Capabilities: move cap_file_mmap to commoncap.c
Currently we duplicate the mmap_min_addr test in cap_file_mmap and in security_file_mmap if !CONFIG_SECURITY. This patch moves cap_file_mmap into commoncap.c and then calls that function directly from security_file_mmap ifndef CONFIG_SECURITY like all of the other capability checks are done. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
parent
894ef820b1
commit
9c0d90103c
3 changed files with 34 additions and 12 deletions
|
@ -66,6 +66,9 @@ extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
|
|||
extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
|
||||
extern int cap_inode_need_killpriv(struct dentry *dentry);
|
||||
extern int cap_inode_killpriv(struct dentry *dentry);
|
||||
extern int cap_file_mmap(struct file *file, unsigned long reqprot,
|
||||
unsigned long prot, unsigned long flags,
|
||||
unsigned long addr, unsigned long addr_only);
|
||||
extern int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags);
|
||||
extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
|
||||
unsigned long arg4, unsigned long arg5);
|
||||
|
@ -2197,9 +2200,7 @@ static inline int security_file_mmap(struct file *file, unsigned long reqprot,
|
|||
unsigned long addr,
|
||||
unsigned long addr_only)
|
||||
{
|
||||
if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
|
||||
return -EACCES;
|
||||
return 0;
|
||||
return cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
|
||||
}
|
||||
|
||||
static inline int security_file_mprotect(struct vm_area_struct *vma,
|
||||
|
|
|
@ -330,15 +330,6 @@ static int cap_file_ioctl(struct file *file, unsigned int command,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int cap_file_mmap(struct file *file, unsigned long reqprot,
|
||||
unsigned long prot, unsigned long flags,
|
||||
unsigned long addr, unsigned long addr_only)
|
||||
{
|
||||
if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
|
||||
return -EACCES;
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
|
||||
unsigned long prot)
|
||||
{
|
||||
|
|
|
@ -984,3 +984,33 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
|
|||
cap_sys_admin = 1;
|
||||
return __vm_enough_memory(mm, pages, cap_sys_admin);
|
||||
}
|
||||
|
||||
/*
|
||||
* cap_file_mmap - check if able to map given addr
|
||||
* @file: unused
|
||||
* @reqprot: unused
|
||||
* @prot: unused
|
||||
* @flags: unused
|
||||
* @addr: address attempting to be mapped
|
||||
* @addr_only: unused
|
||||
*
|
||||
* If the process is attempting to map memory below mmap_min_addr they need
|
||||
* CAP_SYS_RAWIO. The other parameters to this function are unused by the
|
||||
* capability security module. Returns 0 if this mapping should be allowed
|
||||
* -EPERM if not.
|
||||
*/
|
||||
int cap_file_mmap(struct file *file, unsigned long reqprot,
|
||||
unsigned long prot, unsigned long flags,
|
||||
unsigned long addr, unsigned long addr_only)
|
||||
{
|
||||
int ret = 0;
|
||||
|
||||
if (addr < mmap_min_addr) {
|
||||
ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
|
||||
SECURITY_CAP_AUDIT);
|
||||
/* set PF_SUPERPRIV if it turns out we allow the low mmap */
|
||||
if (ret == 0)
|
||||
current->flags |= PF_SUPERPRIV;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue