kernel-2.6.18-238.el5.src.rpm

From: Amerigo Wang <amwang@redhat.com>
Date: Wed, 2 Dec 2009 12:01:13 -0500
Subject: [misc] sysctl: require CAP_SYS_RAWIO to set mmap_min_addr
Message-id: <20091202120411.10837.29175.sendpatchset@localhost.localdomain>
Patchwork-id: 21647
O-Subject: [PATCH RHEL5.x] sysctl: require CAP_SYS_RAWIO to set mmap_min_addr
Bugzilla: 534018
RH-Acked-by: Eugene Teo <eugene@redhat.com>
RH-Acked-by: Jarod Wilson <jarod@redhat.com>

BZ:
https://bugzilla.redhat.com/show_bug.cgi?id=534018

Description:
Currently the mmap_min_addr value can only be bypassed during mmap when the
task has CAP_SYS_RAWIO.  However, the mmap_min_addr sysctl value itself can be
adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO. This patch
adds a check for the capability before allowing mmap_min_addr to be changed.

Brew:
https://brewweb.devel.redhat.com/taskinfo?taskID=2114810

Upstream status:
http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commitdiff;h=0e1a6ef2dea88101b056b6d9984f3325c5efced3

Signed-off-by: WANG Cong <amwang@redhat.com>
diff --git a/security/min_addr.c b/security/min_addr.c
index 5e3a07d..7d035df 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -34,6 +34,9 @@ int mmap_min_addr_handler(struct ctl_table *table, int write, struct file *filp,
 {
 	int ret;
 
+	if (!capable(CAP_SYS_RAWIO))
+		return -EPERM;
+
 	ret = proc_doulongvec_minmax(table, write, filp, buffer, lenp, ppos);
 
 	update_mmap_min_addr();
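Review bot: the added check at the top of the hunk applies to reads as well as writes, because it calls `capable(CAP_SYS_RAWIO)` before the handler's `write` argument is consulted; an unprivileged read of the sysctl (e.g. `cat /proc/sys/vm/mmap_min_addr`) would now fail with -EPERM, which goes beyond what the subject line ("require CAP_SYS_RAWIO to set mmap_min_addr") describes. Suggest guarding only the write path, `if (write && !capable(CAP_SYS_RAWIO))`, and comparing against the linked upstream commit to confirm the backport matches it. Placing the check before `proc_doulongvec_minmax()` is the right ordering, since a rejected write then never touches the table value or reaches `update_mmap_min_addr()`.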