diff options
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 87302a49067b..17a1189f1ff8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -1658,9 +1658,8 @@ static int selinux_bprm_secureexec (struct linux_binprm *bprm) | |||
| 1658 | 1658 | ||
| 1659 | static void selinux_bprm_free_security(struct linux_binprm *bprm) | 1659 | static void selinux_bprm_free_security(struct linux_binprm *bprm) |
| 1660 | { | 1660 | { |
| 1661 | struct bprm_security_struct *bsec = bprm->security; | 1661 | kfree(bprm->security); |
| 1662 | bprm->security = NULL; | 1662 | bprm->security = NULL; |
| 1663 | kfree(bsec); | ||
| 1664 | } | 1663 | } |
| 1665 | 1664 | ||
| 1666 | extern struct vfsmount *selinuxfs_mount; | 1665 | extern struct vfsmount *selinuxfs_mount; |
| @@ -2477,6 +2476,17 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, | |||
| 2477 | prot = reqprot; | 2476 | prot = reqprot; |
| 2478 | 2477 | ||
| 2479 | #ifndef CONFIG_PPC32 | 2478 | #ifndef CONFIG_PPC32 |
| 2479 | if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) && | ||
| 2480 | (vma->vm_start >= vma->vm_mm->start_brk && | ||
| 2481 | vma->vm_end <= vma->vm_mm->brk)) { | ||
| 2482 | /* | ||
| 2483 | * We are making an executable mapping in the brk region. | ||
| 2484 | * This has an additional execheap check. | ||
| 2485 | */ | ||
| 2486 | rc = task_has_perm(current, current, PROCESS__EXECHEAP); | ||
| 2487 | if (rc) | ||
| 2488 | return rc; | ||
| 2489 | } | ||
| 2480 | if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) { | 2490 | if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) { |
| 2481 | /* | 2491 | /* |
| 2482 | * We are making executable a file mapping that has | 2492 | * We are making executable a file mapping that has |
| @@ -2488,6 +2498,16 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, | |||
| 2488 | if (rc) | 2498 | if (rc) |
| 2489 | return rc; | 2499 | return rc; |
| 2490 | } | 2500 | } |
| 2501 | if (!vma->vm_file && (prot & PROT_EXEC) && | ||
| 2502 | vma->vm_start <= vma->vm_mm->start_stack && | ||
| 2503 | vma->vm_end >= vma->vm_mm->start_stack) { | ||
| 2504 | /* Attempt to make the process stack executable. | ||
| 2505 | * This has an additional execstack check. | ||
| 2506 | */ | ||
| 2507 | rc = task_has_perm(current, current, PROCESS__EXECSTACK); | ||
| 2508 | if (rc) | ||
| 2509 | return rc; | ||
| 2510 | } | ||
| 2491 | #endif | 2511 | #endif |
| 2492 | 2512 | ||
| 2493 | return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); | 2513 | return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); |