The minimum address that a process is allowed to mmap when LSM is enabled is 0x10000 (65536). This value is tunable and exported via /proc/sys/vm/mmap_min_addr, but the value reported there does not reflect the minimum that is actually enforced.
It can be easily checked in a system typing:

$ cat /proc/sys/vm/mmap_min_addr
4096 # <= Incorrect, it should be 65536
$ echo 1024 > /proc/sys/vm/mmap_min_addr
$ cat /proc/sys/vm/mmap_min_addr
1024 # <= Incorrect, it should be 65536

After applying the patch:

$ cat /proc/sys/vm/mmap_min_addr
65536 # <= It is correct
$ echo 1024 > /proc/sys/vm/mmap_min_addr
$ cat /proc/sys/vm/mmap_min_addr
65536 # <= It is correct

Signed-off-by: Hector Marco-Gisbert <[email protected]>
Acked-by: Ismael Ripoll Ripoll <[email protected]>
---
 security/min_addr.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/min_addr.c b/security/min_addr.c
index f728728..96d1811 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -15,10 +15,12 @@ unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
 static void update_mmap_min_addr(void)
 {
 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
-	if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
+	if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR) {
 		mmap_min_addr = dac_mmap_min_addr;
-	else
+	} else {
 		mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
+		dac_mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
+	}
 #else
 	mmap_min_addr = dac_mmap_min_addr;
 #endif
-- 
1.9.1
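Review bot: The new `dac_mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;` in the else branch silently discards a value the administrator just wrote through the sysctl, and nothing in the hunk says why, so the next reader will take it for a stray assignment; a comment such as `/* The LSM floor is the effective minimum; mirror it into dac_mmap_min_addr so the sysctl reports what is actually enforced. */` would anchor it. Because dac_mmap_min_addr is no longer a pure record of the administrator's choice, any other consumer of that variable (the DAC-side address check, if it reads dac_mmap_min_addr as its name suggests) now sees the raised value as well — that is probably the intended effect, but it is a behaviour change beyond the sysctl read-back and deserves a sentence in the commit message. The #else path is unchanged and still reports whatever was written, which is consistent with there being no LSM floor there. update_mmap_min_addr()'s closing brace and its callers lie outside the hunk, so whether the write to dac_mmap_min_addr is serialized with the sysctl handler cannot be judged from here.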

