Security/SELinux: separate lsm specific mmap_min_addr
Currently SELinux enforcement of controls on the ability to map low memory is determined by the mmap_min_addr tunable. This patch causes SELinux to ignore the tunable and instead use a separate Kconfig option specific to how much space the LSM should protect.

The tunable will now only control the need for CAP_SYS_RAWIO and SELinux permissions will always protect the amount of low memory designated by CONFIG_LSM_MMAP_MIN_ADDR.

This allows users who need to disable the mmap_min_addr controls (usual reason being they run WINE as a non-root user) to do so and still have SELinux controls preventing confined domains (like a web server) from being able to map some area of low memory.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Showing
- include/linux/mm.h: 0 additions, 15 deletions
- include/linux/security.h: 17 additions, 0 deletions
- kernel/sysctl.c: 4 additions, 3 deletions
- mm/Kconfig: 3 additions, 3 deletions
- mm/mmap.c: 0 additions, 3 deletions
- mm/nommu.c: 0 additions, 3 deletions
- security/Kconfig: 16 additions, 0 deletions
- security/Makefile: 1 addition, 1 deletion
- security/commoncap.c: 1 addition, 1 deletion
- security/min_addr.c: 49 additions, 0 deletions
- security/selinux/hooks.c: 1 addition, 1 deletion