[Bug 401950] Re: mmap_min_addr should be handled via CAP_SYS_RAWIO
Kees Cook
kees at ubuntu.com
Tue Jul 21 00:05:24 UTC 2009
Implementing this would involve two halves: setting up the filesystem
capabilities when the package is installed (postinst most likely), and
dropping the capability once the program has allocated memory.
Here is a quick example of how to mark an executable with a capability:
http://www.friedhoff.org/posixfilecaps.html#Examples%20-%20Substitution%20of%20suid-0%20privilege%20with%20POSIX%20Capabilities%20privilege
They use numeric values, but it may be more readable to use the text
version:
sudo setcap cap_sys_rawio=ep low-mmap
(setcap is in libcap2-bin)
Part 2 involves dropping the capability:
http://git.0pointer.de/?p=pulseaudio.git;a=blob;f=src/daemon/caps.c;hb=86dee05aec330a0c2886c0327712153793ca46c4
pa_drop_caps shows how to drop capabilities, and pa_have_caps
shows how to test for a specific capability. (In the example's case,
CAP_SYS_NICE.)
--
mmap_min_addr should be handled via CAP_SYS_RAWIO
https://bugs.launchpad.net/bugs/401950