Commit:     ab5a91a8364c3d6fc617abc47cc81d162c01d90a
Parent:     d313f948309ab22797316e789a7ff8fa358176b6
Author:     Eric Paris <[EMAIL PROTECTED]>
AuthorDate: Mon Nov 26 18:47:46 2007 -0500
Committer:  James Morris <[EMAIL PROTECTED]>
CommitDate: Thu Dec 6 00:24:30 2007 +1100

    Security: allow capable check to permit mmap or low vm space

    On a kernel with CONFIG_SECURITY but without an LSM which implements
    security_file_mmap it is impossible for an application to mmap addresses
    lower than mmap_min_addr.  Based on a suggestion from a developer in the
    openwall community this patch adds a check for CAP_SYS_RAWIO.  It is
    assumed that any process with this capability can harm the system a lot
    more easily than writing some stuff on the zero page and then trying to
    get the kernel to trip over itself.  It also means that programs like X
    on i686 which use vm86 emulation can work even with mmap_min_addr set.

    Signed-off-by: Eric Paris <[EMAIL PROTECTED]>
    Signed-off-by: James Morris <[EMAIL PROTECTED]>
 security/dummy.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/security/dummy.c b/security/dummy.c
index 6d895ad..3ccfbbe 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -426,7 +426,7 @@ static int dummy_file_mmap (struct file *file, unsigned 
long reqprot,
                            unsigned long addr,
                            unsigned long addr_only)
-       if (addr < mmap_min_addr)
+       if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
                return -EACCES;
        return 0;
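Review bot: The new condition on the `+` line turns CAP_SYS_RAWIO into a bypass for mmap_min_addr, but nothing at the check says so or why this capability was chosen; the rationale lives only in the commit message. A short comment above the `if` (for example, that CAP_SYS_RAWIO holders can already damage the system more directly, and that vm86 users such as X need low mappings) would keep a later reader from treating the exemption as an accident. The diffstat shows only security/dummy.c changed, so wherever mmap_min_addr is described for administrators should gain the same sentence, since a process holding CAP_SYS_RAWIO is no longer covered by the low-address protection in this dummy_file_mmap path. The operand order is right as written: capable() is reached only when addr is below mmap_min_addr. The inner parentheses around `addr < mmap_min_addr` are not needed.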