From patchwork Wed Apr 6 20:01:50 2016
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 8765161
Message-ID: <1459972910.5403.5.camel@gmail.com>
Subject: [RFC][PATCH] selinux-testsuite: Add test for execstack on thread stack
From: Stephen Smalley
To: selinux
Date: Wed, 06 Apr 2016 13:01:50 -0700
In-Reply-To: <1459972627.5403.2.camel@gmail.com>
References: <1459972627.5403.2.camel@gmail.com>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Test execstack permission checking for thread stacks. This depends on the corresponding kernel patch to apply the check for thread stacks in addition to the main process stack.

Signed-off-by: Stephen Smalley
---  tests/mmap/Makefile                |  2 ++  tests/mmap/mprotect_stack_thread.c | 33 +++++++++++++++++++++++++++++++++  tests/mmap/test                    |  8 +++++++-  3 files changed, 42 insertions(+), 1 deletion(-)  create mode 100644 tests/mmap/mprotect_stack_thread.c --  2.8.0 diff --git a/tests/mmap/Makefile b/tests/mmap/Makefile index f2f486c..e330f3e 100644
--- a/tests/mmap/Makefile +++ b/tests/mmap/Makefile @@ -1,5 +1,7 @@  TARGETS=$(patsubst %.c,%,$(wildcard *.c))   +LDLIBS += -lpthread +  all: $(TARGETS)    clean: diff --git a/tests/mmap/mprotect_stack_thread.c b/tests/mmap/mprotect_stack_thread.c new file mode 100644 index 0000000..457b294 --- /dev/null +++ b/tests/mmap/mprotect_stack_thread.c @@ -0,0 +1,33 @@ +#include +#include +#include +#include +#include +#include + +static void *test_thread(void *p) +{ + char buf[4096]; + int rc; + void *ptr; + long pagesize = sysconf(_SC_PAGESIZE); + + ptr = (void *) (((unsigned long) buf) & ~(pagesize - 1)); + + rc = mprotect(ptr, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC); + if (rc < 0) { + perror("mprotect"); + exit(1); + } + return NULL; +} + +int main(void) +{ + pthread_t thread; + + pthread_create(&thread, NULL, test_thread, NULL); + pthread_join(thread, NULL); + exit(0); +} + diff --git a/tests/mmap/test b/tests/mmap/test index 6b1de55..89badda 100755 --- a/tests/mmap/test +++ b/tests/mmap/test @@ -1,7 +1,7 @@  #!/usr/bin/perl    use Test; -BEGIN { plan tests => 30} +BEGIN { plan tests => 32}    $basedir = $0;  $basedir =~ s|(.*)/[^/]*|$1|;   @@ -68,6 +68,12 @@ ok($result, 0);  $result = system "runcon -t test_execmem_t $basedir/mprotect_stack 2>&1";  ok($result);   +# Test success and failure for thread execstack, independent of execmem. +$result = system "runcon -t test_execstack_t $basedir/mprotect_stack_thread"; +ok($result, 0); +$result = system "runcon -t test_execmem_t $basedir/mprotect_stack_thread 2>&1"; +ok($result); +  # Test success and failure for file execute on mmap w/ file shared mapping.  $result = system "runcon -t test_file_rwx_t $basedir/mmap_file_shared $basedir/temp_file";  ok($result, 0);
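
Review bot: in tests/mmap/Makefile, the unconditional "LDLIBS += -lpthread" applies to every binary built from the $(wildcard *.c) TARGETS, although only mprotect_stack_thread creates a thread. A target-specific assignment, "mprotect_stack_thread: LDLIBS += -lpthread", would leave the existing mmap test binaries linked exactly as before, so a change in their results cannot be attributed to the new library.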
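
Review bot: in main() of tests/mmap/mprotect_stack_thread.c, the return value of pthread_create() is not checked, so if no thread is created the program calls pthread_join() on an uninitialized pthread_t and then reaches exit(0) without mprotect() ever having run. The test_execstack_t case would then record a pass without exercising the permission check. Suggest testing the return value and exiting non-zero with a message when it is not 0. Related, in test_thread(): every mprotect() failure exits with status 1, so the denial case cannot tell a permission denial from an unrelated error; checking errno for EACCES and using a distinct exit status for anything else would make a failing run easier to read.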
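
Review bot: in the second hunk of tests/mmap/test, the new denial case (runcon -t test_execmem_t ... followed by ok($result)) is unconditional, while the commit message says the check it relies on comes from a separate kernel patch. On a kernel without that patch this case would be expected to fail and turn the whole mmap test red. Suggest making the two new tests conditional on the kernel under test, or at least stating the minimum kernel in the comment above them. The comment "independent of execmem" could also say what the denial case assumes about test_execmem_t, namely that the domain is allowed execmem but not execstack, since that is what makes the second result meaningful.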