rpms/kernel/devel linux-2.6-selinux-mprotect-checks.patch, NONE, 1.1 kernel-2.6.spec, 1.1876, 1.1877

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Jan 27 02:11:33 UTC 2006


Author: davej

Update of /cvs/dist/rpms/kernel/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv8900

Modified Files:
	kernel-2.6.spec 
Added Files:
	linux-2.6-selinux-mprotect-checks.patch 
Log Message:
Fix the SELinux mprotect checks on executable mappings. (#178747)



linux-2.6-selinux-mprotect-checks.patch:
 devel-akpm/security/selinux/hooks.c |   50 +++++++++++++++---------------------
 linux-2.6/security/selinux/hooks.c  |    4 +-
 2 files changed, 23 insertions(+), 31 deletions(-)

--- NEW FILE linux-2.6-selinux-mprotect-checks.patch ---

From: Stephen Smalley <sds at tycho.nsa.gov>

Fix the SELinux mprotect checks on executable mappings so that they are not
re-applied when the mapping is already executable as well as cleaning up
the code.  This avoids a situation where e.g.  an application is prevented
from removing PROT_WRITE on an already executable mapping previously
authorized via execmem permission due to an execmod denial.

Signed-off-by: Stephen Smalley <sds at tycho.nsa.gov>
Acked-by: James Morris <jmorris at namei.org>
Signed-off-by: Andrew Morton <akpm at osdl.org>
---

 security/selinux/hooks.c |   50 +++++++++++++++----------------------
 1 files changed, 21 insertions(+), 29 deletions(-)

diff -puN security/selinux/hooks.c~selinux-fix-and-cleanup-mprotect-checks security/selinux/hooks.c
--- devel/security/selinux/hooks.c~selinux-fix-and-cleanup-mprotect-checks	2006-01-23 16:41:27.000000000 -0800
+++ devel-akpm/security/selinux/hooks.c	2006-01-23 16:41:27.000000000 -0800
@@ -2452,35 +2452,27 @@ static int selinux_file_mprotect(struct 
 		prot = reqprot;
 
 #ifndef CONFIG_PPC32
-	if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
-	   (vma->vm_start >= vma->vm_mm->start_brk &&
-	    vma->vm_end <= vma->vm_mm->brk)) {
-	    	/*
-		 * We are making an executable mapping in the brk region.
-		 * This has an additional execheap check.
-		 */
-		rc = task_has_perm(current, current, PROCESS__EXECHEAP);
-		if (rc)
-			return rc;
-	}
-	if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
-		/*
-		 * We are making executable a file mapping that has
-		 * had some COW done. Since pages might have been written,
-		 * check ability to execute the possibly modified content.
-		 * This typically should only occur for text relocations.
-		 */
-		int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
-		if (rc)
-			return rc;
-	}
-	if (!vma->vm_file && (prot & PROT_EXEC) &&
-		vma->vm_start <= vma->vm_mm->start_stack &&
-		vma->vm_end >= vma->vm_mm->start_stack) {
-		/* Attempt to make the process stack executable.
-		 * This has an additional execstack check.
-		 */
-		rc = task_has_perm(current, current, PROCESS__EXECSTACK);
+	if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
+		rc = 0;
+		if (vma->vm_start >= vma->vm_mm->start_brk &&
+		    vma->vm_end <= vma->vm_mm->brk) {
+			rc = task_has_perm(current, current,
+					   PROCESS__EXECHEAP);
+		} else if (!vma->vm_file &&
+			   vma->vm_start <= vma->vm_mm->start_stack &&
+			   vma->vm_end >= vma->vm_mm->start_stack) {
+			rc = task_has_perm(current, current, PROCESS__EXECSTACK);
+		} else if (vma->vm_file && vma->anon_vma) {
+			/*
+			 * We are making executable a file mapping that has
+			 * had some COW done. Since pages might have been
+			 * written, check ability to execute the possibly
+			 * modified content.  This typically should only
+			 * occur for text relocations.
+			 */
+			rc = file_has_perm(current, vma->vm_file,
+					   FILE__EXECMOD);
+		}
 		if (rc)
 			return rc;
 	}
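Review bot: The `else if` chain makes the execheap, execstack and execmod checks mutually exclusive, whereas the removed code applied execmod independently of the heap/stack checks, so a file-backed mapping with an anon_vma that lies inside [start_brk, brk) (reachable, if at all, only by MAP_FIXED-mapping a file into the heap range) would now get only the execheap check and skip execmod; if that relaxation is intended it should be stated, and if not the execmod branch should be an independent `if` rather than the final `else if`. The outer guard also carries the commit's key rationale without saying so, and deserves a comment such as `/* Only check the non-exec -> exec transition; an already executable mapping was authorized when it became executable. */`. The cleanup dropped the comments the old execheap and execstack branches had; restoring one-liners like `/* Making the brk region executable: needs execheap. */` and `/* Making the process stack executable: needs execstack. */` keeps the three branches equally readable. selinux_file_mprotect starts before this hunk.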
_
Index: linux-2.6/security/selinux/hooks.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v
retrieving revision 1.178
diff -u -p -r1.178 hooks.c
--- linux-2.6/security/selinux/hooks.c	19 Jan 2006 21:04:27 -0000	1.178
+++ linux-2.6/security/selinux/hooks.c	26 Jan 2006 19:16:22 -0000
@@ -2366,7 +2366,7 @@ static int selinux_file_ioctl(struct fil
 
 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
 {
-#ifndef CONFIG_PPC32
+#if !defined(CONFIG_PPC32) && !defined(CONFIG_IA64)
 	if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
 		/*
 		 * We are making executable an anonymous mapping or a
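Review bot: The widened `#if` silently turns off every execmem/execmod check on IA64 with no comment explaining why that architecture is exempt, and the identical condition is now duplicated in two places (here and in selinux_file_mprotect), so the next arch exemption has to be made twice. Disabling an LSM enforcement path per-arch is a security-relevant decision that should be recorded next to the code, e.g. `/* Exec-permission checks are not enforced on PPC32 or IA64 (see <bug/rationale>). */` with the actual reason filled in, since nothing in this patch states it. Defining a single `#define SELINUX_SKIP_EXEC_CHECKS` under `#if defined(CONFIG_PPC32) || defined(CONFIG_IA64)` near the top of the file and using `#ifndef SELINUX_SKIP_EXEC_CHECKS` at both sites would keep the two conditions from drifting apart. file_map_prot_check's body continues past this hunk.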
@@ -2424,7 +2424,7 @@ static int selinux_file_mprotect(struct 
 	if (selinux_checkreqprot)
 		prot = reqprot;
 
-#ifndef CONFIG_PPC32
+#if !defined(CONFIG_PPC32) && !defined(CONFIG_IA64)
 	if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
 		rc = 0;
 		if (vma->vm_start >= vma->vm_mm->start_brk &&


Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/devel/kernel-2.6.spec,v
retrieving revision 1.1876
retrieving revision 1.1877
diff -u -r1.1876 -r1.1877
--- kernel-2.6.spec	26 Jan 2006 22:54:44 -0000	1.1876
+++ kernel-2.6.spec	27 Jan 2006 02:11:30 -0000	1.1877
@@ -342,6 +342,7 @@
 Patch1700: linux-2.6-ide-tune-locking.patch
 Patch1710: linux-2.6-autofs-pathlookup.patch
 Patch1720: linux-2.6-selinux-hush.patch
+Patch1721: linux-2.6-selinux-mprotect-checks.patch
 Patch1730: linux-2.6-ide-cd-shutup.patch
 Patch1740: linux-2.6-block-reduce-stack.patch
 Patch1750: linux-2.6-ub.patch
@@ -816,6 +817,8 @@
 %patch1710 -p1
 # Silence some selinux messages.
 %patch1720 -p1
+# Fix the SELinux mprotect checks on executable mappings
+%patch1721 -p1
 # Silence noisy CD drive spew
 %patch1730 -p1
 # Reduce stack usage in block layer
@@ -1370,6 +1373,7 @@
 - Fix slab corruption in network layer.
 - Make iptables work again.
 - Update ACPI to latest acpi-git tree.
+- Fix the SELinux mprotect checks on executable mappings. (#178747)
 
 * Wed Jan 25 2006 Dave Jones <davej at redhat.com>
 - Disable page allocation debugging again.



