
125 For most ia64, ppc64 and x86 users with lots of address space
126 a value of 65536 is reasonable and should cause no problems.
127 On arm and other archs it should not be higher than 32768.
128 Programs which use vm86 functionality or have some need to map
129 this low address space will need the permission specific to the
130 systems running LSM.
131
116source security/selinux/Kconfig 132source security/selinux/Kconfig
117source security/smack/Kconfig 133source security/smack/Kconfig
118source security/tomoyo/Kconfig 134source security/tomoyo/Kconfig