rpms/kernel/devel kernel-2.6.spec, 1.1891, 1.1892 linux-2.6-selinux-mprotect-checks.patch, 1.1, 1.2
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Feb 1 21:35:58 UTC 2006
Author: davej
Update of /cvs/dist/rpms/kernel/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv22935
Modified Files:
kernel-2.6.spec linux-2.6-selinux-mprotect-checks.patch
Log Message:
Enable exec* checking except for execmod for ppc32 and ia64 (#178747)
Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/devel/kernel-2.6.spec,v
retrieving revision 1.1891
retrieving revision 1.1892
diff -u -r1.1891 -r1.1892
--- kernel-2.6.spec 1 Feb 2006 20:17:07 -0000 1.1891
+++ kernel-2.6.spec 1 Feb 2006 21:35:54 -0000 1.1892
@@ -1382,6 +1382,7 @@
%changelog
* Wed Feb 1 2006 Dave Jones <<davej at redhat.com>
- Woo, 2.6.16rc1-git5 (at last)
+- Enable exec* checking except for execmod for ppc32 and ia64 (#178747)
- Fixed an oops in the stradis driver initialisation.
- Happy Birthday to "The Yellow Dart".
linux-2.6-selinux-mprotect-checks.patch:
hooks.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
Index: linux-2.6-selinux-mprotect-checks.patch
===================================================================
RCS file: /cvs/dist/rpms/kernel/devel/linux-2.6-selinux-mprotect-checks.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- linux-2.6-selinux-mprotect-checks.patch 27 Jan 2006 02:11:30 -0000 1.1
+++ linux-2.6-selinux-mprotect-checks.patch 1 Feb 2006 21:35:54 -0000 1.2
@@ -1,103 +1,31 @@
-From: Stephen Smalley <sds at tycho.nsa.gov>
-Fix the SELinux mprotect checks on executable mappings so that they are not
-re-applied when the mapping is already executable as well as cleaning up
-the code. This avoids a situation where e.g. an application is prevented
-from removing PROT_WRITE on an already executable mapping previously
-authorized via execmem permission due to an execmod denial.
-
-Signed-off-by: Stephen Smalley <sds at tycho.nsa.gov>
-Acked-by: James Morris <jmorris at namei.org>
-Signed-off-by: Andrew Morton <akpm at osdl.org>
----
-
- security/selinux/hooks.c | 50 +++++++++++++++----------------------
- 1 files changed, 21 insertions(+), 29 deletions(-)
-
-diff -puN security/selinux/hooks.c~selinux-fix-and-cleanup-mprotect-checks security/selinux/hooks.c
---- devel/security/selinux/hooks.c~selinux-fix-and-cleanup-mprotect-checks 2006-01-23 16:41:27.000000000 -0800
-+++ devel-akpm/security/selinux/hooks.c 2006-01-23 16:41:27.000000000 -0800
-@@ -2452,35 +2452,27 @@ static int selinux_file_mprotect(struct
+--- linux-2.6.15.noarch/security/selinux/hooks.c~ 2006-02-01 16:28:13.000000000 -0500
++++ linux-2.6.15.noarch/security/selinux/hooks.c 2006-02-01 16:30:30.000000000 -0500
+@@ -2451,7 +2451,6 @@ static int selinux_file_mprotect(struct
+ if (selinux_checkreqprot)
prot = reqprot;
- #ifndef CONFIG_PPC32
-- if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
-- (vma->vm_start >= vma->vm_mm->start_brk &&
-- vma->vm_end <= vma->vm_mm->brk)) {
-- /*
-- * We are making an executable mapping in the brk region.
-- * This has an additional execheap check.
-- */
-- rc = task_has_perm(current, current, PROCESS__EXECHEAP);
-- if (rc)
-- return rc;
-- }
-- if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
-- /*
-- * We are making executable a file mapping that has
-- * had some COW done. Since pages might have been written,
-- * check ability to execute the possibly modified content.
-- * This typically should only occur for text relocations.
-- */
+-#ifndef CONFIG_PPC32
+ if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
+ (vma->vm_start >= vma->vm_mm->start_brk &&
+ vma->vm_end <= vma->vm_mm->brk)) {
+@@ -2470,7 +2469,9 @@ static int selinux_file_mprotect(struct
+ * check ability to execute the possibly modified content.
+ * This typically should only occur for text relocations.
+ */
- int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
-- if (rc)
-- return rc;
-- }
-- if (!vma->vm_file && (prot & PROT_EXEC) &&
-- vma->vm_start <= vma->vm_mm->start_stack &&
-- vma->vm_end >= vma->vm_mm->start_stack) {
-- /* Attempt to make the process stack executable.
-- * This has an additional execstack check.
-- */
-- rc = task_has_perm(current, current, PROCESS__EXECSTACK);
-+ if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
-+ rc = 0;
-+ if (vma->vm_start >= vma->vm_mm->start_brk &&
-+ vma->vm_end <= vma->vm_mm->brk) {
-+ rc = task_has_perm(current, current,
-+ PROCESS__EXECHEAP);
-+ } else if (!vma->vm_file &&
-+ vma->vm_start <= vma->vm_mm->start_stack &&
-+ vma->vm_end >= vma->vm_mm->start_stack) {
-+ rc = task_has_perm(current, current, PROCESS__EXECSTACK);
-+ } else if (vma->vm_file && vma->anon_vma) {
-+ /*
-+ * We are making executable a file mapping that has
-+ * had some COW done. Since pages might have been
-+ * written, check ability to execute the possibly
-+ * modified content. This typically should only
-+ * occur for text relocations.
-+ */
-+ rc = file_has_perm(current, vma->vm_file,
-+ FILE__EXECMOD);
-+ }
++#if !defined(CONFIG_PPC32) && !defined(CONFIG_IA64)
++ rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
++#endif
if (rc)
return rc;
}
-_
-Index: linux-2.6/security/selinux/hooks.c
-===================================================================
-RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v
-retrieving revision 1.178
-diff -u -p -r1.178 hooks.c
---- linux-2.6/security/selinux/hooks.c 19 Jan 2006 21:04:27 -0000 1.178
-+++ linux-2.6/security/selinux/hooks.c 26 Jan 2006 19:16:22 -0000
-@@ -2366,7 +2366,7 @@ static int selinux_file_ioctl(struct fil
-
- static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
- {
--#ifndef CONFIG_PPC32
-+#if !defined(CONFIG_PPC32) && !defined(CONFIG_IA64)
- if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
- /*
- * We are making executable an anonymous mapping or a
-@@ -2424,7 +2424,7 @@ static int selinux_file_mprotect(struct
- if (selinux_checkreqprot)
- prot = reqprot;
+@@ -2484,7 +2485,6 @@ static int selinux_file_mprotect(struct
+ if (rc)
+ return rc;
+ }
+-#endif
--#ifndef CONFIG_PPC32
-+#if !defined(CONFIG_PPC32) && !defined(CONFIG_IA64)
- if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
- rc = 0;
- if (vma->vm_start >= vma->vm_mm->start_brk &&
+ return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
+ }
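Review bot: In the new patch's `@@ -2470,7 +2469,9 @@` hunk, only the assignment `rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);` is wrapped in `#if !defined(CONFIG_PPC32) && !defined(CONFIG_IA64)`, while the following `if (rc) return rc;` stays unconditional, so on ppc32 and ia64 that test reads whatever `rc` held from the preceding checks instead of a value this block computed. Dropping the block-local `int rc` makes this the function-level `rc` (the execheap context line `rc = task_has_perm(current, current, PROCESS__EXECHEAP);` shows one exists), and since each earlier check returns on non-zero, `rc` is presumably zero here, but skipping execmod is then correct only by virtue of that ordering. Making the skip explicit costs two lines: `#else` / `rc = 0;` before the `#endif`. The enclosing `selinux_file_mprotect` starts before this hunk, so the declaration and initialization of `rc` are not visible here and should be confirmed against the 2.6.15 source.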