[PATCH] mm: reorder can_do_mlock to fix audit denial

[PATCH] mm: reorder can_do_mlock to fix audit denial

[Jeff Vander Stoep]

A userspace call to mmap(MAP_LOCKED) may result in the successful
locking of memory while also producing a confusing audit log denial.
can_do_mlock checks capable and rlimit. If either of these return
positive can_do_mlock returns true. The capable check leads to an LSM
hook used by apparmour and selinux which produce the audit denial.
Reordering so rlimit is checked first eliminates the denial on success,
only recording a denial when the lock is unsuccessful as a result of
the denial.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
---
 mm/mlock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mm/mlock.c b/mm/mlock.c
index 73cf098..8a54cd2 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -26,10 +26,10 @@
 
 int can_do_mlock(void)
 {
-	if (capable(CAP_IPC_LOCK))
-		return 1;
 	if (rlimit(RLIMIT_MEMLOCK) != 0)
 		return 1;
+	if (capable(CAP_IPC_LOCK))
+		return 1;
 	return 0;
 }
 EXPORT_SYMBOL(can_do_mlock);
-- 
2.2.0.rc0.207.ga3a616c

[PATCH] mm: reorder can_do_mlock to fix audit denial

[Jeff Vander Stoep]

A userspace call to mmap(MAP_LOCKED) may result in the successful
locking of memory while also producing a confusing audit log denial.
can_do_mlock checks capable and rlimit. If either of these return
positive can_do_mlock returns true. The capable check leads to an LSM
hook used by apparmour and selinux which produce the audit denial.
Reordering so rlimit is checked first eliminates the denial on success,
only recording a denial when the lock is unsuccessful as a result of
the denial.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
---
 mm/mlock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mm/mlock.c b/mm/mlock.c
index 73cf098..8a54cd2 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -26,10 +26,10 @@
 
 int can_do_mlock(void)
 {
-	if (capable(CAP_IPC_LOCK))
-		return 1;
 	if (rlimit(RLIMIT_MEMLOCK) != 0)
 		return 1;
+	if (capable(CAP_IPC_LOCK))
+		return 1;
 	return 0;
 }
 EXPORT_SYMBOL(can_do_mlock);
-- 
2.2.0.rc0.207.ga3a616c

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: [PATCH] mm: reorder can_do_mlock to fix audit denial

[Nick Kralevich]

On Mon, Mar 2, 2015 at 9:20 AM, Jeff Vander Stoep <jeffv@google.com> wrote:
> A userspace call to mmap(MAP_LOCKED) may result in the successful
> locking of memory while also producing a confusing audit log denial.
> can_do_mlock checks capable and rlimit. If either of these return
> positive can_do_mlock returns true. The capable check leads to an LSM
> hook used by apparmour and selinux which produce the audit denial.
> Reordering so rlimit is checked first eliminates the denial on success,
> only recording a denial when the lock is unsuccessful as a result of
> the denial.
>

Acked-By: Nick Kralevich <nnk@google.com>

> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> ---
>  mm/mlock.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/mm/mlock.c b/mm/mlock.c
> index 73cf098..8a54cd2 100644
> --- a/mm/mlock.c
> +++ b/mm/mlock.c
> @@ -26,10 +26,10 @@
>
>  int can_do_mlock(void)
>  {
> -       if (capable(CAP_IPC_LOCK))
> -               return 1;
>         if (rlimit(RLIMIT_MEMLOCK) != 0)
>                 return 1;
> +       if (capable(CAP_IPC_LOCK))
> +               return 1;
>         return 0;
>  }
>  EXPORT_SYMBOL(can_do_mlock);
> --
> 2.2.0.rc0.207.ga3a616c
>



-- 
Nick Kralevich | Android Security | nnk@google.com | 650.214.4037

Re: [PATCH] mm: reorder can_do_mlock to fix audit denial

[Nick Kralevich]

On Mon, Mar 2, 2015 at 9:20 AM, Jeff Vander Stoep <jeffv@google.com> wrote:
> A userspace call to mmap(MAP_LOCKED) may result in the successful
> locking of memory while also producing a confusing audit log denial.
> can_do_mlock checks capable and rlimit. If either of these return
> positive can_do_mlock returns true. The capable check leads to an LSM
> hook used by apparmour and selinux which produce the audit denial.
> Reordering so rlimit is checked first eliminates the denial on success,
> only recording a denial when the lock is unsuccessful as a result of
> the denial.
>

