sysctl: require CAP_SYS_RAWIO to set mmap_min_addr

Currently the mmap_min_addr value can only be bypassed during mmap when the task has CAP_SYS_RAWIO. However, the mmap_min_addr sysctl value itself can be adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO. This patch adds a check for the capability before allowing mmap_min_addr to be changed. Signed-off-by: Kees Cook <kees.cook@canonical.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Kees Cook <kees.cook@canonical.com> 2009-11-08 09:37:00 -0800
committer: James Morris <jmorris@namei.org> 2009-11-09 08:34:22 +1100
commit: 0e1a6ef2dea88101b056b6d9984f3325c5efced3 (patch)
tree: bef312c242dd472ca00f0dc8bcebee4f094a85e3 /security/min_addr.c
parent: 31bde71c202722a76686c3cf69a254c8a912275a (diff)
download: linux-3.10-0e1a6ef2dea88101b056b6d9984f3325c5efced3.tar.gz
linux-3.10-0e1a6ef2dea88101b056b6d9984f3325c5efced3.tar.bz2
linux-3.10-0e1a6ef2dea88101b056b6d9984f3325c5efced3.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/security/min_addr.c b/security/min_addr.c
index c844eed7915..fc43c9d3708 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -33,6 +33,9 @@ int mmap_min_addr_handler(struct ctl_table *table, int write,
 {
 	int ret;
 
+	if (!capable(CAP_SYS_RAWIO))
+		return -EPERM;
+
 	ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
 
 	update_mmap_min_addr();
author	Kees Cook <kees.cook@canonical.com>	2009-11-08 09:37:00 -0800
committer	James Morris <jmorris@namei.org>	2009-11-09 08:34:22 +1100
commit	0e1a6ef2dea88101b056b6d9984f3325c5efced3 (patch)
tree	bef312c242dd472ca00f0dc8bcebee4f094a85e3 /security/min_addr.c
parent	31bde71c202722a76686c3cf69a254c8a912275a (diff)
download	linux-3.10-0e1a6ef2dea88101b056b6d9984f3325c5efced3.tar.gz linux-3.10-0e1a6ef2dea88101b056b6d9984f3325c5efced3.tar.bz2 linux-3.10-0e1a6ef2dea88101b056b6d9984f3325c5efced3.zip