aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLorenzo Hernandez García-Hierro <lorenzo@gnu.org>2005-06-25 17:54:34 -0400
committerLinus Torvalds <torvalds@ppc970.osdl.org>2005-06-25 19:24:26 -0400
commit6b9921976f0861e04828b3aff66696c1f3fd900d (patch)
treebe372b9dc81e393c909c7fecf8778e8864ba3a0d
parent2d15cab85b85a56cc886037cab43cc292923ff22 (diff)
[PATCH] selinux: add executable stack check
This patch adds an execstack permission check that controls the ability to make the main process stack executable so that attempts to make the stack executable can still be prevented even if the process is allowed the existing execmem permission in order to e.g. perform runtime code generation. Note that this does not yet address thread stacks. Note also that unlike the execmem check, the execstack check is only applied on mprotect calls, not mmap calls, as the current security_file_mmap hook is not passed the necessary information presently. The original author of the code that makes the distinction of the stack region, is Ingo Molnar, who wrote it within his patch for /proc/<pid>/maps markers. (http://marc.theaimsgroup.com/?l=linux-kernel&m=110719881508591&w=2) The patches also can be found at: http://pearls.tuxedo-es.org/patches/selinux/policy-execstack.patch http://pearls.tuxedo-es.org/patches/selinux/kernel-execstack.patch policy-execstack.patch is the patch that needs to be applied to the policy in order to support the execstack permission and exclude it from general_domain_access within macros/core_macros.te. kernel-execstack.patch adds such permission to the SELinux code within the kernel and adds the proper permission check to the selinux_file_mprotect() hook. Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> Acked-by: James Morris <jmorris@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Cc: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--security/selinux/hooks.c10
-rw-r--r--security/selinux/include/av_perm_to_string.h1
-rw-r--r--security/selinux/include/av_permissions.h1
3 files changed, 12 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 87302a49067b..ad725213f568 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2488,6 +2488,16 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
2488 if (rc) 2488 if (rc)
2489 return rc; 2489 return rc;
2490 } 2490 }
2491 if (!vma->vm_file && (prot & PROT_EXEC) &&
2492 vma->vm_start <= vma->vm_mm->start_stack &&
2493 vma->vm_end >= vma->vm_mm->start_stack) {
2494 /* Attempt to make the process stack executable.
2495 * This has an additional execstack check.
2496 */
2497 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2498 if (rc)
2499 return rc;
2500 }
2491#endif 2501#endif
2492 2502
2493 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 2503 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 8928bb4d3c53..e81f0226c37d 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -70,6 +70,7 @@
70 S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition") 70 S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
71 S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent") 71 S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
72 S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem") 72 S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
73 S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
73 S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue") 74 S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
74 S_(SECCLASS_MSG, MSG__SEND, "send") 75 S_(SECCLASS_MSG, MSG__SEND, "send")
75 S_(SECCLASS_MSG, MSG__RECEIVE, "receive") 76 S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index bdfce4ca8f8e..38ce18b33284 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -465,6 +465,7 @@
465#define PROCESS__DYNTRANSITION 0x00800000UL 465#define PROCESS__DYNTRANSITION 0x00800000UL
466#define PROCESS__SETCURRENT 0x01000000UL 466#define PROCESS__SETCURRENT 0x01000000UL
467#define PROCESS__EXECMEM 0x02000000UL 467#define PROCESS__EXECMEM 0x02000000UL
468#define PROCESS__EXECSTACK 0x04000000UL
468 469
469#define IPC__CREATE 0x00000001UL 470#define IPC__CREATE 0x00000001UL
470#define IPC__DESTROY 0x00000002UL 471#define IPC__DESTROY 0x00000002UL