[PATCH] mm: reorder can_do_mlock to fix audit denial

[Jeff Vander Stoep]

A userspace call to mmap(MAP_LOCKED) may result in the successful
locking of memory while also producing a confusing audit log denial.
can_do_mlock checks capable and rlimit. If either of these return
positive can_do_mlock returns true. The capable check leads to an LSM
hook used by apparmour and selinux which produce the audit denial.
Reordering so rlimit is checked first eliminates the denial on success,
only recording a denial when the lock is unsuccessful as a result of
the denial.

Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
---
 mm/mlock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mm/mlock.c b/mm/mlock.c
index 73cf098..8a54cd2 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -26,10 +26,10 @@
 
 int can_do_mlock(void)
 {
-	if (capable(CAP_IPC_LOCK))
-		return 1;
 	if (rlimit(RLIMIT_MEMLOCK) != 0)
 		return 1;
+	if (capable(CAP_IPC_LOCK))
+		return 1;
 	return 0;
 }
 EXPORT_SYMBOL(can_do_mlock);
-- 
2.2.0.rc0.207.ga3a616c

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/