From patchwork Wed Apr 6 19:57:07 2016
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 8765151
Message-ID: <1459972627.5403.2.camel@gmail.com>
Subject: [RFC][PATCH] selinux: apply execstack check on thread stacks
From: Stephen Smalley
To: selinux
Date: Wed, 06 Apr 2016 12:57:07 -0700
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

The execstack check was only being applied on the main process stack. Thread stacks allocated via mmap were only subject to the execmem permission check. Augment the check to apply to the current thread stack as well.

Note that this does NOT prevent making a different thread's stack executable.

Suggested-by: Nick Kralevich
Signed-off-by: Stephen Smalley
Acked-By: Nick Kralevich
---
 security/selinux/hooks.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

-- 
2.8.0

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a9ca5ee..0271be4 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -3465,8 +3465,9 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,       vma->vm_end <= vma->vm_mm->brk) {   rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);   } else if (!vma->vm_file && -    vma->vm_start <= vma->vm_mm->start_stack && -    vma->vm_end >= vma->vm_mm->start_stack) { +    ((vma->vm_start <= vma->vm_mm->start_stack && +      vma->vm_end >= vma->vm_mm->start_stack) || +     vma_is_stack_for_task(vma, current))) {   rc = current_has_perm(current, PROCESS__EXECSTACK);   } else if (vma->vm_file && vma->anon_vma) {   /*
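Review bot: The added vma_is_stack_for_task(vma, current) clause recognises only the calling thread's own stack, so a thread that calls mprotect(PROT_EXEC) on a sibling thread's stack still misses this branch and is judged by the execmem check the commit message mentions rather than PROCESS__EXECSTACK; the commit message states this limitation but nothing in the code does. Suggest a short comment above the `} else if (!vma->vm_file &&` branch recording what the two clauses cover and what they do not, along the lines of `/* main process stack, or the stack of the thread calling mprotect(); other threads' stacks fall through to execmem */`. It is also worth stating there why the original start_stack test is retained next to the new helper: when a non-main thread calls mprotect() on the main stack, current's own stack pointer is in its thread stack, so only the start_stack clause matches that case.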
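A userspace check for the behaviour the commit message describes, added here as an example; it is not part of Stephen Smalley's patch or of the kernel tree, and the names in it (exec_probe, probe_current_stack, probe_thread_stack, verdict) are my own. It asks the kernel to make one page of the caller's stack executable, first from the main thread (the start_stack branch of selinux_file_mprotect) and then from inside a pthread whose stack glibc allocates with an anonymous mmap (the case this patch adds). It assumes a Linux host with glibc pthreads; without SELinux enforcing, both probes simply report "allowed".

```c
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * Added example, not part of the patch or the kernel tree. The names below
 * (exec_probe, probe_current_stack, probe_thread_stack, verdict) are my own.
 */

/* Outcome of asking the kernel to make one page of the caller's stack executable. */
struct exec_probe {
    int err;       /* 0 if mprotect(PROT_EXEC) succeeded, else errno (EACCES on an SELinux denial) */
    int restored;  /* 1 if the page is back to RW afterwards (always 1 when the request was refused) */
};

/*
 * Flip the page holding a local variable, which lives on the calling thread's
 * stack, to RWX and then back. From the main thread this exercises the
 * start_stack test in selinux_file_mprotect(); from a pthread it exercises the
 * vma_is_stack_for_task(vma, current) clause this patch adds.
 */
static struct exec_probe probe_current_stack(void)
{
    struct exec_probe r = { 0, 1 };
    volatile char marker = 0;   /* stack-resident, so &marker is inside this thread's stack vma */
    uintptr_t pgsz = (uintptr_t)sysconf(_SC_PAGESIZE);
    void *page = (void *)((uintptr_t)&marker & ~(pgsz - 1));

    if (mprotect(page, pgsz, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        r.err = errno;          /* refused: nothing to undo */
        return r;
    }
    /* The request was allowed; put the page back before returning. */
    if (mprotect(page, pgsz, PROT_READ | PROT_WRITE) != 0)
        r.restored = 0;
    return r;
}

static void *thread_fn(void *arg)
{
    *(struct exec_probe *)arg = probe_current_stack();
    return NULL;
}

/*
 * Run the probe on a freshly created pthread. glibc places the new thread's
 * stack in an anonymous mmap() region, not in the process stack, which is the
 * mapping the commit message says was previously checked only for execmem.
 * Returns 0, or the pthread error code if the thread could not be run.
 */
static int probe_thread_stack(struct exec_probe *out)
{
    pthread_t t;
    int rc = pthread_create(&t, NULL, thread_fn, out);
    if (rc != 0)
        return rc;
    return pthread_join(t, NULL);
}

/* One-line reading of a probe result for the operator. */
static const char *verdict(const struct exec_probe *p)
{
    if (p->err == 0)
        return "allowed (SELinux not enforcing, or the domain holds the permission; "
               "in permissive mode the audit log shows which permission was checked)";
    if (p->err == EACCES)
        return "denied with EACCES (expected for a domain without execstack once this patch is applied)";
    return strerror(p->err);
}

int main(void)
{
    struct exec_probe main_stack = probe_current_stack();
    struct exec_probe thread_stack;

    printf("main process stack: %s\n", verdict(&main_stack));
    if (probe_thread_stack(&thread_stack) != 0) {
        fprintf(stderr, "could not start probe thread\n");
        return 1;
    }
    printf("pthread stack:      %s\n", verdict(&thread_stack));
    return 0;
}
```

Build with `cc -pthread` and run it in an enforcing domain that has execmem but not execstack: on a kernel without this patch the pthread probe is allowed, because the thread stack vma is only checked for execmem; with the patch applied it is refused with EACCES and the AVC record names execstack, matching the main-stack probe.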