
selinux: apply execstack check on thread stacks

Message ID 1460138103-17507-1-git-send-email-sds@tycho.nsa.gov (mailing list archive)
State Accepted

Commit Message

Stephen Smalley April 8, 2016, 5:55 p.m. UTC
The execstack check was only being applied on the main
process stack.  Thread stacks allocated via mmap were
only subject to the execmem permission check.  Augment
the check to apply to the current thread stack as well.
Note that this does NOT prevent making a different thread's
stack executable.

Suggested-by: Nick Kralevich <nnk@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 security/selinux/hooks.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
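The three cases the commit message separates (the main process stack, a thread's own mmap()-allocated stack, and another thread's stack) can be exercised from userspace. The program below is an added example, not part of the patch or of the kernel tree: each probe asks for a RWX page on one of those stacks and reports what mprotect() returned, which is where the execstack-versus-execmem distinction becomes visible under an enforcing policy. It assumes glibc (pthread_getattr_np is not needed, but MAP_STACK and pthread_attr_setstack are), Linux, and a seccomp-free environment; the function names, the worker_result struct and the 256 KiB worker stack size are the example's own.

```c
/* Added example (not part of the patch): which stack an mprotect(PROT_EXEC)
 * targets, and from which thread it is issued, decides whether SELinux checks
 * execstack or execmem. Assumes glibc on Linux. Build: gcc -pthread stackprobe.c */
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define WORKER_STACK_SIZE (256 * 1024) /* example's own choice */

struct worker_result {
	int own_stack_rc;    /* try_exec_page() issued by the worker on its own stack */
	int cross_thread_rc; /* try_exec_page() issued by main on the worker's stack */
	void *stack_page;    /* an address inside the worker's stack, handed to main */
};

/* Make the page holding p RWX, then restore RW. Returns 0 if the kernel
 * allowed it, -errno otherwise (an SELinux denial surfaces as -EACCES).
 * Whether a thread-stack denial is execstack or execmem is what this patch changes. */
static int try_exec_page(const void *p)
{
	long pg = sysconf(_SC_PAGESIZE);
	void *base = (void *)((uintptr_t)p & ~(uintptr_t)(pg - 1));

	if (mprotect(base, (size_t)pg, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
		return -errno;
	mprotect(base, (size_t)pg, PROT_READ | PROT_WRITE);
	return 0;
}

static void *worker(void *arg)
{
	struct worker_result *r = arg;
	volatile char here = 0; /* a local, so its page is on this thread's stack */

	r->own_stack_rc = try_exec_page((const void *)&here); /* execstack after this patch */
	r->stack_page = (void *)&here;
	return NULL;
}

/* Runs worker() on an explicitly mmap()-allocated anonymous stack (the "thread
 * stacks allocated via mmap" of the commit message; !vma->vm_file from the
 * kernel's side), then probes the same stack from this thread.
 * Returns 0 on success, a negative errno value on failure. */
static int run_worker(struct worker_result *r)
{
	pthread_attr_t attr;
	pthread_t tid;
	void *stack;
	int rc;

	memset(r, 0, sizeof(*r));
	stack = mmap(NULL, WORKER_STACK_SIZE, PROT_READ | PROT_WRITE,
		     MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
	if (stack == MAP_FAILED)
		return -errno;
	pthread_attr_init(&attr);
	rc = pthread_attr_setstack(&attr, stack, WORKER_STACK_SIZE);
	if (rc == 0)
		rc = pthread_create(&tid, &attr, worker, r);
	pthread_attr_destroy(&attr);
	if (rc != 0) {
		munmap(stack, WORKER_STACK_SIZE);
		return -rc;
	}
	pthread_join(tid, NULL);
	/* Same VMA, but the caller is now a different thread, so the new
	 * vma_is_stack_for_task(vma, current) test does not match it; per the
	 * commit message this case is still only subject to the execmem check. */
	r->cross_thread_rc = try_exec_page(r->stack_page);
	munmap(stack, WORKER_STACK_SIZE);
	return 0;
}

int main(void)
{
	struct worker_result r;
	volatile char here = 0;
	int rc = try_exec_page((const void *)&here); /* main stack: execstack, unchanged */

	printf("main thread, own stack:  %s\n", rc ? strerror(-rc) : "allowed");
	if (run_worker(&r) != 0)
		return 1;
	printf("worker, own mmap stack:  %s\n",
	       r.own_stack_rc ? strerror(-r.own_stack_rc) : "allowed");
	printf("main, worker's stack:    %s\n",
	       r.cross_thread_rc ? strerror(-r.cross_thread_rc) : "allowed");
	return 0;
}
```

Run it in a domain that is denied execstack but allowed execmem and the three lines tell the story of this patch: the main-stack probe is denied in both kernels; the worker's own-stack probe is allowed by a kernel without the patch (it only saw execmem) and denied by one with it; the cross-thread probe stays allowed either way, which is the limitation the commit message calls out. On a permissive or non-SELinux system all three print "allowed", and the only evidence left is the AVC record naming execstack or execmem.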

Comments

Paul Moore April 26, 2016, 7:51 p.m. UTC | #1
On Friday, April 08, 2016 01:55:03 PM Stephen Smalley wrote:
> The execstack check was only being applied on the main
> process stack.  Thread stacks allocated via mmap were
> only subject to the execmem permission check.  Augment
> the check to apply to the current thread stack as well.
> Note that this does NOT prevent making a different thread's
> stack executable.
> 
> Suggested-by: Nick Kralevich <nnk@google.com>
> Acked-by: Nick Kralevich <nnk@google.com>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>  security/selinux/hooks.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)

Applied, thanks.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index fce7dc8..d495dac 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3465,8 +3465,9 @@ static int selinux_file_mprotect(struct vm_area_struct
> *vma, vma->vm_end <= vma->vm_mm->brk) {
>  			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
>  		} else if (!vma->vm_file &&
> -			   vma->vm_start <= vma->vm_mm->start_stack &&
> -			   vma->vm_end >= vma->vm_mm->start_stack) {
> +			   ((vma->vm_start <= vma->vm_mm->start_stack &&
> +			     vma->vm_end >= vma->vm_mm->start_stack) ||
> +			    vma_is_stack_for_task(vma, current))) {
>  			rc = current_has_perm(current, PROCESS__EXECSTACK);
>  		} else if (vma->vm_file && vma->anon_vma) {
>  			/*
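Review bot: the limitation the commit message states (only the calling thread's own stack is now covered; making a different thread's stack executable is not prevented and presumably still lands on the execmem check, as before) is invisible at the call site, where `vma_is_stack_for_task(vma, current)` reads like a general "is this VMA a stack" test. A one-line comment above the condition, along the lines of `/* main stack, or the calling thread's own stack */`, would keep the next reader from assuming the execstack check now covers every thread stack. The existing `start_stack` range test should stay alongside the new one, since it is what catches a non-main thread changing the main stack.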

Patch

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index fce7dc8..d495dac 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3465,8 +3465,9 @@  static int selinux_file_mprotect(struct vm_area_struct *vma,
 		    vma->vm_end <= vma->vm_mm->brk) {
 			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
 		} else if (!vma->vm_file &&
-			   vma->vm_start <= vma->vm_mm->start_stack &&
-			   vma->vm_end >= vma->vm_mm->start_stack) {
+			   ((vma->vm_start <= vma->vm_mm->start_stack &&
+			     vma->vm_end >= vma->vm_mm->start_stack) ||
+			    vma_is_stack_for_task(vma, current))) {
 			rc = current_has_perm(current, PROCESS__EXECSTACK);
 		} else if (vma->vm_file && vma->anon_vma) {
 			/*
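Review bot: the execstack branch keeps calling `current_has_perm(current, PROCESS__EXECSTACK)` while the execheap branch just above uses `cred_has_perm(cred, cred, PROCESS__EXECHEAP)`, and the new condition adds a second reference to `current` via `vma_is_stack_for_task(vma, current)`. If `cred` is the calling task's credentials, as the self-check `cred_has_perm(cred, cred, ...)` in the execheap branch suggests, `rc = cred_has_perm(cred, cred, PROCESS__EXECSTACK);` would make the two branches symmetric. Not a correctness issue with this patch; fine as a follow-up.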