Re: [PATCH] selinux: apply execstack check on thread stacks

On Friday, April 08, 2016 01:55:03 PM Stephen Smalley wrote:
> The execstack check was only being applied on the main
> process stack.  Thread stacks allocated via mmap were
> only subject to the execmem permission check.  Augment
> the check to apply to the current thread stack as well.
> Note that this does NOT prevent making a different thread's
> stack executable.
> 
> Suggested-by: Nick Kralevich <nnk@xxxxxxxxxx>
> Acked-by: Nick Kralevich <nnk@xxxxxxxxxx>
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> ---
>  security/selinux/hooks.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)

Applied, thanks.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index fce7dc8..d495dac 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3465,8 +3465,9 @@ static int selinux_file_mprotect(struct vm_area_struct
> *vma, vma->vm_end <= vma->vm_mm->brk) {
>  			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
>  		} else if (!vma->vm_file &&
> -			   vma->vm_start <= vma->vm_mm->start_stack &&
> -			   vma->vm_end >= vma->vm_mm->start_stack) {
> +			   ((vma->vm_start <= vma->vm_mm->start_stack &&
> +			     vma->vm_end >= vma->vm_mm->start_stack) ||
> +			    vma_is_stack_for_task(vma, current))) {
>  			rc = current_has_perm(current, PROCESS__EXECSTACK);
>  		} else if (vma->vm_file && vma->anon_vma) {
>  			/*
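Review bot: The added `vma_is_stack_for_task(vma, current)` alternative in the `else if` only widens the EXECSTACK check to the calling thread's own stack; an mprotect() on a VMA that is another thread's stack still has `!vma->vm_file` and no `start_stack` overlap, so it falls through to the later execmem branch, exactly the limitation the commit message calls out. Since hooks.c readers will not see the commit message, add a one-line comment above the condition, e.g. `/* main stack, or the current thread's stack; other threads' stacks fall through to execmem */`, so nobody assumes every thread stack is covered.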

-- 
paul moore
www.paul-moore.com

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
