aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e65677da36bd..8a78f584f46e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3034,9 +3034,21 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3034 int rc = 0; 3034 int rc = 0;
3035 u32 sid = current_sid(); 3035 u32 sid = current_sid();
3036 3036
3037 if (addr < mmap_min_addr) 3037 /*
3038 * notice that we are intentionally putting the SELinux check before
3039 * the secondary cap_file_mmap check. This is such a likely attempt
3040 * at bad behaviour/exploit that we always want to get the AVC, even
3041 * if DAC would have also denied the operation.
3042 */
3043 if (addr < mmap_min_addr) {
3038 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3044 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3039 MEMPROTECT__MMAP_ZERO, NULL); 3045 MEMPROTECT__MMAP_ZERO, NULL);
3046 if (rc)
3047 return rc;
3048 }
3049
3050 /* do DAC check on address space usage */
3051 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3040 if (rc || addr_only) 3052 if (rc || addr_only)
3041 return rc; 3053 return rc;
3042 3054