diff options
author | Eric Paris <eparis@redhat.com> | 2010-10-13 17:50:31 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2010-10-21 10:12:59 +1100 |
commit | 845ca30fe9691f1bab7cfbf30b6d11c944eb4abd (patch) | |
tree | eabf2b17957c2214375f870387eaab6c43d9e931 /security/selinux | |
parent | cee74f47a6baba0ac457e87687fdcf0abd599f0a (diff) |
selinux: implement mmap on /selinux/policy
/selinux/policy allows a user to copy the policy back out of the kernel.
This patch allows userspace to actually mmap that file and use it directly.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/selinuxfs.c | 44 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 2 |
2 files changed, 45 insertions, 1 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 8eb102c72606..87e0556bae70 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -439,9 +439,53 @@ out: return ret; } +static int sel_mmap_policy_fault(struct vm_area_struct *vma, + struct vm_fault *vmf) +{ + struct policy_load_memory *plm = vma->vm_file->private_data; + unsigned long offset; + struct page *page; + + if (vmf->flags & (FAULT_FLAG_MKWRITE | FAULT_FLAG_WRITE)) + return VM_FAULT_SIGBUS; + + offset = vmf->pgoff << PAGE_SHIFT; + if (offset >= roundup(plm->len, PAGE_SIZE)) + return VM_FAULT_SIGBUS; + + page = vmalloc_to_page(plm->data + offset); + get_page(page); + + vmf->page = page; + + return 0; +} + +static struct vm_operations_struct sel_mmap_policy_ops = { + .fault = sel_mmap_policy_fault, + .page_mkwrite = sel_mmap_policy_fault, +}; + +int sel_mmap_policy(struct file *filp, struct vm_area_struct *vma) +{ + if (vma->vm_flags & VM_SHARED) { + /* do not allow mprotect to make mapping writable */ + vma->vm_flags &= ~VM_MAYWRITE; + + if (vma->vm_flags & VM_WRITE) + return -EACCES; + } + + vma->vm_flags |= VM_RESERVED; + vma->vm_ops = &sel_mmap_policy_ops; + + return 0; +} + static const struct file_operations sel_policy_ops = { .open = sel_open_policy, .read = sel_read_policy, + .mmap = sel_mmap_policy, .release = sel_release_policy, }; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 7565d16aac31..3a1739b33b78 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3169,7 +3169,7 @@ int security_read_policy(void **data, ssize_t *len) *len = security_policydb_len(); - *data = vmalloc(*len); + *data = vmalloc_user(*len); if (!*data) return -ENOMEM; |