• Eric Paris's avatar
    Security: allow capable check to permit mmap or low vm space · ab5a91a8
    Eric Paris authored
    On a kernel with CONFIG_SECURITY but without an LSM which implements
    security_file_mmap it is impossible for an application to mmap addresses
    lower than mmap_min_addr.  Based on a suggestion from a developer in the
    openwall community this patch adds a check for CAP_SYS_RAWIO.  It is
    assumed that any process with this capability can harm the system a lot
    more easily than writing some stuff on the zero page and then trying to
    get the kernel to trip over itself.  It also means that programs like X
    on i686 which use vm86 emulation can work even with mmap_min_addr set.
    Signed-off-by: default avatarEric Paris <eparis@redhat.com>
    Signed-off-by: default avatarJames Morris <jmorris@namei.org>
    ab5a91a8
dummy.c 26 KB