split cap_mmap_addr() out of cap_file_mmap()

tjh.dev / kernel

fork atom

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

fork atom

split cap_mmap_addr() out of cap_file_mmap()

... switch callers.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Al Viro 14 years ago d007794a cf74d14c

+29 -14

5 changed files

expand all

include

linux

security.h

security

apparmor

lsm.c

commoncap.c

selinux

hooks.c

smack

smack_lsm.c

+2 -1

include/linux/security.h

··· 86 86 extern int cap_inode_removexattr(struct dentry *dentry, const char *name); 87 87 extern int cap_inode_need_killpriv(struct dentry *dentry); 88 88 extern int cap_inode_killpriv(struct dentry *dentry); 89 + extern int cap_mmap_addr(unsigned long addr); 89 90 extern int cap_file_mmap(struct file *file, unsigned long reqprot, 90 91 unsigned long prot, unsigned long flags, 91 92 unsigned long addr, unsigned long addr_only); ··· 2188 2187 unsigned long addr, 2189 2188 unsigned long addr_only) 2190 2189 { 2191 - return cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); 2190 + return cap_mmap_addr(addr); 2192 2191 } 2193 2192 2194 2193 static inline int security_file_mprotect(struct vm_area_struct *vma,

+1 -1

security/apparmor/lsm.c

··· 497 497 int rc = 0; 498 498 499 499 /* do DAC check */ 500 - rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); 500 + rc = cap_mmap_addr(addr); 501 501 if (rc || addr_only) 502 502 return rc; 503 503

+24 -10

security/commoncap.c

··· 958 958 } 959 959 960 960 /* 961 + * cap_mmap_addr - check if able to map given addr 962 + * @addr: address attempting to be mapped 963 + * 964 + * If the process is attempting to map memory below dac_mmap_min_addr they need 965 + * CAP_SYS_RAWIO. The other parameters to this function are unused by the 966 + * capability security module. Returns 0 if this mapping should be allowed 967 + * -EPERM if not. 968 + */ 969 + int cap_mmap_addr(unsigned long addr) 970 + { 971 + int ret = 0; 972 + 973 + if (addr < dac_mmap_min_addr) { 974 + ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO, 975 + SECURITY_CAP_AUDIT); 976 + /* set PF_SUPERPRIV if it turns out we allow the low mmap */ 977 + if (ret == 0) 978 + current->flags |= PF_SUPERPRIV; 979 + } 980 + return ret; 981 + } 982 + 983 + /* 961 984 * cap_file_mmap - check if able to map given addr 962 985 * @file: unused 963 986 * @reqprot: unused ··· 998 975 unsigned long prot, unsigned long flags, 999 976 unsigned long addr, unsigned long addr_only) 1000 977 { 1001 - int ret = 0; 1002 - 1003 - if (addr < dac_mmap_min_addr) { 1004 - ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO, 1005 - SECURITY_CAP_AUDIT); 1006 - /* set PF_SUPERPRIV if it turns out we allow the low mmap */ 1007 - if (ret == 0) 1008 - current->flags |= PF_SUPERPRIV; 1009 - } 1010 - return ret; 978 + return cap_mmap_addr(addr); 1011 979 }

+1 -1

security/selinux/hooks.c

··· 3104 3104 } 3105 3105 3106 3106 /* do DAC check on address space usage */ 3107 - rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); 3107 + rc = cap_mmap_addr(addr); 3108 3108 if (rc || addr_only) 3109 3109 return rc; 3110 3110

+1 -1

security/smack/smack_lsm.c

··· 1199 1199 int rc; 1200 1200 1201 1201 /* do DAC check on address space usage */ 1202 - rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); 1202 + rc = cap_mmap_addr(addr); 1203 1203 if (rc || addr_only) 1204 1204 return rc; 1205 1205