| hooks.c (84336d1a77ccd2c06a730ddd38e695c2324a7386) | hooks.c (a2551df7ec568d87793d2eea4ca744e86318f205) |
|---|---|
| 1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 3026 unchanged lines hidden (view full) --- 3035 u32 sid = current_sid(); 3036 3037 /* 3038 * notice that we are intentionally putting the SELinux check before 3039 * the secondary cap_file_mmap check. This is such a likely attempt 3040 * at bad behaviour/exploit that we always want to get the AVC, even 3041 * if DAC would have also denied the operation. 3042 */ | 1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 3026 unchanged lines hidden (view full) --- 3035 u32 sid = current_sid(); 3036 3037 /* 3038 * notice that we are intentionally putting the SELinux check before 3039 * the secondary cap_file_mmap check. This is such a likely attempt 3040 * at bad behaviour/exploit that we always want to get the AVC, even 3041 * if DAC would have also denied the operation. 3042 */ |
| 3043 if (addr < mmap_min_addr) { | 3043 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { |
| 3044 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3045 MEMPROTECT__MMAP_ZERO, NULL); 3046 if (rc) 3047 return rc; 3048 } 3049 3050 /* do DAC check on address space usage */ 3051 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); --- 2661 unchanged lines hidden --- | 3044 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3045 MEMPROTECT__MMAP_ZERO, NULL); 3046 if (rc) 3047 return rc; 3048 } 3049 3050 /* do DAC check on address space usage */ 3051 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); --- 2661 unchanged lines hidden --- |