A userspace call to mmap(MAP_LOCKED) may result in the successful
locking of memory while also producing a confusing audit log denial.
can_do_mlock checks capable and rlimit. If either of these return
positive can_do_mlock returns true. The capable check leads to an LSM
hook used by apparmour and selinux which produce the audit denial.
Reordering so rlimit is checked first eliminates the denial on success,
only recording a denial when the lock is unsuccessful as a result of
the denial.
Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
---
mm/mlock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mm/mlock.c b/mm/mlock.c
index 73cf098..8a54cd2 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -26,10 +26,10 @@
int can_do_mlock(void)
{
- if (capable(CAP_IPC_LOCK))
- return 1;
if (rlimit(RLIMIT_MEMLOCK) != 0)
return 1;
+ if (capable(CAP_IPC_LOCK))
+ return 1;
return 0;
}
EXPORT_SYMBOL(can_do_mlock);
--
2.2.0.rc0.207.ga3a616c
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>