diff options
| -rw-r--r-- | security/selinux/hooks.c | 10 | ||||
| -rw-r--r-- | security/selinux/include/av_perm_to_string.h | 1 | ||||
| -rw-r--r-- | security/selinux/include/av_permissions.h | 1 |
3 files changed, 12 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 87302a49067b..ad725213f568 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -2488,6 +2488,16 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, | |||
| 2488 | if (rc) | 2488 | if (rc) |
| 2489 | return rc; | 2489 | return rc; |
| 2490 | } | 2490 | } |
| 2491 | if (!vma->vm_file && (prot & PROT_EXEC) && | ||
| 2492 | vma->vm_start <= vma->vm_mm->start_stack && | ||
| 2493 | vma->vm_end >= vma->vm_mm->start_stack) { | ||
| 2494 | /* Attempt to make the process stack executable. | ||
| 2495 | * This has an additional execstack check. | ||
| 2496 | */ | ||
| 2497 | rc = task_has_perm(current, current, PROCESS__EXECSTACK); | ||
| 2498 | if (rc) | ||
| 2499 | return rc; | ||
| 2500 | } | ||
| 2491 | #endif | 2501 | #endif |
| 2492 | 2502 | ||
| 2493 | return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); | 2503 | return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); |
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index 8928bb4d3c53..e81f0226c37d 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h | |||
| @@ -70,6 +70,7 @@ | |||
| 70 | S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition") | 70 | S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition") |
| 71 | S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent") | 71 | S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent") |
| 72 | S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem") | 72 | S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem") |
| 73 | S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack") | ||
| 73 | S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue") | 74 | S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue") |
| 74 | S_(SECCLASS_MSG, MSG__SEND, "send") | 75 | S_(SECCLASS_MSG, MSG__SEND, "send") |
| 75 | S_(SECCLASS_MSG, MSG__RECEIVE, "receive") | 76 | S_(SECCLASS_MSG, MSG__RECEIVE, "receive") |
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index bdfce4ca8f8e..38ce18b33284 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h | |||
| @@ -465,6 +465,7 @@ | |||
| 465 | #define PROCESS__DYNTRANSITION 0x00800000UL | 465 | #define PROCESS__DYNTRANSITION 0x00800000UL |
| 466 | #define PROCESS__SETCURRENT 0x01000000UL | 466 | #define PROCESS__SETCURRENT 0x01000000UL |
| 467 | #define PROCESS__EXECMEM 0x02000000UL | 467 | #define PROCESS__EXECMEM 0x02000000UL |
| 468 | #define PROCESS__EXECSTACK 0x04000000UL | ||
| 468 | 469 | ||
| 469 | #define IPC__CREATE 0x00000001UL | 470 | #define IPC__CREATE 0x00000001UL |
| 470 | #define IPC__DESTROY 0x00000002UL | 471 | #define IPC__DESTROY 0x00000002UL |