-rw-r--r-- | include/linux/security.h | 3 | ||||
-rw-r--r-- | security/apparmor/lsm.c | 2 | ||||
-rw-r--r-- | security/commoncap.c | 32 | ||||
-rw-r--r-- | security/selinux/hooks.c | 2 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 2 |
5 files changed, 28 insertions, 13 deletions
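--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -86,6 +86,7 @@ extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
 extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
 extern int cap_inode_need_killpriv(struct dentry *dentry);
 extern int cap_inode_killpriv(struct dentry *dentry);
+extern int cap_mmap_addr(unsigned long addr);
 extern int cap_file_mmap(struct file *file, unsigned long reqprot,
 unsigned long prot, unsigned long flags,
 unsigned long addr, unsigned long addr_only);
@@ -2187,7 +2188,7 @@ static inline int security_file_mmap(struct file *file, unsigned long reqprot,
 unsigned long addr,
 unsigned long addr_only)
 {
-return cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+return cap_mmap_addr(addr);
 }
 
 static inline int security_file_mprotect(struct vm_area_struct *vma,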
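--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -497,7 +497,7 @@ static int apparmor_file_mmap(struct file *file, unsigned long reqprot,
 int rc = 0;
 
 /* do DAC check */
-rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+rc = cap_mmap_addr(addr);
 if (rc || addr_only)
 return rc;
 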
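--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -958,22 +958,15 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
 }
 
 /*
-* cap_file_mmap - check if able to map given addr
-* @file: unused
-* @reqprot: unused
-* @prot: unused
-* @flags: unused
+* cap_mmap_addr - check if able to map given addr
 * @addr: address attempting to be mapped
-* @addr_only: unused
 *
 * If the process is attempting to map memory below dac_mmap_min_addr they need
 * CAP_SYS_RAWIO. The other parameters to this function are unused by the
 * capability security module. Returns 0 if this mapping should be allowed
 * -EPERM if not.
 */
-int cap_file_mmap(struct file *file, unsigned long reqprot,
-unsigned long prot, unsigned long flags,
-unsigned long addr, unsigned long addr_only)
+int cap_mmap_addr(unsigned long addr)
 {
 int ret = 0;
 
@@ -986,3 +979,24 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
 }
 return ret;
 }
+
+/*
+* cap_file_mmap - check if able to map given addr
+* @file: unused
+* @reqprot: unused
+* @prot: unused
+* @flags: unused
+* @addr: address attempting to be mapped
+* @addr_only: unused
+*
+* If the process is attempting to map memory below dac_mmap_min_addr they need
+* CAP_SYS_RAWIO. The other parameters to this function are unused by the
+* capability security module. Returns 0 if this mapping should be allowed
+* -EPERM if not.
+*/
+int cap_file_mmap(struct file *file, unsigned long reqprot,
+unsigned long prot, unsigned long flags,
+unsigned long addr, unsigned long addr_only)
+{
+return cap_mmap_addr(addr);
+}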
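Review bot: The comment kept above `cap_mmap_addr()` still says "The other parameters to this function are unused by the capability security module", which is stale now that the function takes only `@addr`. Drop that sentence so the block reads `* CAP_SYS_RAWIO. Returns 0 if this mapping should be allowed, -EPERM if not.` The re-added `cap_file_mmap()` comment duplicates the same description; a shorter one such as `* Wrapper kept for the file_mmap hook signature; only @addr is checked, via cap_mmap_addr().` would tell callers that the low-address check depends on nothing else. The body of `cap_mmap_addr()` lies between the two hunks and is not visible here, so the claim about `dac_mmap_min_addr` and `CAP_SYS_RAWIO` is taken from the comment and not checked against the code.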
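--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3104,7 +3104,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
 }
 
 /* do DAC check on address space usage */
-rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+rc = cap_mmap_addr(addr);
 if (rc || addr_only)
 return rc;
 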
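--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1199,7 +1199,7 @@ static int smack_file_mmap(struct file *file,
 int rc;
 
 /* do DAC check on address space usage */
-rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+rc = cap_mmap_addr(addr);
 if (rc || addr_only)
 return rc;
 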