diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ebee467e2913..a03fd74602b4 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -2999,13 +2999,15 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, | |||
2999 | return file_has_perm(cred, file, av); | 2999 | return file_has_perm(cred, file, av); |
3000 | } | 3000 | } |
3001 | 3001 | ||
3002 | static int default_noexec; | ||
3003 | |||
3002 | static int file_map_prot_check(struct file *file, unsigned long prot, int shared) | 3004 | static int file_map_prot_check(struct file *file, unsigned long prot, int shared) |
3003 | { | 3005 | { |
3004 | const struct cred *cred = current_cred(); | 3006 | const struct cred *cred = current_cred(); |
3005 | int rc = 0; | 3007 | int rc = 0; |
3006 | 3008 | ||
3007 | #ifndef CONFIG_PPC32 | 3009 | if (default_noexec && |
3008 | if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { | 3010 | (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { |
3009 | /* | 3011 | /* |
3010 | * We are making executable an anonymous mapping or a | 3012 | * We are making executable an anonymous mapping or a |
3011 | * private file mapping that will also be writable. | 3013 | * private file mapping that will also be writable. |
@@ -3015,7 +3017,6 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared | |||
3015 | if (rc) | 3017 | if (rc) |
3016 | goto error; | 3018 | goto error; |
3017 | } | 3019 | } |
3018 | #endif | ||
3019 | 3020 | ||
3020 | if (file) { | 3021 | if (file) { |
3021 | /* read access is always possible with a mapping */ | 3022 | /* read access is always possible with a mapping */ |
@@ -3076,8 +3077,8 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, | |||
3076 | if (selinux_checkreqprot) | 3077 | if (selinux_checkreqprot) |
3077 | prot = reqprot; | 3078 | prot = reqprot; |
3078 | 3079 | ||
3079 | #ifndef CONFIG_PPC32 | 3080 | if (default_noexec && |
3080 | if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { | 3081 | (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { |
3081 | int rc = 0; | 3082 | int rc = 0; |
3082 | if (vma->vm_start >= vma->vm_mm->start_brk && | 3083 | if (vma->vm_start >= vma->vm_mm->start_brk && |
3083 | vma->vm_end <= vma->vm_mm->brk) { | 3084 | vma->vm_end <= vma->vm_mm->brk) { |
@@ -3099,7 +3100,6 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, | |||
3099 | if (rc) | 3100 | if (rc) |
3100 | return rc; | 3101 | return rc; |
3101 | } | 3102 | } |
3102 | #endif | ||
3103 | 3103 | ||
3104 | return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); | 3104 | return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); |
3105 | } | 3105 | } |
@@ -5662,6 +5662,8 @@ static __init int selinux_init(void) | |||
5662 | /* Set the security state for the initial task. */ | 5662 | /* Set the security state for the initial task. */ |
5663 | cred_init_security(); | 5663 | cred_init_security(); |
5664 | 5664 | ||
5665 | default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); | ||
5666 | |||
5665 | sel_inode_cache = kmem_cache_create("selinux_inode_security", | 5667 | sel_inode_cache = kmem_cache_create("selinux_inode_security", |
5666 | sizeof(struct inode_security_struct), | 5668 | sizeof(struct inode_security_struct), |
5667 | 0, SLAB_PANIC, NULL); | 5669 | 0, SLAB_PANIC, NULL); |