Re: [PATCH] Protection for exploiting null dereference using mmap

From: Russell Coker
Date: Wed Jun 06 2007 - 06:23:20 EST

Next message: Andi Kleen: "Re: [Xen-devel] [patch 14/33] xen: xen time implementation"
Previous message: Tejun Heo: "[REPOST PATCH] sata_promise: use TF interface for polling NODATA commands"
In reply to: Stephen Smalley: "Re: [PATCH] Protection for exploiting null dereference using mmap"
Next in thread: Stephen Smalley: "Re: [PATCH] Protection for exploiting null dereference using mmap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wednesday 06 June 2007 06:34, Eric Paris <eparis@xxxxxxxxxx> wrote:
> This patch uses a new SELinux security class "memprotect." ÂPolicy
> already contains a number of allow rules like Âa_t self:process *
> (unconfined_t being one of them) which mean that putting this check in
> the process class (its best current fit) would make it useless as all

I think it would be best to use the process class and change the "*" rules to
~{ memprotect }.

--
russell@xxxxxxxxxxxx
http://etbe.coker.com.au/ My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andi Kleen: "Re: [Xen-devel] [patch 14/33] xen: xen time implementation"
Previous message: Tejun Heo: "[REPOST PATCH] sata_promise: use TF interface for polling NODATA commands"
In reply to: Stephen Smalley: "Re: [PATCH] Protection for exploiting null dereference using mmap"
Next in thread: Stephen Smalley: "Re: [PATCH] Protection for exploiting null dereference using mmap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]