From 4b90229cd2dcffc8519a4cd34f51fce71e38308e Mon Sep 17 00:00:00 2001
From: cgd <cgd@NetBSD.org>
Date: Thu, 15 Jul 1993 14:48:37 +0000
Subject: [PATCH] do the "right thing" with mmap protections, once and for all.
 in particular, if an object is mapped private, DO NOT grant VM_PROT_ALL
 protections to it; it could be sensitive data.

---
 sys/vm/vm_mmap.c | 32 ++++++++++++++------------------
 1 file changed, 14 insertions(+), 18 deletions(-)

diff --git a/sys/vm/vm_mmap.c b/sys/vm/vm_mmap.c
index 9f796fe6d759..78e4a17df30a 100644
--- a/sys/vm/vm_mmap.c
+++ b/sys/vm/vm_mmap.c
@@ -38,7 +38,7 @@
  * from: Utah $Hdr: vm_mmap.c 1.3 90/01/21$
  *
  *	from: @(#)vm_mmap.c	7.5 (Berkeley) 6/28/91
- *	$Id: vm_mmap.c,v 1.8 1993/07/07 11:25:32 cgd Exp $
+ *	$Id: vm_mmap.c,v 1.9 1993/07/15 14:48:37 cgd Exp $
  */
 
 /*
@@ -131,7 +131,7 @@ smmap(p, uap, retval)
 	if (mmapdebug & MDB_FOLLOW)
 		printf("mmap(%d): addr %x len %x pro %x flg %x fd %d pos %x\n",
 		       p->p_pid, uap->addr, uap->len, uap->prot,
-		       uap->flags, uap->fd, uap->pos);
+		       flags, uap->fd, uap->pos);
 #endif
 	/*
 	 * Make sure one of the sharing types is specified
@@ -187,7 +187,8 @@ smmap(p, uap, retval)
 		/*
 		 * Ensure that file protection and desired protection
 		 * are compatible.  Note that we only worry about writability
-		 * if mapping is shared.
+		 * if mapping is shared.  XXX (cgd) -- coalese access checks
+		 * and permissions setting.
 		 */
 		if ((uap->prot & PROT_READ) && (fp->f_flag & FREAD) == 0 ||
 		    ((flags & MAP_SHARED) &&
@@ -195,17 +196,16 @@ smmap(p, uap, retval)
 			return(EACCES);
 		handle = (caddr_t)vp;
 		/*
-		 * Map protections to MACH style
+		 * Map maximum protections to MACH style
 		 */
-		if(flags & MAP_SHARED) {
-        	        maxprot = VM_PROT_EXECUTE;
-			if (fp->f_flag & FREAD)
-				maxprot |= VM_PROT_READ;
+		maxprot = VM_PROT_EXECUTE;	/* ??? */
+		if (fp->f_flag & FREAD)
+			maxprot |= VM_PROT_READ;
+		if(uap->flags & MAP_SHARED) {
 			if (fp->f_flag & FWRITE)
 				maxprot |= VM_PROT_WRITE;
-		} else {
-			maxprot = VM_PROT_ALL;
-		}
+		} else
+			maxprot |= VM_PROT_WRITE;
 	} else if (uap->fd != -1) {
                 maxprot = VM_PROT_ALL;
 		handle = (caddr_t)fp;
@@ -214,7 +214,7 @@ smmap(p, uap, retval)
 		handle = NULL;
 	}
 	/*
-	 * Map protections to MACH style
+	 * Map current protections to MACH style
 	 */
 	prot = VM_PROT_NONE;
 	if (uap->prot & PROT_READ)
@@ -652,12 +652,8 @@ vm_mmap(map, addr, size, prot, maxprot, flags, handle, foff)
 	/*
 	 * Correct protection (default is VM_PROT_ALL).
 	 * Note that we set the maximum protection.  This may not be
-	 * entirely correct.  Maybe the maximum protection should be based
-	 * on the object permissions where it makes sense (e.g. a vnode).
-	 *
-	 * XXX Changed my mind: leave max prot at VM_PROT_ALL.
-	 * Changed again: indeed set maximum protection based on
-	 * object permissions.
+	 * entirely correct.  The maximum protection is be based on
+	 * the object permissions where it makes sense (e.g. a vnode).
 	 */
 		rv = vm_map_protect(map, *addr, *addr+size, prot, FALSE);
 		if (rv != KERN_SUCCESS) {