From patchwork Thu Jul 28 14:43:37 2016
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 9251257
From: Stephen Smalley
To: selinux@tycho.nsa.gov
Cc: Stephen Smalley
Subject: [PATCH] selinux-testsuite: Add test for execstack on thread stacks.
Date: Thu, 28 Jul 2016 10:43:37 -0400
Message-Id: <1469717017-19818-1-git-send-email-sds@tycho.nsa.gov>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Test execstack permission checking for thread stacks. The test is conditional on Linux >= 4.7.

Signed-off-by: Stephen Smalley
---
Revised to make it conditional on the kernel version in which the corresponding change was merged, so it passes on old and new kernels.

 tests/mmap/Makefile | 2 ++
 tests/mmap/mprotect_stack_thread.c | 58 ++++++++++++++++++++++++++++++++++++++
 tests/mmap/test | 8 +++++-
 3 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 tests/mmap/mprotect_stack_thread.c

diff --git a/tests/mmap/Makefile b/tests/mmap/Makefile index f2f486c..e330f3e 100644 --- a/tests/mmap/Makefile +++ b/tests/mmap/Makefile @@ -1,5 +1,7 @@ TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +LDLIBS += -lpthread + all: $(TARGETS) clean: 
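Review bot: `LDLIBS += -lpthread` in the Makefile hunk applies to every program built by the `$(TARGETS)` pattern rule, not only to mprotect_stack_thread. That is harmless (unused libraries are ignored at link time), but if you want to keep the dependency scoped to the one test that needs it, a target-specific variable does that: `mprotect_stack_thread: LDLIBS += -lpthread`.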
diff --git a/tests/mmap/mprotect_stack_thread.c b/tests/mmap/mprotect_stack_thread.c new file mode 100644 index 0000000..fed9969 --- /dev/null +++ b/tests/mmap/mprotect_stack_thread.c @@ -0,0 +1,58 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static void *test_thread(void *p) +{ + char buf[4096]; + int rc; + void *ptr; + long pagesize = sysconf(_SC_PAGESIZE); + + ptr = (void *) (((unsigned long) buf) & ~(pagesize - 1)); + + rc = mprotect(ptr, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC); + if (rc < 0) { + perror("mprotect"); + exit(1); + } + return NULL; +} + +int main(int argc, char **argv) +{ + struct utsname uts; + pthread_t thread; + + if (argc != 2) { + fprintf(stderr, "usage: %s [pass|fail]\n", argv[0]); + exit(1); + } + + if (strcmp(argv[1], "pass") && strcmp(argv[1], "fail")) { + fprintf(stderr, "usage: %s [pass|fail]\n", argv[0]); + exit(1); + } + + if (uname(&uts) < 0) { + perror("uname"); + exit(1); + } + + if (!strcmp(argv[1], "fail") && strverscmp(uts.release, "4.7") < 0) { + printf("%s: Kernels < 4.7 do not check execstack on thread stacks, skipping.\n", argv[0]); + /* pass the test by failing as if it was denied */ + exit(1); + } + + pthread_create(&thread, NULL, test_thread, NULL); + pthread_join(thread, NULL); + exit(0); +} + diff --git a/tests/mmap/test b/tests/mmap/test index 6b1de55..e1c2942 100755 --- a/tests/mmap/test +++ b/tests/mmap/test @@ -1,7 +1,7 @@ #!/usr/bin/perl use Test; -BEGIN { plan tests => 30} +BEGIN { plan tests => 32} $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; 
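Review bot: pthread_create()'s return value is discarded in main() of mprotect_stack_thread.c, so if thread creation fails (it returns an errno value rather than -1) the program goes on to pthread_join() an uninitialized pthread_t and then exit(0), and the "pass" invocation would report success without mprotect() ever having run in a thread. Suggest: `rc = pthread_create(&thread, NULL, test_thread, NULL);` / `if (rc) { fprintf(stderr, "pthread_create: %s\n", strerror(rc)); exit(1); }`. Two smaller points in the same file: the pass/fail argument is only used to decide whether to skip on kernels before 4.7 (the actual allow or deny comes from the domain runcon places the process in), which is worth a comment next to the usage string; and the skip path's `exit(1)` is intentional so the caller's expected-denial check still sees a non-zero status, but the comment "pass the test by failing as if it was denied" would read more clearly as "exit non-zero so the caller's expected-denial check still passes".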
@@ -68,6 +68,12 @@ ok($result, 0); $result = system "runcon -t test_execmem_t $basedir/mprotect_stack 2>&1"; ok($result); +# Test success and failure for thread execstack, independent of execmem. +$result = system "runcon -t test_execstack_t $basedir/mprotect_stack_thread pass"; +ok($result, 0); +$result = system "runcon -t test_execmem_t $basedir/mprotect_stack_thread fail 2>&1"; +ok($result); + # Test success and failure for file execute on mmap w/ file shared mapping. $result = system "runcon -t test_file_rwx_t $basedir/mmap_file_shared $basedir/temp_file"; ok($result, 0);
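Review bot: the "fail" case under test_execmem_t gets its expected non-zero exit on kernels older than 4.7 from the version skip inside mprotect_stack_thread, not from an SELinux denial; that is the point of the revision in the cover text, but nothing in this script says so. A one-line comment above the fail case (e.g. `# on kernels < 4.7 the binary exits non-zero itself, see mprotect_stack_thread.c`) would keep that visible to anyone editing only tests/mmap/test. The plan count change from 30 to 32 matches the two ok() calls added here.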