We've carried this diff in Fedora for a few years now..
--- linux-2.6.26.noarch/security/selinux/hooks.c~ 2008-09-25 14:11:17.000000000 -0400
+++ linux-2.6.26.noarch/security/selinux/hooks.c 2008-09-25 14:12:17.000000000 -0400
@@ -3018,7 +3018,6 @@ static int file_map_prot_check(struct fi
 const struct cred *cred = current_cred();
 int rc = 0;

-#ifndef CONFIG_PPC32
 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
 /*
 * We are making executable an anonymous mapping or a
@@ -3029,7 +3028,6 @@ static int file_map_prot_check(struct fi
 if (rc)
 goto error;
 }
-#endif

 if (file) {
 /* read access is always possible with a mapping */
@@ -3024,7 +3022,6 @@ static int selinux_file_mprotect(struct
 if (selinux_checkreqprot)
 prot = reqprot;

-#ifndef CONFIG_PPC32
 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
 rc = 0;
 if (vma->vm_start >= vma->vm_mm->start_brk &&
@@ -3049,7 +3046,6 @@ static int selinux_file_mprotect(struct
 if (rc)
 return rc;
 }
-#endif

 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
 }
This needs a fixed toolchain, and a userspace rebuild to work. For these reasons, it's had difficulty getting upstream. Fedora has a new enough toolchain, and has been rebuilt, so we don't need the ifdefs. Other distros don't/haven't, and this patch would break them if pushed upstream. Could we do something like the (untested) diff below instead, which might be more palatable to upstream, allowing us to stop carrying it ? Dave
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index bca1b74..83a9675 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -131,3 +131,10 @@ config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 installed under /etc/selinux/$SELINUXTYPE/policy, where SELINUXTYPE is
 defined in your /etc/selinux/config.

+config SELINUX_NEW_ENOUGH_TOOLCHAIN
+ bool "SELinux mprotect checks"
+ default n if PPC32
+ help
+ This option requires a modern toolchain (FIXME: Version?)
+ and a userspace rebuild to work.
+
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9a2ee84..e805df7 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3009,7 +3009,7 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
 const struct cred *cred = current_cred();
 int rc = 0;

-#ifndef CONFIG_PPC32
+#ifdef CONFIG_SELINUX_NEW_ENOUGH_TOOLCHAIN
 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
 /*
 * We are making executable an anonymous mapping or a
@@ -3081,7 +3081,7 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
 if (selinux_checkreqprot)
 prot = reqprot;

-#ifndef CONFIG_PPC32
+#ifdef CONFIG_SELINUX_NEW_ENOUGH_TOOLCHAIN
 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
 int rc = 0;
 if (vma->vm_start >= vma->vm_mm->start_brk &&
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
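Review bot: `default n if PPC32` on the new SELINUX_NEW_ENOUGH_TOOLCHAIN symbol leaves it off on every architecture, because a bool with no other default is already n, so every non-PPC32 configuration that simply takes the defaults silently loses the executable-mapping checks that `#ifndef CONFIG_PPC32` currently enables for it — the reverse of today's behaviour. To preserve the existing default add a second line after it, `default y` (the first default whose condition holds wins, so PPC32 stays n and everything else stays y); `depends on SECURITY_SELINUX` is also missing, unlike the neighbouring SECURITY_SELINUX_* symbols, and the `SECURITY_SELINUX_` prefix would match the rest of this file. The help text should say what the option gates — the checks in file_map_prot_check() and selinux_file_mprotect() that the hooks.c hunks wrap — and that turning it off drops those checks, not only the toolchain requirement, because an administrator deciding to disable a security check needs to be told what is being disabled; the `FIXME: Version?` also has to be filled in before this is mergeable.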
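Review bot: The replacement `#ifdef CONFIG_SELINUX_NEW_ENOUGH_TOOLCHAIN` in file_map_prot_check() carries no comment, so a reader of hooks.c cannot tell that a disabled option removes a permission check rather than some arch workaround; the selinux_file_mprotect() hunk below has the same gap, and one comment at the first site naming the other would do. Above the guard I would add `/* Needs the toolchain and rebuilt userspace described under CONFIG_SELINUX_NEW_ENOUGH_TOOLCHAIN in Kconfig; with the option off, executable mappings are not checked here. */`. Both functions begin before their hunks and continue past them, so the matching `#endif` lines are not visible here; the visible `int rc = 0;` initialiser means an `#else`-less guard leaves rc at 0 when the option is off, which is the same as the current `#ifndef CONFIG_PPC32` path, so that part looks consistent.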