• Jeff Vander Stoep's avatar
    mm: reorder can_do_mlock to fix audit denial · a5a6579d
    Jeff Vander Stoep authored
    A userspace call to mmap(MAP_LOCKED) may result in the successful locking
    of memory while also producing a confusing audit log denial.  can_do_mlock
    checks capable and rlimit.  If either of these return positive
    can_do_mlock returns true.  The capable check leads to an LSM hook used by
    apparmour and selinux which produce the audit denial.  Reordering so
    rlimit is checked first eliminates the denial on success, only recording a
    denial when the lock is unsuccessful as a result of the denial.
    Signed-off-by: 's avatarJeff Vander Stoep <jeffv@google.com>
    Acked-by: 's avatarNick Kralevich <nnk@google.com>
    Cc: Jeff Vander Stoep <jeffv@google.com>
    Cc: Sasha Levin <sasha.levin@oracle.com>
    Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: Paul Cassella <cassella@cray.com>
    Signed-off-by: 's avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: 's avatarLinus Torvalds <torvalds@linux-foundation.org>
    a5a6579d
Name
Last commit
Last update
Documentation Loading commit data...
arch Loading commit data...
block Loading commit data...
crypto Loading commit data...
drivers Loading commit data...
firmware Loading commit data...
fs Loading commit data...
include Loading commit data...
init Loading commit data...
ipc Loading commit data...
kernel Loading commit data...
lib Loading commit data...
mm Loading commit data...
net Loading commit data...
samples Loading commit data...
scripts Loading commit data...
security Loading commit data...
sound Loading commit data...
tools Loading commit data...
usr Loading commit data...
virt/kvm Loading commit data...
.gitignore Loading commit data...
.mailmap Loading commit data...
COPYING Loading commit data...
CREDITS Loading commit data...
Kbuild Loading commit data...
Kconfig Loading commit data...
MAINTAINERS Loading commit data...
Makefile Loading commit data...
README Loading commit data...
REPORTING-BUGS Loading commit data...