On Mon, Mar 2, 2015 at 9:20 AM, Jeff Vander Stoep <je...@google.com> wrote: > A userspace call to mmap(MAP_LOCKED) may result in the successful > locking of memory while also producing a confusing audit log denial. > can_do_mlock checks capable and rlimit. If either of these return > positive can_do_mlock returns true. The capable check leads to an LSM > hook used by apparmour and selinux which produce the audit denial. > Reordering so rlimit is checked first eliminates the denial on success, > only recording a denial when the lock is unsuccessful as a result of > the denial. >
Acked-By: Nick Kralevich <n...@google.com> > Signed-off-by: Jeff Vander Stoep <je...@google.com> > --- > mm/mlock.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/mm/mlock.c b/mm/mlock.c > index 73cf098..8a54cd2 100644 > --- a/mm/mlock.c > +++ b/mm/mlock.c > @@ -26,10 +26,10 @@ > > int can_do_mlock(void) > { > - if (capable(CAP_IPC_LOCK)) > - return 1; > if (rlimit(RLIMIT_MEMLOCK) != 0) > return 1; > + if (capable(CAP_IPC_LOCK)) > + return 1; > return 0; > } > EXPORT_SYMBOL(can_do_mlock); > -- > 2.2.0.rc0.207.ga3a616c > -- Nick Kralevich | Android Security | n...@google.com | 650.214.4037 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/