[CRIU] PR_SET_MM_MAP and capability check

Takashi Iwai tiwai at suse.de
Thu Jun 16 07:08:04 PDT 2016


Hi,

While dealing with the security issue CVE-2016-1583, I noticed that
PR_SET_MM_MAP is executed before the capability check in
kernel/sys.c.  This is one of the things the crasher code in that bug
is abusing.  Now I wonder whether it's safer to move it after the
capability check like the other PR_SET_MM_* calls.

My understanding is that it's done to allow a non-root user to C/R.
But currently C/R by a non-root user doesn't work properly anyway
(most of the NS and other tweaks need CAP_SYS_RESOURCE or CAP_SYS_ADMIN),
and leaving this might be seen as a weak point.


thanks,

Takashi
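The ordering described in the message above can be observed from user space. The probe below is an added example, not code from this thread, from CRIU or from the kernel: it issues PR_SET_MM_MAP_SIZE, which takes the same early return into prctl_set_mm_map() as PR_SET_MM_MAP but only writes sizeof(struct prctl_mm_map) back, and compares it with a legacy option (PR_SET_MM_START_STACK) that hits capable(CAP_SYS_RESOURCE) before its argument is even looked at. The struct and function names (mm_probe, probe_pr_set_mm, probe_consistent, have_cap_sys_resource) are ours; the capability bit number 24 is CAP_SYS_RESOURCE from linux/capability.h. A kernel built without CONFIG_CHECKPOINT_RESTORE, or a sandbox that filters prctl(), will fail the MAP_SIZE call too, and the code reports that rather than assuming the result.

```c
/*
 * Added probe (not kernel or CRIU code): shows that PR_SET_MM_MAP_SIZE, which
 * shares PR_SET_MM_MAP's dispatch into prctl_set_mm_map(), succeeds without
 * CAP_SYS_RESOURCE, while a legacy PR_SET_MM_* option is refused with EPERM
 * before the kernel validates the address at all.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>   /* PR_SET_MM*, struct prctl_mm_map (via linux/prctl.h) */
#include <unistd.h>

#ifndef PR_SET_MM
#define PR_SET_MM 35
#endif
#ifndef PR_SET_MM_START_STACK
#define PR_SET_MM_START_STACK 6
#endif
#ifndef PR_SET_MM_MAP_SIZE
#define PR_SET_MM_MAP_SIZE 15
#endif

#define CAP_SYS_RESOURCE_BIT 24   /* CAP_SYS_RESOURCE in linux/capability.h */

/* Our own result record; names are this example's, not a kernel API. */
struct mm_probe {
    int has_sys_resource;   /* CAP_SYS_RESOURCE present in CapEff of /proc/self/status */
    int map_size_rc;        /* prctl(PR_SET_MM, PR_SET_MM_MAP_SIZE, ...) return value */
    int map_size_errno;
    unsigned int map_size;  /* size the kernel wrote back on success */
    int start_stack_rc;     /* prctl(PR_SET_MM, PR_SET_MM_START_STACK, 0, ...) return value */
    int start_stack_errno;
};

/* Read the effective capability mask of this process from /proc. */
static int have_cap_sys_resource(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    unsigned long long eff = 0;

    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "CapEff: %llx", &eff) == 1)
            break;
    }
    fclose(f);
    return (int)((eff >> CAP_SYS_RESOURCE_BIT) & 1);
}

struct mm_probe probe_pr_set_mm(void)
{
    struct mm_probe p;
    memset(&p, 0, sizeof p);
    p.has_sys_resource = have_cap_sys_resource();

    /* Path 1: reaches prctl_set_mm_map() before the capability test; the
     * MAP_SIZE variant has no side effect besides storing the struct size. */
    errno = 0;
    p.map_size_rc = prctl(PR_SET_MM, PR_SET_MM_MAP_SIZE, &p.map_size, 0UL, 0UL);
    p.map_size_errno = errno;

    /* Path 2: legacy option. capable(CAP_SYS_RESOURCE) runs before the address
     * is inspected, so 0 is a harmless argument: unprivileged callers get EPERM,
     * privileged ones fail address validation instead (address 0 is never a VMA). */
    errno = 0;
    p.start_stack_rc = prctl(PR_SET_MM, PR_SET_MM_START_STACK, 0UL, 0UL, 0UL);
    p.start_stack_errno = errno;
    return p;
}

/* Invariants that hold on any Linux kernel; the asymmetry under discussion is
 * the third one: MAP_SIZE accepted while START_STACK is EPERM for a caller
 * without CAP_SYS_RESOURCE. */
int probe_consistent(const struct mm_probe *p)
{
    if (p->start_stack_rc != -1)
        return 0;
    if (p->map_size_rc == 0 && p->map_size != sizeof(struct prctl_mm_map))
        return 0;
    if (p->map_size_rc == 0 && !p->has_sys_resource && p->start_stack_errno != EPERM)
        return 0;
    return 1;
}

int main(void)
{
    struct mm_probe p = probe_pr_set_mm();

    printf("CAP_SYS_RESOURCE effective: %s\n", p.has_sys_resource ? "yes" : "no");
    if (p.map_size_rc == 0)
        printf("PR_SET_MM_MAP_SIZE: ok, struct prctl_mm_map is %u bytes (no capability needed)\n",
               p.map_size);
    else
        printf("PR_SET_MM_MAP_SIZE: %s (no CONFIG_CHECKPOINT_RESTORE, or prctl filtered)\n",
               strerror(p.map_size_errno));
    printf("PR_SET_MM_START_STACK: %s\n",
           p.start_stack_rc == 0 ? "ok" : strerror(p.start_stack_errno));
    return probe_consistent(&p) ? 0 : 1;
}
```

Run it as an ordinary user on a kernel with CONFIG_CHECKPOINT_RESTORE: the MAP_SIZE call succeeds and the START_STACK call reports "Operation not permitted". The same probe run with CAP_SYS_RESOURCE shows START_STACK failing on address validation instead, which is the point of the message: only the legacy options are gated by the capability, PR_SET_MM_MAP and PR_SET_MM_MAP_SIZE are dispatched before it.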

