enable CONFIG_SECURITY_MMAP_MIN_ADDR

Eric Paris eparis at redhat.com
Thu Feb 14 16:09:52 UTC 2008


Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR
Kconfig option.  In the past I tried to get this enabled by default
using sysctl, a Fedora kernel patch, and now I've got the Kconfig option
in the upstream kernel.  Let's set this equal to 65536.  I've been
running with this setting on my F8 laptop for some time and haven't seen
any problems (although I do know that dosemu may be an issue for both of
the people in the world who use it; there also may be some virt issues
that I don't know about but which can be very quickly and easily sorted
out).

This sysctl hardens the kernel against null pointer bugs.  Remember the
priv escalation that was all the news last weekend?  Not an issue with
this enabled!

http://www.avertlabs.com/research/blog/index.php/2008/02/13/analyzing-the-linux-kernel-vmsplice-exploit/

-Eric
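
Added example, not part of the original message or of any Fedora code: a small C check that reads the vm.mmap_min_addr sysctl, compares it with the 65536 proposed above, and confirms that a fixed mapping at page zero is refused. The function names are chosen here for illustration; /proc/sys/vm/mmap_min_addr is the standard sysctl file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#define WANTED_MIN_ADDR 65536UL   /* value proposed in the message */

/* Parse the decimal text of /proc/sys/vm/mmap_min_addr; 0 on success. */
int parse_min_addr(const char *text, unsigned long *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (errno || end == text || (*end != '\0' && *end != '\n'))
        return -1;
    *out = v;
    return 0;
}

/* Try a fixed anonymous mapping at addr: 1 = refused (EPERM/EACCES),
 * 0 = mapped (and released again), -1 = any other failure. */
int probe_fixed_map(unsigned long addr)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return (errno == EPERM || errno == EACCES) ? 1 : -1;
    munmap(p, (size_t)page);
    return 0;
}

int main(void)
{
    static const char *verdict[] = { "error", "mapped (unprotected)", "refused" };
    char buf[64] = "";
    unsigned long limit = 0;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f || !fgets(buf, sizeof buf, f) || parse_min_addr(buf, &limit)) {
        fprintf(stderr, "cannot read vm.mmap_min_addr\n");
        return 2;
    }
    fclose(f);
    printf("vm.mmap_min_addr=%lu (wanted >= %lu)\n", limit, WANTED_MIN_ADDR);
    printf("fixed map at page 0: %s\n", verdict[probe_fixed_map(0) + 1]);
    return limit >= WANTED_MIN_ADDR ? 0 : 1;   /* nonzero = below target */
}
```

Run it as an unprivileged user: a process holding CAP_SYS_RAWIO is exempt from the limit, so a root run can report "mapped" even when the sysctl is set.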




More information about the Fedora-kernel-list mailing list