The patch titled
Subject: mm: reorder can_do_mlock to fix audit denial
has been removed from the -mm tree. Its filename was
mm-reorder-can_do_mlock-to-fix-audit-denial.patch
This patch was dropped because it was merged into mainline or a subsystem tree
------------------------------------------------------
From: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
Subject: mm: reorder can_do_mlock to fix audit denial
A userspace call to mmap(MAP_LOCKED) may result in the successful locking
of memory while also producing a confusing audit log denial. can_do_mlock
checks capable and rlimit. If either of these return positive
can_do_mlock returns true. The capable check leads to an LSM hook used by
apparmour and selinux which produce the audit denial. Reordering so
rlimit is checked first eliminates the denial on success, only recording a
denial when the lock is unsuccessful as a result of the denial.
Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
Acked-by: Nick Kralevich <nnk@xxxxxxxxxx>
Cc: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
Cc: Sasha Levin <sasha.levin@xxxxxxxxxx>
Cc: "Paul E. McKenney" <paulmck@xxxxxxxxxxxxxxxxxx>
Cc: Rik van Riel <riel@xxxxxxxxxx>
Cc: Vlastimil Babka <vbabka@xxxxxxx>
Cc: Paul Cassella <cassella@xxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
mm/mlock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff -puN mm/mlock.c~mm-reorder-can_do_mlock-to-fix-audit-denial mm/mlock.c
--- a/mm/mlock.c~mm-reorder-can_do_mlock-to-fix-audit-denial
+++ a/mm/mlock.c
@@ -26,10 +26,10 @@
int can_do_mlock(void)
{
- if (capable(CAP_IPC_LOCK))
- return 1;
if (rlimit(RLIMIT_MEMLOCK) != 0)
return 1;
+ if (capable(CAP_IPC_LOCK))
+ return 1;
return 0;
}
EXPORT_SYMBOL(can_do_mlock);
_
Patches currently in -mm which might be from jeffv@xxxxxxxxxx are
linux-next.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
