[PATCH] Honor mmap_min_addr with the actual minimum

From: Hector Marco-Gisbert
Date: Wed Apr 06 2016 - 15:08:50 EST


The minimum address that a process is allowed to mmap when LSM is
enabled is 0x10000 (65536). This value is tunable and exported via
/proc/sys/vm/mmap_min_addr, but the file does not report the minimum
value that is actually in effect.

It can be easily checked in a system typing:

$ cat /proc/sys/vm/mmap_min_addr
4096 # <= Incorrect, it should be 65536

$ echo 1024 > /proc/sys/vm/mmap_min_addr
$ cat /proc/sys/vm/mmap_min_addr
1024 # <= Incorrect, it should be 65536

After applying the patch:

$ cat /proc/sys/vm/mmap_min_addr
65536 # <= It is correct

$ echo 1024 > /proc/sys/vm/mmap_min_addr
$ cat /proc/sys/vm/mmap_min_addr
65536 # <= It is correct



Signed-off-by: Hector Marco-Gisbert <hecmargi@xxxxxx>
Acked-by: Ismael Ripoll Ripoll <iripoll@xxxxxx>
---
security/min_addr.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/min_addr.c b/security/min_addr.c
index f728728..96d1811 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -15,10 +15,12 @@ unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
static void update_mmap_min_addr(void)
{
#ifdef CONFIG_LSM_MMAP_MIN_ADDR
- if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
+ if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR) {
mmap_min_addr = dac_mmap_min_addr;
- else
+ } else {
mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
+ dac_mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
+ }
#else
mmap_min_addr = dac_mmap_min_addr;
#endif
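Review bot: The added `dac_mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;` in the else branch changes the stored DAC threshold, not only the value shown in /proc/sys/vm/mmap_min_addr. Any code that checks addresses against dac_mmap_min_addr separately from the LSM floor (presumably the capability check in cap_mmap_addr(), which is outside this hunk) would become stricter whenever the administrator's value is lower than the LSM minimum. The commit message describes only the reporting fix, so this side effect should either be confirmed as intended or avoided by leaving the stored value alone and reporting `mmap_min_addr` from the sysctl read path instead. If the clamp stays, a comment would help, for example `/* clamp the DAC value as well so the sysctl reports the enforced minimum; a lower value written by the admin is discarded */`. The closing brace of update_mmap_min_addr() lies outside the hunk.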
--
1.9.1