Re: [announce] [patch] NX (No eXecute) support for x86, 2.6.7-rc2-bk2

From: Andy Lutomirski
Date: Thu Jun 03 2004 - 18:03:32 EST


Andi Kleen wrote:
On Thu, 3 Jun 2004 14:44:48 +0200
Ingo Molnar <mingo@xxxxxxx> wrote:



- in exec.c, since address-space executability is a security-relevant
item, we must clear the personality when we exec a setuid binary. I
believe this is also a (small) security robustness fix for current
64-bit architectures.


I'm not sure I like that. This means I cannot earily force an i386 uname or 3GB address space on suid programs anymore on x86-64.

While in theory it could be a small security problem I think the utility
is much greater.

It's hard to see how setting NX could cause a security hole. The program
may crash, but it is unlikely to be exploitable.

The whole point of NX, though, is that it prevents certain classes of exploits. If a setuid binary is vulnerable to one of these, then Ingo's patch "fixes" it. Your approach breaks that.

I don't like Ingo's fix either, though. At least it should check CAP_PTRACE or some such. A better fix would be for LSM to pass down a flag indicating a change of security context. I'll throw that in to my caps/apply_creds cleanup, in case that ever gets applied.

--Andy



-Andi

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/