diff options
author | Eric Paris <eparis@redhat.com> | 2009-07-31 12:53:58 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-08-05 19:02:17 -0400 |
commit | 7c73875e7dda627040b12c19b01db634fa7f0fd1 (patch) | |
tree | f8f4df20bdcafb1bd981c8a7b0797d13b2625b27 /security/commoncap.c | |
parent | 012a5299a29672039f42944a37984558393ef769 (diff) |
Capabilities: move cap_file_mmap to commoncap.c
Currently we duplicate the mmap_min_addr test in cap_file_mmap and in
security_file_mmap if !CONFIG_SECURITY. This patch moves cap_file_mmap
into commoncap.c and then calls that function directly from
security_file_mmap ifndef CONFIG_SECURITY like all of the other capability
checks are done.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/commoncap.c')
-rw-r--r-- | security/commoncap.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index aa97704564d4..3852e9432801 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
@@ -984,3 +984,33 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages) | |||
984 | cap_sys_admin = 1; | 984 | cap_sys_admin = 1; |
985 | return __vm_enough_memory(mm, pages, cap_sys_admin); | 985 | return __vm_enough_memory(mm, pages, cap_sys_admin); |
986 | } | 986 | } |
987 | |||
988 | /* | ||
989 | * cap_file_mmap - check if able to map given addr | ||
990 | * @file: unused | ||
991 | * @reqprot: unused | ||
992 | * @prot: unused | ||
993 | * @flags: unused | ||
994 | * @addr: address attempting to be mapped | ||
995 | * @addr_only: unused | ||
996 | * | ||
997 | * If the process is attempting to map memory below mmap_min_addr they need | ||
998 | * CAP_SYS_RAWIO. The other parameters to this function are unused by the | ||
999 | * capability security module. Returns 0 if this mapping should be allowed | ||
1000 | * -EPERM if not. | ||
1001 | */ | ||
1002 | int cap_file_mmap(struct file *file, unsigned long reqprot, | ||
1003 | unsigned long prot, unsigned long flags, | ||
1004 | unsigned long addr, unsigned long addr_only) | ||
1005 | { | ||
1006 | int ret = 0; | ||
1007 | |||
1008 | if (addr < mmap_min_addr) { | ||
1009 | ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO, | ||
1010 | SECURITY_CAP_AUDIT); | ||
1011 | /* set PF_SUPERPRIV if it turns out we allow the low mmap */ | ||
1012 | if (ret == 0) | ||
1013 | current->flags |= PF_SUPERPRIV; | ||
1014 | } | ||
1015 | return ret; | ||
1016 | } | ||