cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux

min_addr.c (1374B)


      1// SPDX-License-Identifier: GPL-2.0
      2#include <linux/init.h>
      3#include <linux/mm.h>
      4#include <linux/security.h>
      5#include <linux/sysctl.h>
      6
/*
 * amount of vm to protect from userspace access by both DAC and the LSM.
 * This is the combined value; within this file it is written only by
 * update_mmap_min_addr().
 */
unsigned long mmap_min_addr;
/*
 * amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC).
 * Starts at the build-time default CONFIG_DEFAULT_MMAP_MIN_ADDR.
 * NOTE(review): presumably this is the variable the sysctl table entry
 * points at; the table registration is not in this file -- confirm.
 */
unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
/*
 * amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR.
 * No variable backs this one: it is used directly as a compile-time
 * constant in update_mmap_min_addr().
 */
     12
/*
 * Recompute mmap_min_addr as the larger of dac_mmap_min_addr and
 * CONFIG_LSM_MMAP_MIN_ADDR. When CONFIG_LSM_MMAP_MIN_ADDR is not defined,
 * mmap_min_addr simply follows dac_mmap_min_addr.
 *
 * Because the result is a maximum, setting dac_mmap_min_addr below the LSM
 * value leaves the LSM value in force.
 */
static void update_mmap_min_addr(void)
{
	unsigned long limit = dac_mmap_min_addr;

#ifdef CONFIG_LSM_MMAP_MIN_ADDR
	/* The LSM value acts as a lower bound on the effective limit. */
	if (limit <= CONFIG_LSM_MMAP_MIN_ADDR)
		limit = CONFIG_LSM_MMAP_MIN_ADDR;
#endif
	mmap_min_addr = limit;
}
     27
/*
 * sysctl handler for the DAC minimum mmap address.
 *
 * Writes are refused with -EPERM unless the caller has CAP_SYS_RAWIO;
 * reads are not subject to that check. The value itself is parsed or
 * formatted by proc_doulongvec_minmax(), after which
 * update_mmap_min_addr() recomputes mmap_min_addr so non MAP_FIXED hints
 * get rounded properly.
 *
 * The recomputation runs on every call that passes the capability check,
 * including reads and calls where proc_doulongvec_minmax() returns an
 * error.
 *
 * NOTE(review): presumably table->data points at dac_mmap_min_addr; the
 * table definition is not in this file -- confirm at the registration site.
 *
 * Returns -EPERM for an unprivileged write, otherwise whatever
 * proc_doulongvec_minmax() returned.
 */
int mmap_min_addr_handler(struct ctl_table *table, int write,
			  void *buffer, size_t *lenp, loff_t *ppos)
{
	int rc;

	/* Only a CAP_SYS_RAWIO holder may change the limit. */
	if (write) {
		if (!capable(CAP_SYS_RAWIO))
			return -EPERM;
	}

	rc = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
	update_mmap_min_addr();
	return rc;
}
     46
/*
 * Compute the initial value of mmap_min_addr by calling
 * update_mmap_min_addr() once. Registered through pure_initcall().
 * Always returns 0.
 */
static int __init init_mmap_min_addr(void)
{
	update_mmap_min_addr();
	return 0;
}
pure_initcall(init_mmap_min_addr);