diff options
| -rw-r--r-- | security/selinux/hooks.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e65677da36bd..8a78f584f46e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -3034,9 +3034,21 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot, | |||
| 3034 | int rc = 0; | 3034 | int rc = 0; |
| 3035 | u32 sid = current_sid(); | 3035 | u32 sid = current_sid(); |
| 3036 | 3036 | ||
| 3037 | if (addr < mmap_min_addr) | 3037 | /* |
| 3038 | * notice that we are intentionally putting the SELinux check before | ||
| 3039 | * the secondary cap_file_mmap check. This is such a likely attempt | ||
| 3040 | * at bad behaviour/exploit that we always want to get the AVC, even | ||
| 3041 | * if DAC would have also denied the operation. | ||
| 3042 | */ | ||
| 3043 | if (addr < mmap_min_addr) { | ||
| 3038 | rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, | 3044 | rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, |
| 3039 | MEMPROTECT__MMAP_ZERO, NULL); | 3045 | MEMPROTECT__MMAP_ZERO, NULL); |
| 3046 | if (rc) | ||
| 3047 | return rc; | ||
| 3048 | } | ||
| 3049 | |||
| 3050 | /* do DAC check on address space usage */ | ||
| 3051 | rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); | ||
| 3040 | if (rc || addr_only) | 3052 | if (rc || addr_only) |
| 3041 | return rc; | 3053 | return rc; |
| 3042 | 3054 | ||