Message ID | 1459972627.5403.2.camel@gmail.com (mailing list archive) |
---|---|
State | Superseded |
Thanks! On Wed, Apr 6, 2016 at 12:57 PM, Stephen Smalley <stephen.smalley@gmail.com> wrote: > The execstack check was only being applied on the main > process stack. Thread stacks allocated via mmap were > only subject to the execmem permission check. Augment > the check to apply to the current thread stack as well. > Note that this does NOT prevent making a different thread's > stack executable. > > Suggested-by: Nick Kralevich <nnk@google.com> Acked-By: Nick Kralevich <nnk@google.com> > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > security/selinux/hooks.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index a9ca5ee..0271be4 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -3465,8 +3465,9 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, > vma->vm_end <= vma->vm_mm->brk) { > rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); > } else if (!vma->vm_file && > - vma->vm_start <= vma->vm_mm->start_stack && > - vma->vm_end >= vma->vm_mm->start_stack) { > + ((vma->vm_start <= vma->vm_mm->start_stack && > + vma->vm_end >= vma->vm_mm->start_stack) || > + vma_is_stack_for_task(vma, current))) { > rc = current_has_perm(current, PROCESS__EXECSTACK); > } else if (vma->vm_file && vma->anon_vma) { > /* > -- > 2.8.0 >
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a9ca5ee..0271be4 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3465,8 +3465,9 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, vma->vm_end <= vma->vm_mm->brk) { rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); } else if (!vma->vm_file && - vma->vm_start <= vma->vm_mm->start_stack && - vma->vm_end >= vma->vm_mm->start_stack) { + ((vma->vm_start <= vma->vm_mm->start_stack && + vma->vm_end >= vma->vm_mm->start_stack) || + vma_is_stack_for_task(vma, current))) { rc = current_has_perm(current, PROCESS__EXECSTACK); } else if (vma->vm_file && vma->anon_vma) { /*
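Review bot: The added `vma_is_stack_for_task(vma, current)` term in the `!vma->vm_file` branch only matches the calling thread's stack, so an mprotect issued by one thread against another thread's mmap-allocated stack still never reaches the `PROCESS__EXECSTACK` check, as the commit message itself notes. That limitation is recorded only in the changelog; a short comment above the condition stating that other threads' stacks are not covered here and remain subject only to the execmem check would keep a later reader from assuming execstack is enforced for every thread stack. With three terms and nested parentheses, the stack test might also read better pulled into a small helper.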
The execstack check was only being applied on the main process stack. Thread stacks allocated via mmap were only subject to the execmem permission check. Augment the check to apply to the current thread stack as well. Note that this does NOT prevent making a different thread's stack executable.

Suggested-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

---

security/selinux/hooks.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--
2.8.0