memory security
Posted: Jan 13th, '15, 09:58I've been doing some mmap work in freebsd, and that caused me to wonder about something, so I took a look at how the Mageia desktop kernel is compiled.
It seems the flag CONFIG_STRICT_DEVMEM is not set in the kernel, and as a matter of security it probably should be.
This flag restricts userspace programs to accessing device memory only and not main memory (which is also kernel memory). This protects the system against an attack that might directly alter kernel memory. With this flag not set, root can access any memory in the system from userspace. While this is occasionally good for development/debugging work, it is unnecessary and potentially dangerous in a production environment, particularly in a server environment (though I do not know how this is set in the server kernel).
Suggest that CONFIG_STRICT_DEVMEM=Y be set in future kernels.
It seems the flag CONFIG_STRICT_DEVMEM is not set in the kernel, and as a matter of security it probably should be.
This flag restricts userspace programs to accessing device memory only and not main memory (which is also kernel memory). This protects the system against an attack that might directly alter kernel memory. With this flag not set, root can access any memory in the system from userspace. While this is occasionally good for development/debugging work, it is unnecessary and potentially dangerous in a production environment, particularly in a server environment (though I do not know how this is set in the server kernel).
Suggest that CONFIG_STRICT_DEVMEM=Y be set in future kernels.