Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c20
1 files changed, 8 insertions, 12 deletions
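diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0e68bdbe020a..1dd948485e48 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3188,24 +3188,20 @@ error:
 
 static int selinux_mmap_addr(unsigned long addr)
 {
- int rc = 0;
- u32 sid = current_sid();
+ int rc;
+
+ /* do DAC check on address space usage */
+ rc = cap_mmap_addr(addr);
+ if (rc)
+ return rc;
 
- /*
- * notice that we are intentionally putting the SELinux check before
- * the secondary cap_file_mmap check. This is such a likely attempt
- * at bad behaviour/exploit that we always want to get the AVC, even
- * if DAC would have also denied the operation.
- */
  if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
+ u32 sid = current_sid();
  rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
  MEMPROTECT__MMAP_ZERO, NULL);
- if (rc)
- return rc;
  }
 
- /* do DAC check on address space usage */
- return cap_mmap_addr(addr);
+ return rc;
 }
 
 static int selinux_mmap_file(struct file *file, unsigned long reqprot,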
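Review bot: The new body of selinux_mmap_addr() reverses the check order without replacing the removed comment, which explained that the SELinux check ran first so an AVC was always produced for low-address mappings, even when DAC would also deny. Because `cap_mmap_addr(addr)` now returns early on failure, a request refused by the DAC check never reaches `avc_has_perm()`. Presumably no MEMPROTECT__MMAP_ZERO denial is recorded for such a request, so monitoring that keys on that AVC would no longer see those attempts. If the reduced audit coverage is intended, document it above the `if (addr < CONFIG_LSM_MMAP_MIN_ADDR)` test, for example `/* DAC is checked first; a request it denies produces no mmap_zero AVC */`.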