diff options
author | Eric Paris <eparis@redhat.com> | 2009-07-31 12:54:11 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-08-17 01:09:11 -0400 |
commit | 788084aba2ab7348257597496befcbccabdc98a3 (patch) | |
tree | 2da42d746d67b16ef705229a1b5a3528ec19c725 /kernel | |
parent | 8cf948e744e0218af604c32edecde10006dc8e9e (diff) |
Security/SELinux: seperate lsm specific mmap_min_addr
Currently SELinux enforcement of controls on the ability to map low memory
is determined by the mmap_min_addr tunable. This patch causes SELinux to
ignore the tunable and instead use a seperate Kconfig option specific to how
much space the LSM should protect.
The tunable will now only control the need for CAP_SYS_RAWIO and SELinux
permissions will always protect the amount of low memory designated by
CONFIG_LSM_MMAP_MIN_ADDR.
This allows users who need to disable the mmap_min_addr controls (usual reason
being they run WINE as a non-root user) to do so and still have SELinux
controls preventing confined domains (like a web server) from being able to
map some area of low memory.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/sysctl.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 98e02328c67d..58be76017fd0 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c | |||
@@ -49,6 +49,7 @@ | |||
49 | #include <linux/acpi.h> | 49 | #include <linux/acpi.h> |
50 | #include <linux/reboot.h> | 50 | #include <linux/reboot.h> |
51 | #include <linux/ftrace.h> | 51 | #include <linux/ftrace.h> |
52 | #include <linux/security.h> | ||
52 | #include <linux/slow-work.h> | 53 | #include <linux/slow-work.h> |
53 | #include <linux/perf_counter.h> | 54 | #include <linux/perf_counter.h> |
54 | 55 | ||
@@ -1306,10 +1307,10 @@ static struct ctl_table vm_table[] = { | |||
1306 | { | 1307 | { |
1307 | .ctl_name = CTL_UNNUMBERED, | 1308 | .ctl_name = CTL_UNNUMBERED, |
1308 | .procname = "mmap_min_addr", | 1309 | .procname = "mmap_min_addr", |
1309 | .data = &mmap_min_addr, | 1310 | .data = &dac_mmap_min_addr, |
1310 | .maxlen = sizeof(unsigned long), | 1311 | .maxlen = sizeof(unsigned long), |
1311 | .mode = 0644, | 1312 | .mode = 0644, |
1312 | .proc_handler = &proc_doulongvec_minmax, | 1313 | .proc_handler = &mmap_min_addr_handler, |
1313 | }, | 1314 | }, |
1314 | #ifdef CONFIG_NUMA | 1315 | #ifdef CONFIG_NUMA |
1315 | { | 1316 | { |