aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorChristoph Lameter <cl@linux-foundation.org>2009-06-03 16:04:31 -0400
committerJames Morris <jmorris@namei.org>2009-06-03 22:07:48 -0400
commite0a94c2a63f2644826069044649669b5e7ca75d3 (patch)
treedebf8a9af6ac23dadd116dc1cd1f9dcefe9629c6 /security
parent7d2948b1248109dbc7f4aaf9867c54b1912d494c (diff)
security: use mmap_min_addr indepedently of security models
This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY. It also sets a default mmap_min_addr of 4096. mmapping of addresses below 4096 will only be possible for processes with CAP_SYS_RAWIO. Signed-off-by: Christoph Lameter <cl@linux-foundation.org> Acked-by: Eric Paris <eparis@redhat.com> Looks-ok-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/Kconfig22
-rw-r--r--security/security.c3
2 files changed, 1 insertions, 24 deletions
diff --git a/security/Kconfig b/security/Kconfig
index bb244774e9d7..d23c839038f0 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -110,28 +110,8 @@ config SECURITY_ROOTPLUG
110 110
111 See <http://www.linuxjournal.com/article.php?sid=6279> for 111 See <http://www.linuxjournal.com/article.php?sid=6279> for
112 more information about this module. 112 more information about this module.
113
114 If you are unsure how to answer this question, answer N.
115
116config SECURITY_DEFAULT_MMAP_MIN_ADDR
117 int "Low address space to protect from user allocation"
118 depends on SECURITY
119 default 0
120 help
121 This is the portion of low virtual memory which should be protected
122 from userspace allocation. Keeping a user from writing to low pages
123 can help reduce the impact of kernel NULL pointer bugs.
124
125 For most ia64, ppc64 and x86 users with lots of address space
126 a value of 65536 is reasonable and should cause no problems.
127 On arm and other archs it should not be higher than 32768.
128 Programs which use vm86 functionality would either need additional
129 permissions from either the LSM or the capabilities module or have
130 this protection disabled.
131
132 This value can be changed after boot using the
133 /proc/sys/vm/mmap_min_addr tunable.
134 113
114 If you are unsure how to answer this question, answer N.
135 115
136source security/selinux/Kconfig 116source security/selinux/Kconfig
137source security/smack/Kconfig 117source security/smack/Kconfig
diff --git a/security/security.c b/security/security.c
index 5284255c5cdf..dc7674fbfc7a 100644
--- a/security/security.c
+++ b/security/security.c
@@ -26,9 +26,6 @@ extern void security_fixup_ops(struct security_operations *ops);
26 26
27struct security_operations *security_ops; /* Initialized to NULL */ 27struct security_operations *security_ops; /* Initialized to NULL */
28 28
29/* amount of vm to protect from userspace access */
30unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR;
31
32static inline int verify(struct security_operations *ops) 29static inline int verify(struct security_operations *ops)
33{ 30{
34 /* verify the security_operations structure exists */ 31 /* verify the security_operations structure exists */