diff options
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/hooks.c | 50 |
1 files changed, 21 insertions, 29 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b9f8d9731c3d..1bb5eea3b8c1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -2454,35 +2454,27 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, | |||
2454 | prot = reqprot; | 2454 | prot = reqprot; |
2455 | 2455 | ||
2456 | #ifndef CONFIG_PPC32 | 2456 | #ifndef CONFIG_PPC32 |
2457 | if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) && | 2457 | if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { |
2458 | (vma->vm_start >= vma->vm_mm->start_brk && | 2458 | rc = 0; |
2459 | vma->vm_end <= vma->vm_mm->brk)) { | 2459 | if (vma->vm_start >= vma->vm_mm->start_brk && |
2460 | /* | 2460 | vma->vm_end <= vma->vm_mm->brk) { |
2461 | * We are making an executable mapping in the brk region. | 2461 | rc = task_has_perm(current, current, |
2462 | * This has an additional execheap check. | 2462 | PROCESS__EXECHEAP); |
2463 | */ | 2463 | } else if (!vma->vm_file && |
2464 | rc = task_has_perm(current, current, PROCESS__EXECHEAP); | 2464 | vma->vm_start <= vma->vm_mm->start_stack && |
2465 | if (rc) | 2465 | vma->vm_end >= vma->vm_mm->start_stack) { |
2466 | return rc; | 2466 | rc = task_has_perm(current, current, PROCESS__EXECSTACK); |
2467 | } | 2467 | } else if (vma->vm_file && vma->anon_vma) { |
2468 | if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) { | 2468 | /* |
2469 | /* | 2469 | * We are making executable a file mapping that has |
2470 | * We are making executable a file mapping that has | 2470 | * had some COW done. Since pages might have been |
2471 | * had some COW done. Since pages might have been written, | 2471 | * written, check ability to execute the possibly |
2472 | * check ability to execute the possibly modified content. | 2472 | * modified content. This typically should only |
2473 | * This typically should only occur for text relocations. | 2473 | * occur for text relocations. |
2474 | */ | 2474 | */ |
2475 | int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD); | 2475 | rc = file_has_perm(current, vma->vm_file, |
2476 | if (rc) | 2476 | FILE__EXECMOD); |
2477 | return rc; | 2477 | } |
2478 | } | ||
2479 | if (!vma->vm_file && (prot & PROT_EXEC) && | ||
2480 | vma->vm_start <= vma->vm_mm->start_stack && | ||
2481 | vma->vm_end >= vma->vm_mm->start_stack) { | ||
2482 | /* Attempt to make the process stack executable. | ||
2483 | * This has an additional execstack check. | ||
2484 | */ | ||
2485 | rc = task_has_perm(current, current, PROCESS__EXECSTACK); | ||
2486 | if (rc) | 2478 | if (rc) |
2487 | return rc; | 2479 | return rc; |
2488 | } | 2480 | } |