http://bugs.winehq.org/show_bug.cgi?id=19732

Summary: Security: use CAP_SYS_RAWIO during start up to map the memory below mmap_min_addr instead of permanently lowering it at install time
Product: Wine
Version: 1.1.21
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs(a)winehq.org
ReportedBy: scott(a)open-vote.org

Background: In order to work around the mmap_min_addr setting introduced a while back that breaks Wine, many Wine packages now install conf files to /etc/sysctl.d/ that disable mmap_min_addr entirely. This reduces security of the system, as any kernel null pointer dereference bug can root the machine. One such bug was found to be open for 8 years. This launchpad bug gives hints at what we need to do to implement this within Wine properly.

----
From Launchpad:
I would like to see wine and dosemu using filesystem capabilities to temporarily grant themselves CAP_SYS_RAWIO during start up to map the memory below mmap_min_addr, instead of requiring that the entire running system have their mmap_min_addr lowered. Implementing this would involve two halves: setting up the filesystem capabilities when the package installed (postinst most likely), and dropping the capability once the program had allocated memory.

Here is a quick example of how to mark an executable with a capability: http://www.friedhoff.org/posixfilecaps.html#Examples%20-%20Substitution%20of... They use numeric values, but it may be more readable to use text version:

    sudo setcap cap_sys_rawio=ep low-mmap

(setcap is in libcap2-bin)

Part 2 involves dropping the capability: http://git.0pointer.de/?p=pulseaudio.git;a=blob;f=src/daemon/caps.c;hb=86dee... the pa_drop_caps and shows how to drop capabilities, and pa_have_caps shows how to test for a specific capability. (In the example's case, CAP_SYS_NICE.)

(sorry, lost some context for my setcap paste: "low-mmap" is the program I was setting capabilities on. "cap_sys_rawio" is the textual version of the capabilities.)
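The two halves described above (test for the capability, do the one privileged mapping below mmap_min_addr, then drop the capability for good) as an added example written for this page; it is not Wine's, dosemu's or pulseaudio's code. It assumes Linux, a binary marked with `setcap cap_sys_rawio=ep`, and uses the raw capget/capset syscalls instead of libcap; the low address 0x1000 is an assumed example value.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Return 1 if `cap` is in the calling thread's effective set, 0 if not,
 * -1 on error. Same role as pulseaudio's pa_have_caps, without libcap. */
int have_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];   /* v3 uses two 32-bit words */
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[cap / 32].effective >> (cap % 32)) & 1;
}

/* Clear the effective, permitted and inheritable sets. Reducing privilege is
 * always permitted, and once permitted is empty the process cannot regain it. */
int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Map one anonymous page at `addr`, which is below vm.mmap_min_addr.
 * Returns MAP_FAILED with errno == EPERM when CAP_SYS_RAWIO is not held. */
void *map_low_page(void *addr)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return mmap(addr, page, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
}

int main(void)
{
    void *low = map_low_page((void *)0x1000);   /* assumed example address */
    if (low == MAP_FAILED)
        fprintf(stderr, "low mapping refused: %s\n", strerror(errno));
    /* The capability has done its one job; drop it before running anything else. */
    if (drop_all_caps() != 0) { perror("capset"); return 1; }
    printf("CAP_SYS_RAWIO still effective: %d\n", have_cap(CAP_SYS_RAWIO));
    return 0;
}
```

Run it once without setcap to see the EPERM refusal, then after `setcap cap_sys_rawio=ep` to see the mapping succeed while the final check still reports 0.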