diff options
| -rw-r--r-- | security/selinux/hooks.c | 11 | ||||
| -rw-r--r-- | security/selinux/include/av_perm_to_string.h | 1 | ||||
| -rw-r--r-- | security/selinux/include/av_permissions.h | 1 |
3 files changed, 13 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ad725213f568..932eef18db33 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -2477,6 +2477,17 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, | |||
| 2477 | prot = reqprot; | 2477 | prot = reqprot; |
| 2478 | 2478 | ||
| 2479 | #ifndef CONFIG_PPC32 | 2479 | #ifndef CONFIG_PPC32 |
| 2480 | if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) && | ||
| 2481 | (vma->vm_start >= vma->vm_mm->start_brk && | ||
| 2482 | vma->vm_end <= vma->vm_mm->brk)) { | ||
| 2483 | /* | ||
| 2484 | * We are making an executable mapping in the brk region. | ||
| 2485 | * This has an additional execheap check. | ||
| 2486 | */ | ||
| 2487 | rc = task_has_perm(current, current, PROCESS__EXECHEAP); | ||
| 2488 | if (rc) | ||
| 2489 | return rc; | ||
| 2490 | } | ||
| 2480 | if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) { | 2491 | if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) { |
| 2481 | /* | 2492 | /* |
| 2482 | * We are making executable a file mapping that has | 2493 | * We are making executable a file mapping that has |
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index e81f0226c37d..1deb59e1b762 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h | |||
| @@ -71,6 +71,7 @@ | |||
| 71 | S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent") | 71 | S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent") |
| 72 | S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem") | 72 | S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem") |
| 73 | S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack") | 73 | S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack") |
| 74 | S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap") | ||
| 74 | S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue") | 75 | S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue") |
| 75 | S_(SECCLASS_MSG, MSG__SEND, "send") | 76 | S_(SECCLASS_MSG, MSG__SEND, "send") |
| 76 | S_(SECCLASS_MSG, MSG__RECEIVE, "receive") | 77 | S_(SECCLASS_MSG, MSG__RECEIVE, "receive") |
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index 38ce18b33284..a78b5d59c9fc 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h | |||
| @@ -466,6 +466,7 @@ | |||
| 466 | #define PROCESS__SETCURRENT 0x01000000UL | 466 | #define PROCESS__SETCURRENT 0x01000000UL |
| 467 | #define PROCESS__EXECMEM 0x02000000UL | 467 | #define PROCESS__EXECMEM 0x02000000UL |
| 468 | #define PROCESS__EXECSTACK 0x04000000UL | 468 | #define PROCESS__EXECSTACK 0x04000000UL |
| 469 | #define PROCESS__EXECHEAP 0x08000000UL | ||
| 469 | 470 | ||
| 470 | #define IPC__CREATE 0x00000001UL | 471 | #define IPC__CREATE 0x00000001UL |
| 471 | #define IPC__DESTROY 0x00000002UL | 472 | #define IPC__DESTROY 0x00000002UL |