diff options
authorJeff Vander Stoep <jeffv@google.com>2015-03-11 14:32:24 -0700
committerJeff Vander Stoep <jeffv@google.com>2015-11-03 12:53:24 -0800
commit8dd51538abd93e052b2dd235d9b3336827d17414 (patch)
parent829d8c9e1dc01dca8d68857d8f974a7d36d73d6c (diff)
mm: reorder can_do_mlock to fix audit denial
(cherry picked from commit a5a6579db33af91f4f5134e14be758dc71c1b694) A userspace call to mmap(MAP_LOCKED) may result in the successful locking of memory while also producing a confusing audit log denial. can_do_mlock checks capable and rlimit. If either of these return positive can_do_mlock returns true. The capable check leads to an LSM hook used by apparmour and selinux which produce the audit denial. Reordering so rlimit is checked first eliminates the denial on success, only recording a denial when the lock is unsuccessful as a result of the denial. Change-Id: I83e0b9d44755633fd09d062e8e2be25e5f7526e6 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Nick Kralevich <nnk@google.com> Cc: Jeff Vander Stoep <jeffv@google.com> Cc: Sasha Levin <sasha.levin@oracle.com> Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com> Cc: Rik van Riel <riel@redhat.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Paul Cassella <cassella@cray.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
1 files changed, 2 insertions, 2 deletions
diff --git a/mm/mlock.c b/mm/mlock.c
index 1d0d2392ffad..6eee8a67a273 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -26,10 +26,10 @@
int can_do_mlock(void)
- if (capable(CAP_IPC_LOCK))
- return 1;
if (rlimit(RLIMIT_MEMLOCK) != 0)
return 1;
+ if (capable(CAP_IPC_LOCK))
+ return 1;
return 0;