diff options
| author | David S. Miller <davem@davemloft.net> | 2009-09-04 02:22:21 -0700 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2009-09-04 02:22:21 -0700 |
| commit | a29889a5369d2604c2053bcd051519a2445d8a70 (patch) | |
| tree | b17e8258894d079b4168994d9438ba7d6e7d1523 /security/selinux/hooks.c | |
| parent | e7a088f935180b90cfe6ab0aaae8a556f46885fe (diff) | |
| parent | 37d0892c5a94e208cf863e3b7bac014edee4346d (diff) | |
| download | kernel-crypto-a29889a5369d2604c2053bcd051519a2445d8a70.tar.gz kernel-crypto-a29889a5369d2604c2053bcd051519a2445d8a70.tar.xz kernel-crypto-a29889a5369d2604c2053bcd051519a2445d8a70.zip | |
Merge branch 'master' of /home/davem/src/GIT/linux-2.6/
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1e8cfc4c2ed..8d8b69c5664 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3030,9 +3030,21 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot, int rc = 0; u32 sid = current_sid(); - if (addr < mmap_min_addr) + /* + * notice that we are intentionally putting the SELinux check before + * the secondary cap_file_mmap check. This is such a likely attempt + * at bad behaviour/exploit that we always want to get the AVC, even + * if DAC would have also denied the operation. + */ + if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, NULL); + if (rc) + return rc; + } + + /* do DAC check on address space usage */ + rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); if (rc || addr_only) return rc; |