From a5ecbcb8c13ea8a822d243bf782d0dc9525b4f84 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Thu, 31 Jan 2008 15:11:22 -0500 Subject: security: allow Kconfig to set default mmap_min_addr protection Since it was decided that low memory protection from userspace couldn't be turned on by default add a Kconfig option to allow users/distros to set a default at compile time. This value is still tunable after boot in /proc/sys/vm/mmap_min_addr Discussion: http://www.mail-archive.com/linux-security-module@vger.kernel.org/msg02543.html Signed-off-by: Eric Paris Signed-off-by: James Morris --- security/Kconfig | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'security/Kconfig') diff --git a/security/Kconfig b/security/Kconfig index 25ffe1b9dc98..5dfc206748cf 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -104,6 +104,24 @@ config SECURITY_ROOTPLUG If you are unsure how to answer this question, answer N. +config SECURITY_DEFAULT_MMAP_MIN_ADDR + int "Low address space to protect from user allocation" + depends on SECURITY + default 0 + help + This is the portion of low virtual memory which should be protected + from userspace allocation. Keeping a user from writing to low pages + can help reduce the impact of kernel NULL pointer bugs. + + For most users with lots of address space a value of 65536 is + reasonable and should cause no problems. Programs which use vm86 + functionality would either need additional permissions from either + the LSM or the capabilities module or have this protection disabled. + + This value can be changed after boot using the + /proc/sys/vm/mmap_min_addr tunable. + + source security/selinux/Kconfig source security/smack/Kconfig -- cgit v1.2.1