Perform a process { execstack } check unless virtual memory is marked
executable by default.
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
security/selinux/hooks.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a0fde0641f77..daf901916836 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -113,6 +113,8 @@ struct selinux_state selinux_state;
/* SECMARK reference count */
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
+static int default_noexec __ro_after_init;
+
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
static int selinux_enforcing_boot __initdata;
@@ -2221,6 +2223,18 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
return cap_sys_admin;
}
+static int selinux_vm_execstack(void)
+{
+ u32 sid;
+
+ if (!default_noexec)
+ return 0;
+
+ sid = current_sid();
+ return avc_has_perm(sid, sid, SECCLASS_PROCESS,
+ PROCESS__EXECSTACK, NULL);
+}
+
/* binprm security operations */
static u32 ptrace_parent_sid(void)
@@ -3767,8 +3781,6 @@ static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
return selinux_file_ioctl(file, cmd, arg);
}
-static int default_noexec __ro_after_init;
-
static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
{
const struct cred *cred = current_cred();
@@ -7120,6 +7132,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(quota_on, selinux_quota_on),
LSM_HOOK_INIT(syslog, selinux_syslog),
LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
+ LSM_HOOK_INIT(vm_execstack, selinux_vm_execstack),
LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
--
2.43.0
