xref: /OK3568_Linux_fs/kernel/security/min_addr.c (revision 4882a59341e53eb6f0b4789bf948001014eff981)
1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0
2*4882a593Smuzhiyun #include <linux/init.h>
3*4882a593Smuzhiyun #include <linux/mm.h>
4*4882a593Smuzhiyun #include <linux/security.h>
5*4882a593Smuzhiyun #include <linux/sysctl.h>
6*4882a593Smuzhiyun 
/*
 * Effective amount of VM protected from userspace access, combining the DAC
 * and LSM settings.  Within this file it is written only by
 * update_mmap_min_addr().  Having no initializer, it is zero until that
 * function first runs.  (Purpose per the kernel's vm.mmap_min_addr sysctl
 * documentation: keeping the lowest pages unmappable limits what a kernel
 * NULL-pointer dereference can be made to operate on.)
 */
unsigned long mmap_min_addr;

/*
 * DAC side of the limit: amount of VM protected from userspace, adjustable
 * only with CAP_SYS_RAWIO.  Starts at CONFIG_DEFAULT_MMAP_MIN_ADDR.
 */
unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;

/*
 * The LSM side has no variable of its own: it is the build-time constant
 * CONFIG_LSM_MMAP_MIN_ADDR, when that option is defined.
 */
12*4882a593Smuzhiyun 
/*
 * Recompute mmap_min_addr = max(dac_mmap_min_addr, CONFIG_LSM_MMAP_MIN_ADDR).
 *
 * When CONFIG_LSM_MMAP_MIN_ADDR is defined it acts as a floor: lowering
 * dac_mmap_min_addr, even to 0, cannot take the effective value below that
 * constant.  Without the option the DAC value is used unchanged, so the
 * DAC setting alone decides how much low memory stays protected.
 */
static void update_mmap_min_addr(void)
{
	unsigned long bound = dac_mmap_min_addr;

#ifdef CONFIG_LSM_MMAP_MIN_ADDR
	/* The LSM constant wins unless the DAC value is strictly larger. */
	if (bound <= CONFIG_LSM_MMAP_MIN_ADDR)
		bound = CONFIG_LSM_MMAP_MIN_ADDR;
#endif
	mmap_min_addr = bound;
}
27*4882a593Smuzhiyun 
/*
 * sysctl handler for the DAC minimum address.
 *
 * A write is refused with -EPERM unless the caller has CAP_SYS_RAWIO.  The
 * check happens here, before the buffer is parsed, and comes on top of any
 * permission checks done outside this handler.  Reads need no capability.
 *
 * The value is parsed or formatted by proc_doulongvec_minmax() against
 * @table.  The table definition is not in this file, so the entry's data
 * pointer (presumably dac_mmap_min_addr) and any min/max bounds should be
 * confirmed there.
 *
 * update_mmap_min_addr() then runs on every call, read or write, whatever
 * proc_doulongvec_minmax() returned, so non MAP_FIXED hints get rounded
 * properly against the current value.
 *
 * Returns -EPERM, or the result of proc_doulongvec_minmax().
 */
int mmap_min_addr_handler(struct ctl_table *table, int write,
			  void *buffer, size_t *lenp, loff_t *ppos)
{
	int rc;

	/* capable() is consulted only for writes, as in the original test. */
	if (write) {
		if (!capable(CAP_SYS_RAWIO))
			return -EPERM;
	}

	rc = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
	update_mmap_min_addr();
	return rc;
}
46*4882a593Smuzhiyun 
/*
 * Init-time setup: derive mmap_min_addr once from the current
 * dac_mmap_min_addr (and CONFIG_LSM_MMAP_MIN_ADDR when defined).
 * Until this has run, mmap_min_addr still holds its zero initial value.
 * Always returns 0.
 */
static int __init init_mmap_min_addr(void)
{
	update_mmap_min_addr();
	return 0;
}
/* pure_initcall is the earliest initcall level. */
pure_initcall(init_mmap_min_addr);