1 | #include <linux/init.h> |
2 | #include <linux/mm.h> |
3 | #include <linux/security.h> |
4 | #include <linux/sysctl.h> |
5 | |
/*
 * Lowest address userspace is permitted to map.  This is the value the
 * rest of the kernel enforces; it is never written directly but derived by
 * update_mmap_min_addr() as max(dac_mmap_min_addr, CONFIG_LSM_MMAP_MIN_ADDR).
 */
unsigned long mmap_min_addr;
/*
 * DAC component of the floor: the part a CAP_SYS_RAWIO holder may change at
 * runtime through the sysctl handler below.  Seeded from the build default.
 */
unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
/*
 * LSM component of the floor is the compile-time constant
 * CONFIG_LSM_MMAP_MIN_ADDR; it has no runtime variable and cannot be lowered
 * from userspace, so a sysctl write below it does not reduce mmap_min_addr.
 */
11 | |
/*
 * Recompute mmap_min_addr, the lowest address userspace is allowed to map.
 *
 * The effective floor is the larger of the DAC value (dac_mmap_min_addr,
 * tunable at runtime via sysctl) and the LSM's compile-time floor
 * CONFIG_LSM_MMAP_MIN_ADDR when that option is configured; without it the
 * DAC value is used as-is.  Writing a DAC value below the LSM floor
 * therefore leaves the enforced minimum at the LSM floor.
 */
static void update_mmap_min_addr(void)
{
	unsigned long floor = dac_mmap_min_addr;

#ifdef CONFIG_LSM_MMAP_MIN_ADDR
	/* The LSM floor wins whenever it is the higher of the two. */
	if (floor < CONFIG_LSM_MMAP_MIN_ADDR)
		floor = CONFIG_LSM_MMAP_MIN_ADDR;
#endif
	mmap_min_addr = floor;
}
26 | |
/*
 * sysctl handler for vm.mmap_min_addr.
 *
 * A write requires CAP_SYS_RAWIO; the new value is stored into
 * dac_mmap_min_addr by proc_doulongvec_minmax() and the effective
 * mmap_min_addr is then recomputed, so the LSM floor is still honoured and
 * non-MAP_FIXED mmap hints are rounded against the new limit.  The recompute
 * also runs on reads and on failed writes; it only re-derives one global
 * from another, so that is harmless.
 *
 * Returns 0 on success, -EPERM for an unprivileged write, or the error
 * from proc_doulongvec_minmax().
 */
int mmap_min_addr_handler(struct ctl_table *table, int write,
			  void __user *buffer, size_t *lenp, loff_t *ppos)
{
	int ret;

	/* Reads are unprivileged; only changing the floor needs CAP_SYS_RAWIO. */
	if (write) {
		if (!capable(CAP_SYS_RAWIO))
			return -EPERM;
	}

	ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
	update_mmap_min_addr();

	return ret;
}
45 | |
/*
 * Boot-time initialisation: derive mmap_min_addr from the compiled-in
 * defaults so the floor is in force before any sysctl write can happen.
 * Registered at the pure_initcall level, which runs ahead of the ordinary
 * initcall levels.
 *
 * Always returns 0; there is nothing here that can fail.
 */
static int __init init_mmap_min_addr(void)
{
	update_mmap_min_addr();

	return 0;
}
pure_initcall(init_mmap_min_addr);
53 |