1 files changed, 49 insertions, 0 deletions
diff --git a/security/min_addr.c b/security/min_addr.c
new file mode 100644
index 000000000000..14cc7b3b8d03
--- /dev/null
+++ b/security/min_addr.c
@@ -0,0 +1,49 @@
+#include <linux/init.h>
+#include <linux/mm.h>
+#include <linux/security.h>
+#include <linux/sysctl.h>
+/* amount of vm to protect from userspace access by both DAC and the LSM*/
+unsigned long mmap_min_addr;
+/* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
+unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
+/* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
+/*
+ * Update mmap_min_addr = max(dac_mmap_min_addr, CONFIG_LSM_MMAP_MIN_ADDR)
+ */
+static void update_mmap_min_addr(void)
+{
+#ifdef CONFIG_LSM_MMAP_MIN_ADDR
+        if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
+                mmap_min_addr = dac_mmap_min_addr;
+        else
+                mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
+#else
+        mmap_min_addr = dac_mmap_min_addr;
+#endif
+}
+/*
+ * sysctl handler which just sets dac_mmap_min_addr = the new value and then
+ * calls update_mmap_min_addr() so non MAP_FIXED hints get rounded properly
+ */
+int mmap_min_addr_handler(struct ctl_table *table, int write, struct file *filp,
+                          void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+        int ret;
+        ret = proc_doulongvec_minmax(table, write, filp, buffer, lenp, ppos);
+        update_mmap_min_addr();
+        return ret;
+}
+int __init init_mmap_min_addr(void)
+{
+        update_mmap_min_addr();
+        return 0;
+}
+pure_initcall(init_mmap_min_addr);

diff --git a/security/min_addr.c b/security/min_addr.c new file mode 100644 index 000000000000..14cc7b3b8d03 --- /dev/null +++ b/security/min_addr.c
@@ -0,0 +1,49 @@
	1	#include <linux/init.h>
	2	#include <linux/mm.h>
	3	#include <linux/security.h>
	4	#include <linux/sysctl.h>
	5
	6	/* amount of vm to protect from userspace access by both DAC and the LSM*/
	7	unsigned long mmap_min_addr;
	8	/* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
	9	unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
	10	/* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
	11
	12	/*
	13	* Update mmap_min_addr = max(dac_mmap_min_addr, CONFIG_LSM_MMAP_MIN_ADDR)
	14	*/
	15	static void update_mmap_min_addr(void)
	16	{
	17	#ifdef CONFIG_LSM_MMAP_MIN_ADDR
	18	if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
	19	mmap_min_addr = dac_mmap_min_addr;
	20	else
	21	mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
	22	#else
	23	mmap_min_addr = dac_mmap_min_addr;
	24	#endif
	25	}
	26
	27	/*
	28	* sysctl handler which just sets dac_mmap_min_addr = the new value and then
	29	* calls update_mmap_min_addr() so non MAP_FIXED hints get rounded properly
	30	*/
	31	int mmap_min_addr_handler(struct ctl_table table, int write, struct file filp,
	32	void __user buffer, size_t lenp, loff_t *ppos)
	33	{
	34	int ret;
	35
	36	ret = proc_doulongvec_minmax(table, write, filp, buffer, lenp, ppos);
	37
	38	update_mmap_min_addr();
	39
	40	return ret;
	41	}
	42
	43	int __init init_mmap_min_addr(void)
	44	{
	45	update_mmap_min_addr();
	46
	47	return 0;
	48	}
	49	pure_initcall(init_mmap_min_addr);