Re: [PATCH -v2 1/2] VM/SELinux: require CAP_SYS_RAWIO for allmmap_zero operations

From: James Morris
Date: Wed Jul 22 2009 - 09:55:41 EST

Next message: Albin Tonnerre: "[PATCH 1/5] lib/decompress_*: only include <linux/slab.h> if STATIC is not defined"
Previous message: Michael Tokarev: "Re: [resend, trivial] fix missing printk space"
In reply to: James Morris: "Re: [PATCH -v2 1/2] VM/SELinux: require CAP_SYS_RAWIO for allmmap_zero operations"
Next in thread: Christoph Lameter: "Re: [PATCH -v2 1/2] VM/SELinux: require CAP_SYS_RAWIO for allmmap_zero operations"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 21 Jul 2009, Eric Paris wrote:

> error = security_file_mmap(file, reqprot, prot, flags, addr, 0);
> if (error)
> return error;
> +
> + if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
> + return -EACCES;
> +

These DAC checks should happen before the LSM hook, in keeping with the
general design goal of LSM of "DAC before MAC", so that application
behavior remains as consistent as possible.

- James
--
James Morris
<jmorris@xxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Albin Tonnerre: "[PATCH 1/5] lib/decompress_*: only include <linux/slab.h> if STATIC is not defined"
Previous message: Michael Tokarev: "Re: [resend, trivial] fix missing printk space"
In reply to: James Morris: "Re: [PATCH -v2 1/2] VM/SELinux: require CAP_SYS_RAWIO for allmmap_zero operations"
Next in thread: Christoph Lameter: "Re: [PATCH -v2 1/2] VM/SELinux: require CAP_SYS_RAWIO for allmmap_zero operations"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]