Currently SELinux enforcement of controls on the ability to map the 0 page is determined by the mmap_min_addr tunable. This patch causes SELinux to ignore the tunable and to always (but ONLY) protect the 0 page. The tunable will now only control the need for CAP_SYS_RAWIO and SELinux permissions will always protect the 0 page based on it's mmap_zero permission. This allows users who need to disable the mmap_min_addr controls (usual reason being they run WINE as a non-root user) to do so and still have SELinux controls preventing confined domains (like a web server) from being able to map the 0 page. Note: the additional SELinux restriction will now ONLY protect the 0 page. CAP_SYS_RAWIO will protect anything between 0 and mmap_min_addr, but SELinux will only protect between 0 and PAGE_SIZE. Reproducible: Didn't try
Created attachment 198709 [details, diff] patch patch found in the lkm
This bug appears to be resolved in the kernel as of 2.6.31 using the CONFIG_LSM_MMAP_MIN_ADDR parameter. Can we close this bug?