Re: [PATCH] mm: reorder can_do_mlock to fix audit denial

From: Jeffrey Vander Stoep
Date: Mon Mar 02 2015 - 19:49:10 EST

Next message: Scott Branden: "Re: [PATCH v2 2/2] hwrng: iproc-rng200 - Add Broadcom IPROC RNG driver"
Previous message: Sebastian Reichel: "[PATCHv2 1/2] HSI: cmt_speech: Add cmt-speech driver"
In reply to: Andrew Morton: "Re: [PATCH] mm: reorder can_do_mlock to fix audit denial"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Yes, minor issue.

I appreciate the advice.

On Mon, Mar 2, 2015 at 4:42 PM, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Mon, 2 Mar 2015 09:20:32 -0800 Jeff Vander Stoep <jeffv@xxxxxxxxxx> wrote:
>
>> A userspace call to mmap(MAP_LOCKED) may result in the successful
>> locking of memory while also producing a confusing audit log denial.
>> can_do_mlock checks capable and rlimit. If either of these return
>> positive can_do_mlock returns true. The capable check leads to an LSM
>> hook used by apparmour and selinux which produce the audit denial.
>> Reordering so rlimit is checked first eliminates the denial on success,
>> only recording a denial when the lock is unsuccessful as a result of
>> the denial.
>
> I'm assuming that this is a minor issue - a bogus audit log, no other
> consequences. And based on this I queued the patch for 4.0 with no
> -stable backport.
>
> All of this might have been wrong - the changelog wasn't very helpful
> in making such decisions (hint).
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Scott Branden: "Re: [PATCH v2 2/2] hwrng: iproc-rng200 - Add Broadcom IPROC RNG driver"
Previous message: Sebastian Reichel: "[PATCHv2 1/2] HSI: cmt_speech: Add cmt-speech driver"
In reply to: Andrew Morton: "Re: [PATCH] mm: reorder can_do_mlock to fix audit denial"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]