aboutsummaryrefslogtreecommitdiffstats
path: root/mm
diff options
context:
space:
mode:
authorJeff Vander Stoep <jeffv@google.com>2015-03-11 14:32:24 -0700
committerSimon Shields <keepcalm444@gmail.com>2016-03-12 23:12:07 +1100
commit9227d076f1b8d82f78410b1ecc40b77a6a75eee7 (patch)
tree77c8829da478fe401af7e0472bbc99deb7ca60f6 /mm
parentd3819b76e827ba7e4095657397e5aad2382b8724 (diff)
downloadkernel_samsung_smdk4412-9227d076f1b8d82f78410b1ecc40b77a6a75eee7.zip
kernel_samsung_smdk4412-9227d076f1b8d82f78410b1ecc40b77a6a75eee7.tar.gz
kernel_samsung_smdk4412-9227d076f1b8d82f78410b1ecc40b77a6a75eee7.tar.bz2
mm: reorder can_do_mlock to fix audit denial
A userspace call to mmap(MAP_LOCKED) may result in the successful locking of memory while also producing a confusing audit log denial. can_do_mlock checks capable and rlimit. If either of these return positive can_do_mlock returns true. The capable check leads to an LSM hook used by apparmour and selinux which produce the audit denial. Reordering so rlimit is checked first eliminates the denial on success, only recording a denial when the lock is unsuccessful as a result of the denial. Change-Id: I8d300365c8f85b002d6c5375a22abfb1b7579d20 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Nick Kralevich <nnk@google.com> Cc: Jeff Vander Stoep <jeffv@google.com> Cc: Sasha Levin <sasha.levin@oracle.com> Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com> Cc: Rik van Riel <riel@redhat.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Paul Cassella <cassella@cray.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Diffstat (limited to 'mm')
-rw-r--r--mm/mlock.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/mm/mlock.c b/mm/mlock.c
index 048260c..b41b3b7 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -23,10 +23,10 @@
int can_do_mlock(void)
{
- if (capable(CAP_IPC_LOCK))
- return 1;
if (rlimit(RLIMIT_MEMLOCK) != 0)
return 1;
+ if (capable(CAP_IPC_LOCK))
+ return 1;
return 0;
}
EXPORT_SYMBOL(can_do_mlock);