sysctl: require CAP_SYS_RAWIO to set mmap_min_addr

commit 0e1a6ef2dea88101b056b6d9984f3325c5efced3 upstream. Currently the mmap_min_addr value can only be bypassed during mmap when the task has CAP_SYS_RAWIO. However, the mmap_min_addr sysctl value itself can be adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO. This patch adds a check for the capability before allowing mmap_min_addr to be changed. Signed-off-by: Kees Cook <kees.cook@canonical.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Kees Cook <kees.cook@canonical.com> 2009-11-08 09:37:00 -0800
committer: Greg Kroah-Hartman <gregkh@suse.de> 2010-04-01 15:58:16 -0700
commit: c907edc64f5ccc35c81b44fd0444646ba97edfc4 (patch)
tree: df962f81b6173507572b6ada5f9ffc8aadea3770 /security
parent: a6c4c1c5057d956af87679861f5eeb80c72e3a5e (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/security/min_addr.c b/security/min_addr.c
index c844eed7915d..fc43c9d37084 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -33,6 +33,9 @@ int mmap_min_addr_handler(struct ctl_table *table, int write,
 {
 	int ret;
 
+	if (!capable(CAP_SYS_RAWIO))
+		return -EPERM;
+
 	ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
 
 	update_mmap_min_addr();
author	Kees Cook <kees.cook@canonical.com>	2009-11-08 09:37:00 -0800
committer	Greg Kroah-Hartman <gregkh@suse.de>	2010-04-01 15:58:16 -0700
commit	c907edc64f5ccc35c81b44fd0444646ba97edfc4 (patch)
tree	df962f81b6173507572b6ada5f9ffc8aadea3770 /security
parent	a6c4c1c5057d956af87679861f5eeb80c72e3a5e (diff)