split cap_mmap_addr() out of cap_file_mmap()

... switch callers.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
diff --git a/include/linux/security.h b/include/linux/security.h
index ab0e091..4ad59c9 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -86,6 +86,7 @@
 extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
 extern int cap_inode_need_killpriv(struct dentry *dentry);
 extern int cap_inode_killpriv(struct dentry *dentry);
+extern int cap_mmap_addr(unsigned long addr);
 extern int cap_file_mmap(struct file *file, unsigned long reqprot,
 			 unsigned long prot, unsigned long flags,
 			 unsigned long addr, unsigned long addr_only);
@@ -2187,7 +2188,7 @@
 				     unsigned long addr,
 				     unsigned long addr_only)
 {
-	return cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+	return cap_mmap_addr(addr);
 }
 
 static inline int security_file_mprotect(struct vm_area_struct *vma,
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 032daab..8430d89 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -497,7 +497,7 @@
 	int rc = 0;
 
 	/* do DAC check */
-	rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+	rc = cap_mmap_addr(addr);
 	if (rc || addr_only)
 		return rc;
 
diff --git a/security/commoncap.c b/security/commoncap.c
index e771cb1..ebac361 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -958,6 +958,29 @@
 }
 
 /*
+ * cap_mmap_addr - check if able to map given addr
+ * @addr: address attempting to be mapped
+ *
+ * If the process is attempting to map memory below dac_mmap_min_addr they need
+ * CAP_SYS_RAWIO.  The other parameters to this function are unused by the
+ * capability security module.  Returns 0 if this mapping should be allowed
+ * -EPERM if not.
+ */
+int cap_mmap_addr(unsigned long addr)
+{
+	int ret = 0;
+
+	if (addr < dac_mmap_min_addr) {
+		ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
+				  SECURITY_CAP_AUDIT);
+		/* set PF_SUPERPRIV if it turns out we allow the low mmap */
+		if (ret == 0)
+			current->flags |= PF_SUPERPRIV;
+	}
+	return ret;
+}
+
+/*
  * cap_file_mmap - check if able to map given addr
  * @file: unused
  * @reqprot: unused
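Review bot: The header comment added for cap_mmap_addr() was carried over from cap_file_mmap() and still says "The other parameters to this function are unused by the capability security module", although the new function takes only `addr`; that sentence should be dropped. The helper is now declared in security.h and called directly by the AppArmor, SELinux and Smack hooks, so the comment should also state the side effect visible in the body. For addresses below `dac_mmap_min_addr` it runs an audited CAP_SYS_RAWIO check against `init_user_ns` and sets `PF_SUPERPRIV` on `current` when that check passes. Suggested closing lines: `Returns 0 if this mapping should be allowed, -EPERM if not.` followed by `Sets PF_SUPERPRIV on current when CAP_SYS_RAWIO is used to allow the mapping.` The cap_file_mmap() comment that starts at the end of this hunk continues outside it.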
@@ -975,14 +998,5 @@
 		  unsigned long prot, unsigned long flags,
 		  unsigned long addr, unsigned long addr_only)
 {
-	int ret = 0;
-
-	if (addr < dac_mmap_min_addr) {
-		ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
-				  SECURITY_CAP_AUDIT);
-		/* set PF_SUPERPRIV if it turns out we allow the low mmap */
-		if (ret == 0)
-			current->flags |= PF_SUPERPRIV;
-	}
-	return ret;
+	return cap_mmap_addr(addr);
 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index fa2341b..25c125e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3104,7 +3104,7 @@
 	}
 
 	/* do DAC check on address space usage */
-	rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+	rc = cap_mmap_addr(addr);
 	if (rc || addr_only)
 		return rc;
 
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index d583c05..a621977 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1199,7 +1199,7 @@
 	int rc;
 
 	/* do DAC check on address space usage */
-	rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+	rc = cap_mmap_addr(addr);
 	if (rc || addr_only)
 		return rc;