Restrict mapping low memory.

Label /proc/sys/vm/mmap_min_addr with proc_security to prevent writing it by any domain other than init. Also remove memprotect mmap_zero permission from unconfineddomain so that it cannot pass the SELinux check over mapping low memory. Change-Id: Idc189feeb325a4aea26c93396fd0fa7225e79586 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Restrict mapping low memory.
Label /proc/sys/vm/mmap_min_addr with proc_security to prevent writing it by any domain other than init. Also remove memprotect mmap_zero permission from unconfineddomain so that it cannot pass the SELinux check over mapping low memory. Change-Id: Idc189feeb325a4aea26c93396fd0fa7225e79586 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
e6a7b37d · Stephen Smalley · Nick Kralevich · 95e0842e · e6a7b37d · e6a7b37d
Commit e6a7b37d authored 11 years ago by Stephen Smalley Committed by Nick Kralevich 11 years ago
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -15,6 +15,7 @@ genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0

--- a/unconfined.te
+++ b/unconfined.te
@@ -19,7 +19,6 @@
 allow unconfineddomain self:capability_class_set *;
 allow unconfineddomain kernel:security ~{ load_policy setenforce };
 allow unconfineddomain kernel:system *;
-allow unconfineddomain self:memprotect *;
 allow unconfineddomain domain:process ~ptrace;
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;