5 files changed, 68 insertions, 3 deletions
diff --git a/security/Kconfig b/security/Kconfig
index d23c839038f0..9c60c346a91d 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -113,6 +113,22 @@ config SECURITY_ROOTPLUG
          If you are unsure how to answer this question, answer N.
+config LSM_MMAP_MIN_ADDR
+        int "Low address space for LSM to from user allocation"
+        depends on SECURITY && SECURITY_SELINUX
+        default 65535
+        help
+          This is the portion of low virtual memory which should be protected
+          from userspace allocation.  Keeping a user from writing to low pages
+          can help reduce the impact of kernel NULL pointer bugs.
+          For most ia64, ppc64 and x86 users with lots of address space
+          a value of 65536 is reasonable and should cause no problems.
+          On arm and other archs it should not be higher than 32768.
+          Programs which use vm86 functionality or have some need to map
+          this low address space will need the permission specific to the
+          systems running LSM.
 source security/selinux/Kconfig
 source security/smack/Kconfig
 source security/tomoyo/Kconfig
diff --git a/security/Makefile b/security/Makefile
index c67557cdaa85..b56e7f9ecbc2 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -8,7 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK)		+= smack
 subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo
 # always enable default capabilities
-obj-y           += commoncap.o
+obj-y           += commoncap.o min_addr.o
 # Object file lists
 obj-$(CONFIG_SECURITY)                  += security.o capability.o
diff --git a/security/commoncap.c b/security/commoncap.c
index 3852e9432801..fe30751a6cd9 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1005,7 +1005,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
 {
        int ret = 0;
-        if (addr < mmap_min_addr) {
+        if (addr < dac_mmap_min_addr) {
                ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
                                  SECURITY_CAP_AUDIT);
                /* set PF_SUPERPRIV if it turns out we allow the low mmap */
diff --git a/security/min_addr.c b/security/min_addr.c
new file mode 100644
index 000000000000..14cc7b3b8d03
--- /dev/null
+++ b/security/min_addr.c
@@ -0,0 +1,49 @@
+#include <linux/init.h>
+#include <linux/mm.h>
+#include <linux/security.h>
+#include <linux/sysctl.h>
+/* amount of vm to protect from userspace access by both DAC and the LSM*/
+unsigned long mmap_min_addr;
+/* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
+unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
+/* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
+/*
+ * Update mmap_min_addr = max(dac_mmap_min_addr, CONFIG_LSM_MMAP_MIN_ADDR)
+ */
+static void update_mmap_min_addr(void)
+{
+#ifdef CONFIG_LSM_MMAP_MIN_ADDR
+        if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
+                mmap_min_addr = dac_mmap_min_addr;
+        else
+                mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
+#else
+        mmap_min_addr = dac_mmap_min_addr;
+#endif
+}
+/*
+ * sysctl handler which just sets dac_mmap_min_addr = the new value and then
+ * calls update_mmap_min_addr() so non MAP_FIXED hints get rounded properly
+ */
+int mmap_min_addr_handler(struct ctl_table *table, int write, struct file *filp,
+                          void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+        int ret;
+        ret = proc_doulongvec_minmax(table, write, filp, buffer, lenp, ppos);
+        update_mmap_min_addr();
+        return ret;
+}
+int __init init_mmap_min_addr(void)
+{
+        update_mmap_min_addr();
+        return 0;
+}
+pure_initcall(init_mmap_min_addr);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8a78f584f46e..5dee88362e71 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3040,7 +3040,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
         * at bad behaviour/exploit that we always want to get the AVC, even
         * if DAC would have also denied the operation.
         */
-        if (addr < mmap_min_addr) {
+        if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
                rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
                                  MEMPROTECT__MMAP_ZERO, NULL);
                if (rc)

diff --git a/security/Kconfig b/security/Kconfig index d23c839038f0..9c60c346a91d 100644 --- a/security/Kconfig +++ b/security/Kconfig
@@ -113,6 +113,22 @@ config SECURITY_ROOTPLUG
113		113
114	If you are unsure how to answer this question, answer N.	114	If you are unsure how to answer this question, answer N.
115		115
		116	config LSM_MMAP_MIN_ADDR
		117	int "Low address space for LSM to from user allocation"
		118	depends on SECURITY && SECURITY_SELINUX
		119	default 65535
		120	help
		121	This is the portion of low virtual memory which should be protected
		122	from userspace allocation. Keeping a user from writing to low pages
		123	can help reduce the impact of kernel NULL pointer bugs.
		124
		125	For most ia64, ppc64 and x86 users with lots of address space
		126	a value of 65536 is reasonable and should cause no problems.
		127	On arm and other archs it should not be higher than 32768.
		128	Programs which use vm86 functionality or have some need to map
		129	this low address space will need the permission specific to the
		130	systems running LSM.
		131
116	source security/selinux/Kconfig	132	source security/selinux/Kconfig
117	source security/smack/Kconfig	133	source security/smack/Kconfig
118	source security/tomoyo/Kconfig	134	source security/tomoyo/Kconfig


