• Jeff Vander Stoep's avatar
    mm: reorder can_do_mlock to fix audit denial · a5a6579d
    Jeff Vander Stoep authored
    A userspace call to mmap(MAP_LOCKED) may result in the successful locking
    of memory while also producing a confusing audit log denial.  can_do_mlock
    checks capable and rlimit.  If either of these return positive
    can_do_mlock returns true.  The capable check leads to an LSM hook used by
    apparmour and selinux which produce the audit denial.  Reordering so
    rlimit is checked first eliminates the denial on success, only recording a
    denial when the lock is unsuccessful as a result of the denial.
    Signed-off-by: default avatarJeff Vander Stoep <jeffv@google.com>
    Acked-by: default avatarNick Kralevich <nnk@google.com>
    Cc: Jeff Vander Stoep <jeffv@google.com>
    Cc: Sasha Levin <sasha.levin@oracle.com>
    Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: Paul Cassella <cassella@cray.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
mlock.c 22.8 KB