forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/security
History
Kees Cook c907edc64f sysctl: require CAP_SYS_RAWIO to set mmap_min_addr 
commit 0e1a6ef2de upstream.

Currently the mmap_min_addr value can only be bypassed during mmap when
the task has CAP_SYS_RAWIO.  However, the mmap_min_addr sysctl value itself
can be adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO.
This patch adds a check for the capability before allowing mmap_min_addr to
be changed.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-04-01 15:58:16 -07:00
..
integrity/ima ima: replace GFP_KERNEL with GFP_NOFS 2009-11-19 08:42:01 +11:00
keys Keys: KEYCTL_SESSION_TO_PARENT needs TIF_NOTIFY_RESUME architecture support 2010-01-06 15:04:46 -08:00
selinux netlabel: fix export of SELinux categories > 127 2010-03-15 08:49:34 -07:00
smack seq_file: constify seq_operations 2009-09-23 07:39:29 -07:00
tomoyo KEYS: Add a keyctl to install a process's session keyring on its parent [try #6] 2009-09-02 21:29:22 +10:00
capability.c LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information. 2009-09-10 10:11:24 +10:00
commoncap.c Security/SELinux: seperate lsm specific mmap_min_addr 2009-08-17 15:09:11 +10:00
device_cgroup.c cgroups: let ss->can_attach and ss->attach do whole threadgroups at a time 2009-09-24 07:20:58 -07:00
inode.c securityfs: securityfs_remove should handle IS_ERR pointers 2009-05-12 11:06:11 +10:00
Kconfig Merge commit 'v2.6.31-rc8' into x86/txt 2009-09-02 08:17:56 +02:00
lsm_audit.c lsm: Use a compressed IPv6 string format in audit events 2009-09-24 03:50:26 -04:00
Makefile NOMMU: Optimise away the {dac_,}mmap_min_addr tests 2010-01-06 15:04:30 -08:00
min_addr.c sysctl: require CAP_SYS_RAWIO to set mmap_min_addr 2010-04-01 15:58:16 -07:00
root_plug.c rootplug: Remove redundant initialization. 2009-05-27 13:30:46 +10:00
security.c LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information. 2009-09-10 10:11:24 +10:00