memory security

This forum is dedicated to new ideas, suggestions and proposals.

memory security

Postby jiml8 » Jan 13th, '15, 09:58

I've been doing some mmap work in freebsd, and that caused me to wonder about something, so I took a look at how the Mageia desktop kernel is compiled.

It seems the flag CONFIG_STRICT_DEVMEM is not set in the kernel, and as a matter of security it probably should be.

This flag restricts userspace programs to accessing device memory only and not main memory (which is also kernel memory). This protects the system against an attack that might directly alter kernel memory. With this flag not set, root can access any memory in the system from userspace. While this is occasionally good for development/debugging work, it is unnecessary and potentially dangerous in a production environment, particularly in a server environment (though I do not know how this is set in the server kernel).

Suggest that CONFIG_STRICT_DEVMEM=Y be set in future kernels.
jiml8
 
Posts: 1188
Joined: Jul 7th, '13, 18:09

Re: memory security

Postby doktor5000 » Jan 13th, '15, 19:16

jiml8 wrote:Suggest that CONFIG_STRICT_DEVMEM=Y be set in future kernels.

If you want this to be taken into account by our kernel maintainer, please either submit it as feature request via bugzilla, or discuss it first on the dev mailing list: https://ml.mageia.org/wwsympa-wrapper.fcgi/info/dev
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16794
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany


Return to Ideas and suggestions

Who is online

Users browsing this forum: No registered users and 1 guest