Re: [patch] mlock-as-nonroot revisted

From: Chris Wright
Date: Tue Aug 03 2004 - 21:30:43 EST

Next message: Nigel Cunningham: "MTRR driver model support broken on SMP."
Previous message: Rik van Riel: "Re: [patch] mlock-as-nonroot revisted"
In reply to: Andrea Arcangeli: "Re: [patch] mlock-as-nonroot revisted"
Next in thread: Chris Wright: "Re: [patch] mlock-as-nonroot revisted"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Andrea Arcangeli (andrea@xxxxxxx) wrote:
> diff -purN linux-2.6.7/fs/hugetlbfs/inode.c linux/fs/hugetlbfs/inode.c
> --- linux-2.6.7/fs/hugetlbfs/inode.c 2004-07-29 11:36:55.744448953
> +0200
> +++ linux/fs/hugetlbfs/inode.c 2004-07-29 11:38:04.292595263 +0200
> @@ -722,7 +722,7 @@ struct file *hugetlb_zero_setup(size_t s
> struct qstr quick_string;
> char buf[16];
>
> - if (!capable(CAP_IPC_LOCK))
> + if (!can_do_mlock())
> return ERR_PTR(-EPERM);
>
> if (!is_hugepage_mem_enough(size))
>
> this breaks local security if you set the rlimit to 1 byte (well, 1 byte
> == disable_cap_mlock).

Right, that's true only for SHM_HUGETLB though, which uses
hugetlb_zero_setup. And _that_ bit is what Rik's follow on patch is
trying to fix. The normal hugetlbfs method using mmap() is unaffected,
AFAICT. And has always been pretty open to using all of max_huge_pages.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Nigel Cunningham: "MTRR driver model support broken on SMP."
Previous message: Rik van Riel: "Re: [patch] mlock-as-nonroot revisted"
In reply to: Andrea Arcangeli: "Re: [patch] mlock-as-nonroot revisted"
Next in thread: Chris Wright: "Re: [patch] mlock-as-nonroot revisted"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]