Acked-By: Nick Kralevich <nnk@google.com>

> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> ---
>  mm/mlock.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/mm/mlock.c b/mm/mlock.c
> index 73cf098..8a54cd2 100644
> --- a/mm/mlock.c
> +++ b/mm/mlock.c
> @@ -26,10 +26,10 @@
>
>  int can_do_mlock(void)
>  {
> -       if (capable(CAP_IPC_LOCK))
> -               return 1;
>         if (rlimit(RLIMIT_MEMLOCK) != 0)
>                 return 1;
> +       if (capable(CAP_IPC_LOCK))
> +               return 1;
>         return 0;
>  }
>  EXPORT_SYMBOL(can_do_mlock);
> --
> 2.2.0.rc0.207.ga3a616c
>



-- 
Nick Kralevich | Android Security | nnk@google.com | 650.214.4037

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: [PATCH] mm: reorder can_do_mlock to fix audit denial

[Andrew Morton]

On Mon,  2 Mar 2015 09:20:32 -0800 Jeff Vander Stoep <jeffv@google.com> wrote:

> A userspace call to mmap(MAP_LOCKED) may result in the successful
> locking of memory while also producing a confusing audit log denial.
> can_do_mlock checks capable and rlimit. If either of these return
> positive can_do_mlock returns true. The capable check leads to an LSM
> hook used by apparmour and selinux which produce the audit denial.
> Reordering so rlimit is checked first eliminates the denial on success,
> only recording a denial when the lock is unsuccessful as a result of
> the denial.

I'm assuming that this is a minor issue - a bogus audit log, no other
consequences.  And based on this I queued the patch for 4.0 with no
-stable backport.

All of this might have been wrong - the changelog wasn't very helpful
in making such decisions (hint).

Re: [PATCH] mm: reorder can_do_mlock to fix audit denial

[Andrew Morton]

On Mon,  2 Mar 2015 09:20:32 -0800 Jeff Vander Stoep <jeffv@google.com> wrote:

> A userspace call to mmap(MAP_LOCKED) may result in the successful
> locking of memory while also producing a confusing audit log denial.
> can_do_mlock checks capable and rlimit. If either of these return
> positive can_do_mlock returns true. The capable check leads to an LSM
> hook used by apparmour and selinux which produce the audit denial.
> Reordering so rlimit is checked first eliminates the denial on success,
> only recording a denial when the lock is unsuccessful as a result of
> the denial.

I'm assuming that this is a minor issue - a bogus audit log, no other
consequences.  And based on this I queued the patch for 4.0 with no
-stable backport.

All of this might have been wrong - the changelog wasn't very helpful
in making such decisions (hint).

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: [PATCH] mm: reorder can_do_mlock to fix audit denial

[Jeffrey Vander Stoep]

Yes, minor issue.

I appreciate the advice.

On Mon, Mar 2, 2015 at 4:42 PM, Andrew Morton <akpm@linux-foundation.org> wrote:
> On Mon,  2 Mar 2015 09:20:32 -0800 Jeff Vander Stoep <jeffv@google.com> wrote:
>
>> A userspace call to mmap(MAP_LOCKED) may result in the successful
>> locking of memory while also producing a confusing audit log denial.
>> can_do_mlock checks capable and rlimit. If either of these return
>> positive can_do_mlock returns true. The capable check leads to an LSM
>> hook used by apparmour and selinux which produce the audit denial.
>> Reordering so rlimit is checked first eliminates the denial on success,
>> only recording a denial when the lock is unsuccessful as a result of
>> the denial.
>
> I'm assuming that this is a minor issue - a bogus audit log, no other
> consequences.  And based on this I queued the patch for 4.0 with no
> -stable backport.
>
> All of this might have been wrong - the changelog wasn't very helpful
> in making such decisions (hint).

Re: [PATCH] mm: reorder can_do_mlock to fix audit denial

[Jeffrey Vander Stoep]

Yes, minor issue.

I appreciate the advice.

On Mon, Mar 2, 2015 at 4:42 PM, Andrew Morton <akpm@linux-foundation.org> wrote:
> On Mon,  2 Mar 2015 09:20:32 -0800 Jeff Vander Stoep <jeffv@google.com> wrote:
>
>> A userspace call to mmap(MAP_LOCKED) may result in the successful
>> locking of memory while also producing a confusing audit log denial.
>> can_do_mlock checks capable and rlimit. If either of these return
>> positive can_do_mlock returns true. The capable check leads to an LSM
>> hook used by apparmour and selinux which produce the audit denial.
>> Reordering so rlimit is checked first eliminates the denial on success,
>> only recording a denial when the lock is unsuccessful as a result of
>> the denial.
>
> I'm assuming that this is a minor issue - a bogus audit log, no other
> consequences.  And based on this I queued the patch for 4.0 with no
> -stable backport.
>
> All of this might have been wrong - the changelog wasn't very helpful
> in making such decisions (hint).

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>