diff --git a/security/Makefile b/security/Makefile index c67557cdaa85..b56e7f9ecbc2 100644 --- a/security/Makefile +++ b/security/Makefile
@@ -8,7 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack
8	subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo	8	subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
9		9
10	# always enable default capabilities	10	# always enable default capabilities
11	obj-y += commoncap.o	11	obj-y += commoncap.o min_addr.o
12		12
13	# Object file lists	13	# Object file lists
14	obj-$(CONFIG_SECURITY) += security.o capability.o	14	obj-$(CONFIG_SECURITY) += security.o capability.o


diff --git a/security/commoncap.c b/security/commoncap.c index 3852e9432801..fe30751a6cd9 100644 --- a/security/commoncap.c +++ b/security/commoncap.c
@@ -1005,7 +1005,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
1005	{	1005	{
1006	int ret = 0;	1006	int ret = 0;
1007		1007
1008	if (addr < mmap_min_addr) {	1008	if (addr < dac_mmap_min_addr) {
1009	ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,	1009	ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
1010	SECURITY_CAP_AUDIT);	1010	SECURITY_CAP_AUDIT);
1011	/* set PF_SUPERPRIV if it turns out we allow the low mmap */	1011	/* set PF_SUPERPRIV if it turns out we allow the low mmap */


diff --git a/security/min_addr.c b/security/min_addr.c new file mode 100644 index 000000000000..14cc7b3b8d03 --- /dev/null +++ b/security/min_addr.c
@@ -0,0 +1,49 @@
		1	#include <linux/init.h>
		2	#include <linux/mm.h>
		3	#include <linux/security.h>
		4	#include <linux/sysctl.h>
		5
		6	/* amount of vm to protect from userspace access by both DAC and the LSM*/
		7	unsigned long mmap_min_addr;
		8	/* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
		9	unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
		10	/* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
		11
		12	/*
		13	* Update mmap_min_addr = max(dac_mmap_min_addr, CONFIG_LSM_MMAP_MIN_ADDR)
		14	*/
		15	static void update_mmap_min_addr(void)
		16	{
		17	#ifdef CONFIG_LSM_MMAP_MIN_ADDR
		18	if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
		19	mmap_min_addr = dac_mmap_min_addr;
		20	else
		21	mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
		22	#else
		23	mmap_min_addr = dac_mmap_min_addr;
		24	#endif
		25	}
		26
		27	/*
		28	* sysctl handler which just sets dac_mmap_min_addr = the new value and then
		29	* calls update_mmap_min_addr() so non MAP_FIXED hints get rounded properly
		30	*/
		31	int mmap_min_addr_handler(struct ctl_table table, int write, struct file filp,
		32	void __user buffer, size_t lenp, loff_t *ppos)
		33	{
		34	int ret;
		35
		36	ret = proc_doulongvec_minmax(table, write, filp, buffer, lenp, ppos);
		37
		38	update_mmap_min_addr();
		39
		40	return ret;
		41	}
		42
		43	int __init init_mmap_min_addr(void)
		44	{
		45	update_mmap_min_addr();
		46
		47	return 0;
		48	}
		49	pure_initcall(init_mmap_min_addr);


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8a78f584f46e..5dee88362e71 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -3040,7 +3040,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3040	* at bad behaviour/exploit that we always want to get the AVC, even	3040	* at bad behaviour/exploit that we always want to get the AVC, even
3041	* if DAC would have also denied the operation.	3041	* if DAC would have also denied the operation.
3042	*/	3042	*/
3043	if (addr < mmap_min_addr) {	3043	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3044	rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,	3044	rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3045	MEMPROTECT__MMAP_ZERO, NULL);	3045	MEMPROTECT__MMAP_ZERO, NULL);
3046	if (rc)	3046	if (rc)