diff options
author | Eric Paris <eparis@redhat.com> | 2008-01-31 15:11:22 -0500 |
---|---|---|
committer | James Morris <jmorris@localhost.localdomain> | 2008-02-06 08:39:46 -0500 |
commit | a5ecbcb8c13ea8a822d243bf782d0dc9525b4f84 (patch) | |
tree | 902df830bf581642a49bbb1e4f4de5b9f80eeaa1 /security/Kconfig | |
parent | 551e4fb2465b87de9d4aa1669b27d624435443bb (diff) |
security: allow Kconfig to set default mmap_min_addr protection
Since it was decided that low memory protection from userspace couldn't
be turned on by default add a Kconfig option to allow users/distros to
set a default at compile time. This value is still tunable after boot
in /proc/sys/vm/mmap_min_addr
Discussion:
http://www.mail-archive.com/linux-security-module@vger.kernel.org/msg02543.html
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/Kconfig')
-rw-r--r-- | security/Kconfig | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/security/Kconfig b/security/Kconfig index 25ffe1b9dc9..5dfc206748c 100644 --- a/security/Kconfig +++ b/security/Kconfig | |||
@@ -104,6 +104,24 @@ config SECURITY_ROOTPLUG | |||
104 | 104 | ||
105 | If you are unsure how to answer this question, answer N. | 105 | If you are unsure how to answer this question, answer N. |
106 | 106 | ||
107 | config SECURITY_DEFAULT_MMAP_MIN_ADDR | ||
108 | int "Low address space to protect from user allocation" | ||
109 | depends on SECURITY | ||
110 | default 0 | ||
111 | help | ||
112 | This is the portion of low virtual memory which should be protected | ||
113 | from userspace allocation. Keeping a user from writing to low pages | ||
114 | can help reduce the impact of kernel NULL pointer bugs. | ||
115 | |||
116 | For most users with lots of address space a value of 65536 is | ||
117 | reasonable and should cause no problems. Programs which use vm86 | ||
118 | functionality would either need additional permissions from either | ||
119 | the LSM or the capabilities module or have this protection disabled. | ||
120 | |||
121 | This value can be changed after boot using the | ||
122 | /proc/sys/vm/mmap_min_addr tunable. | ||
123 | |||
124 | |||
107 | source security/selinux/Kconfig | 125 | source security/selinux/Kconfig |
108 | source security/smack/Kconfig | 126 | source security/smack/Kconfig |
109 | 127 | ||