-rw-r--r--include/linux/security.h3
-rw-r--r--security/apparmor/lsm.c2
-rw-r--r--security/commoncap.c32
-rw-r--r--security/selinux/hooks.c2
-rw-r--r--security/smack/smack_lsm.c2
5 files changed, 28 insertions, 13 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index ab0e091ce5fa..4ad59c9fa731 100644
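--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -86,6 +86,7 @@ extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
 extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
 extern int cap_inode_need_killpriv(struct dentry *dentry);
 extern int cap_inode_killpriv(struct dentry *dentry);
+extern int cap_mmap_addr(unsigned long addr);
 extern int cap_file_mmap(struct file *file, unsigned long reqprot,
  unsigned long prot, unsigned long flags,
  unsigned long addr, unsigned long addr_only);
@@ -2187,7 +2188,7 @@ static inline int security_file_mmap(struct file *file, unsigned long reqprot,
  unsigned long addr,
  unsigned long addr_only)
 {
- return cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+ return cap_mmap_addr(addr);
 }
 
 static inline int security_file_mprotect(struct vm_area_struct *vma,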
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 032daab449b0..8430d8937afb 100644
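--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -497,7 +497,7 @@ static int apparmor_file_mmap(struct file *file, unsigned long reqprot,
  int rc = 0;
 
  /* do DAC check */
- rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+ rc = cap_mmap_addr(addr);
  if (rc || addr_only)
  return rc;
 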
diff --git a/security/commoncap.c b/security/commoncap.c
index e771cb1b2d79..ebac3618896e 100644
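--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -958,22 +958,15 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
 }
 
 /*
- * cap_file_mmap - check if able to map given addr
- * @file: unused
- * @reqprot: unused
- * @prot: unused
- * @flags: unused
+ * cap_mmap_addr - check if able to map given addr
  * @addr: address attempting to be mapped
- * @addr_only: unused
  *
  * If the process is attempting to map memory below dac_mmap_min_addr they need
  * CAP_SYS_RAWIO. The other parameters to this function are unused by the
  * capability security module. Returns 0 if this mapping should be allowed
  * -EPERM if not.
  */
-int cap_file_mmap(struct file *file, unsigned long reqprot,
- unsigned long prot, unsigned long flags,
- unsigned long addr, unsigned long addr_only)
+int cap_mmap_addr(unsigned long addr)
 {
  int ret = 0;
 
@@ -986,3 +979,24 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
  }
  return ret;
 }
+
+/*
+ * cap_file_mmap - check if able to map given addr
+ * @file: unused
+ * @reqprot: unused
+ * @prot: unused
+ * @flags: unused
+ * @addr: address attempting to be mapped
+ * @addr_only: unused
+ *
+ * If the process is attempting to map memory below dac_mmap_min_addr they need
+ * CAP_SYS_RAWIO. The other parameters to this function are unused by the
+ * capability security module. Returns 0 if this mapping should be allowed
+ * -EPERM if not.
+ */
+int cap_file_mmap(struct file *file, unsigned long reqprot,
+ unsigned long prot, unsigned long flags,
+ unsigned long addr, unsigned long addr_only)
+{
+ return cap_mmap_addr(addr);
+}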
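Review bot: The header comment on the new cap_mmap_addr() (new lines 961-968) still says "The other parameters to this function are unused by the capability security module", but the function now takes only `addr`, so that sentence is stale and should be dropped from this copy. The retained cap_file_mmap() repeats the whole description of the check even though it is now a one-line forwarder. Its comment would be more useful as ` * Wrapper kept for the file_mmap hook signature: ignores everything except @addr and returns cap_mmap_addr(@addr).` The body of cap_mmap_addr() between the two hunks is outside the visible lines, so the dac_mmap_min_addr / CAP_SYS_RAWIO behaviour described here is taken from the comment rather than checked against the code.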
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index fa2341b68331..25c125eaa3d8 100644
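--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3104,7 +3104,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
  }
 
  /* do DAC check on address space usage */
- rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+ rc = cap_mmap_addr(addr);
  if (rc || addr_only)
  return rc;
 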
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index d583c0545808..a62197718768 100644
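--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1199,7 +1199,7 @@ static int smack_file_mmap(struct file *file,
  int rc;
 
  /* do DAC check on address space usage */
- rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+ rc = cap_mmap_addr(addr);
  if (rc || addr_only)
  return rc;
 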