aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ebee467e2913..a03fd74602b4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2999,13 +2999,15 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2999 return file_has_perm(cred, file, av); 2999 return file_has_perm(cred, file, av);
3000} 3000}
3001 3001
3002static int default_noexec;
3003
3002static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3004static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3003{ 3005{
3004 const struct cred *cred = current_cred(); 3006 const struct cred *cred = current_cred();
3005 int rc = 0; 3007 int rc = 0;
3006 3008
3007#ifndef CONFIG_PPC32 3009 if (default_noexec &&
3008 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 3010 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3009 /* 3011 /*
3010 * We are making executable an anonymous mapping or a 3012 * We are making executable an anonymous mapping or a
3011 * private file mapping that will also be writable. 3013 * private file mapping that will also be writable.
@@ -3015,7 +3017,6 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
3015 if (rc) 3017 if (rc)
3016 goto error; 3018 goto error;
3017 } 3019 }
3018#endif
3019 3020
3020 if (file) { 3021 if (file) {
3021 /* read access is always possible with a mapping */ 3022 /* read access is always possible with a mapping */
@@ -3076,8 +3077,8 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3076 if (selinux_checkreqprot) 3077 if (selinux_checkreqprot)
3077 prot = reqprot; 3078 prot = reqprot;
3078 3079
3079#ifndef CONFIG_PPC32 3080 if (default_noexec &&
3080 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3081 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3081 int rc = 0; 3082 int rc = 0;
3082 if (vma->vm_start >= vma->vm_mm->start_brk && 3083 if (vma->vm_start >= vma->vm_mm->start_brk &&
3083 vma->vm_end <= vma->vm_mm->brk) { 3084 vma->vm_end <= vma->vm_mm->brk) {
@@ -3099,7 +3100,6 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3099 if (rc) 3100 if (rc)
3100 return rc; 3101 return rc;
3101 } 3102 }
3102#endif
3103 3103
3104 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3104 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3105} 3105}
@@ -5662,6 +5662,8 @@ static __init int selinux_init(void)
5662 /* Set the security state for the initial task. */ 5662 /* Set the security state for the initial task. */
5663 cred_init_security(); 5663 cred_init_security();
5664 5664
5665 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5666
5665 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5667 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5666 sizeof(struct inode_security_struct), 5668 sizeof(struct inode_security_struct),
5667 0, SLAB_PANIC, NULL); 5669 0, SLAB_PANIC, NULL);