Hi,

At the moment there is no permission check in filemap_nopage (reading in a page from an mmaped file). This makes the permission check in sys_read / sys_write a little pointless as the user can always avoid this check by mmaping the file.

I've attached a patch that puts in a hook at the top of filemap_nopage for consideration. I've also included some notes about the various choices I made below.

Cheers,
Antony

(See attached file: filemap-2.4.16.patch)

Notes:

(1) The access bits passed to the permission hook are from the vm_area_struct rather than the file (though they are converted to the correct format). Thus if the user opens the file O_RDWR but maps it PROT_READ -- the permission check will be for O_RDONLY. This seemed the best way to go -- however the other way is just as easy if someone comes up with a good reason.

(2) A protection error results in a SIGBUS. I was hoping to do a SIGSEGV, however, the number of extra modifications required to achieve this aren't really justified.

(3) If the area is mapped PROT_READ | PROT_WRITE -- both are checked when the file is first mapped in. I.e., I don't only check PROT_READ on filemap_nopage and then check PROT_WRITE if they actually try and write to the page. This requires an extra check and I can't see the benefit.

(4) If the patch is accepted, I think there should be a comment in security.h informing module writers that file_ops->permission could get called from a pagefault handler -- so be careful.
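
A user-space model of the check described in notes (1) to (3), added here as an illustration; it is not the attached patch and not kernel code. The flag values are those of the Linux 2.4 headers, while `policy_permission`, `model_nopage` and the `allowed` mask are hypothetical names standing in for the permission hook, the fault handler and a security module's current policy.

```c
#include <errno.h>
#include <stdio.h>

/* Values as defined in the Linux 2.4 headers (linux/mm.h, linux/fs.h). */
#define VM_READ   0x1UL
#define VM_WRITE  0x2UL
#define MAY_WRITE 2
#define MAY_READ  4

enum fault_result { FAULT_OK, FAULT_SIGBUS };

/* Note (1): the mask is built from the mapping's protections, not from
 * the mode the file was opened with, and converted to MAY_* format. */
static int vm_flags_to_mask(unsigned long vm_flags)
{
    int mask = 0;
    if (vm_flags & VM_READ)
        mask |= MAY_READ;
    if (vm_flags & VM_WRITE)
        mask |= MAY_WRITE;
    return mask;
}

/* Hypothetical stand-in for the permission hook: `allowed` is the set of
 * MAY_* bits the policy grants at the moment of the fault. */
static int policy_permission(int allowed, int mask)
{
    return (mask & ~allowed) ? -EACCES : 0;
}

/* Model of the hook at the top of the fault path. Note (3): every bit of
 * the mapping is checked on the first fault, whatever access caused it.
 * Note (2): a denial is reported as SIGBUS. */
static enum fault_result model_nopage(int allowed, unsigned long vm_flags)
{
    if (policy_permission(allowed, vm_flags_to_mask(vm_flags)) != 0)
        return FAULT_SIGBUS;
    return FAULT_OK;
}

int main(void)
{
    /* Constructed case: policy grants read only. */
    printf("PROT_READ mapping:            %d\n",
           model_nopage(MAY_READ, VM_READ));
    printf("PROT_READ|PROT_WRITE mapping: %d\n",
           model_nopage(MAY_READ, VM_READ | VM_WRITE));
    return 0;
}
```

With a read-only policy the PROT_READ mapping faults in normally even if the file was opened O_RDWR, while the PROT_READ | PROT_WRITE mapping gets SIGBUS on its first fault, including a fault caused by a read.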
This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 16:17:45 PST