Capabilities: move cap_file_mmap to commoncap.c
Currently we duplicate the mmap_min_addr test in cap_file_mmap and in security_file_mmap if !CONFIG_SECURITY. This patch moves cap_file_mmap into commoncap.c and then calls that function directly from security_file_mmap ifndef CONFIG_SECURITY like all of the other capability checks are done. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
parent
012a5299a2
commit
7c73875e7d
@ -66,6 +66,9 @@ extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
|
|||||||
extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
|
extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
|
||||||
extern int cap_inode_need_killpriv(struct dentry *dentry);
|
extern int cap_inode_need_killpriv(struct dentry *dentry);
|
||||||
extern int cap_inode_killpriv(struct dentry *dentry);
|
extern int cap_inode_killpriv(struct dentry *dentry);
|
||||||
|
extern int cap_file_mmap(struct file *file, unsigned long reqprot,
|
||||||
|
unsigned long prot, unsigned long flags,
|
||||||
|
unsigned long addr, unsigned long addr_only);
|
||||||
extern int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags);
|
extern int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags);
|
||||||
extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
|
extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
|
||||||
unsigned long arg4, unsigned long arg5);
|
unsigned long arg4, unsigned long arg5);
|
||||||
@ -2197,9 +2200,7 @@ static inline int security_file_mmap(struct file *file, unsigned long reqprot,
|
|||||||
unsigned long addr,
|
unsigned long addr,
|
||||||
unsigned long addr_only)
|
unsigned long addr_only)
|
||||||
{
|
{
|
||||||
if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
|
return cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
|
||||||
return -EACCES;
|
|
||||||
return 0;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int security_file_mprotect(struct vm_area_struct *vma,
|
static inline int security_file_mprotect(struct vm_area_struct *vma,
|
||||||
|
@ -330,15 +330,6 @@ static int cap_file_ioctl(struct file *file, unsigned int command,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int cap_file_mmap(struct file *file, unsigned long reqprot,
|
|
||||||
unsigned long prot, unsigned long flags,
|
|
||||||
unsigned long addr, unsigned long addr_only)
|
|
||||||
{
|
|
||||||
if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
|
|
||||||
return -EACCES;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
|
static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
|
||||||
unsigned long prot)
|
unsigned long prot)
|
||||||
{
|
{
|
||||||
|
@ -984,3 +984,33 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
|
|||||||
cap_sys_admin = 1;
|
cap_sys_admin = 1;
|
||||||
return __vm_enough_memory(mm, pages, cap_sys_admin);
|
return __vm_enough_memory(mm, pages, cap_sys_admin);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* cap_file_mmap - check if able to map given addr
|
||||||
|
* @file: unused
|
||||||
|
* @reqprot: unused
|
||||||
|
* @prot: unused
|
||||||
|
* @flags: unused
|
||||||
|
* @addr: address attempting to be mapped
|
||||||
|
* @addr_only: unused
|
||||||
|
*
|
||||||
|
* If the process is attempting to map memory below mmap_min_addr they need
|
||||||
|
* CAP_SYS_RAWIO. The other parameters to this function are unused by the
|
||||||
|
* capability security module. Returns 0 if this mapping should be allowed
|
||||||
|
* -EPERM if not.
|
||||||
|
*/
|
||||||
|
int cap_file_mmap(struct file *file, unsigned long reqprot,
|
||||||
|
unsigned long prot, unsigned long flags,
|
||||||
|
unsigned long addr, unsigned long addr_only)
|
||||||
|
{
|
||||||
|
int ret = 0;
|
||||||
|
|
||||||
|
if (addr < mmap_min_addr) {
|
||||||
|
ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
|
||||||
|
SECURITY_CAP_AUDIT);
|
||||||
|
/* set PF_SUPERPRIV if it turns out we allow the low mmap */
|
||||||
|
if (ret == 0)
|
||||||
|
current->flags |= PF_SUPERPRIV;
|
||||||
|
}
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
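Review bot: The new cap_file_mmap() changes the errno for a denied mapping below mmap_min_addr, although the commit message describes a pure code move. It now returns the result of cap_capable() unchanged, which its own header comment documents as -EPERM, whereas both copies it replaces (the static cap_file_mmap() removed from the capability module and the !CONFIG_SECURITY inline security_file_mmap()) returned -EACCES. If the new value is intended, say so in the description and check callers and userspace that test for EACCES; if not, keep the old contract with `if (ret) ret = -EACCES;` before the PF_SUPERPRIV test, and correct the comment to match. The header comment also uses kernel-doc `@param:` tags but opens with `/*`, so it should open with `/**`, and its last sentence needs a comma: `Returns 0 if this mapping should be allowed, -EPERM if not.`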