I believe this patch yields a semantic change in the SELinux execheap
permission check. That said, I think the change is for the better. For
ease of comparison, is_initial_heap() is defined in patch 1 of the
series as:
+/*
+ * Indicate if the VMA is a heap for the given task; for
+ * /proc/PID/maps that is the heap of the main task.
+ */
+static inline bool vma_is_initial_heap(const struct vm_area_struct *vma)
+{
+ return vma->vm_start <= vma->vm_mm->brk &&
+ vma->vm_end >= vma->vm_mm->start_brk;
+}
+
This is a check for whether the mapping has a non-empty intersection
with the heap range.
Whereas the existing test in the SELinux code only appears to check
whether the mapping is _within_ the heap range.
---------- Forwarded message ---------
From: Kefeng Wang <wangkefeng.wang@xxxxxxxxxx>
Date: Fri, Jul 28, 2023 at 12:48 AM
Subject: [PATCH v3 3/4] selinux: use vma_is_initial_stack() and
vma_is_initial_heap()
To: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: <amd-gfx@xxxxxxxxxxxxxxxxxxxxx>,
<dri-devel@xxxxxxxxxxxxxxxxxxxxx>, <linux-kernel@xxxxxxxxxxxxxxx>,
<linux-fsdevel@xxxxxxxxxxxxxxx>, <linux-mm@xxxxxxxxx>,
<linux-perf-users@xxxxxxxxxxxxxxx>, <selinux@xxxxxxxxxxxxxxx>,
Christian Göttsche <cgzones@xxxxxxxxxxxxxx>, David Hildenbrand
<david@xxxxxxxxxx>, Felix Kuehling <Felix.Kuehling@xxxxxxx>, Alex
Deucher <alexander.deucher@xxxxxxx>, <christian.koenig@xxxxxxx>,
<Xinhui.Pan@xxxxxxx>, <airlied@xxxxxxxxx>, <daniel@xxxxxxxx>,
<paul@xxxxxxxxxxxxxx>, <stephen.smalley.work@xxxxxxxxx>,
<eparis@xxxxxxxxxxxxxx>, <peterz@xxxxxxxxxxxxx>, <acme@xxxxxxxxxx>,
Kefeng Wang <wangkefeng.wang@xxxxxxxxxx>
Use the helpers to simplify code.
Cc: Paul Moore <paul@xxxxxxxxxxxxxx>
Cc: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
Cc: Eric Paris <eparis@xxxxxxxxxxxxxx>
Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Reviewed-by: David Hildenbrand <david@xxxxxxxxxx>
Signed-off-by: Kefeng Wang <wangkefeng.wang@xxxxxxxxxx>
---
security/selinux/hooks.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c87b79a29fad..ac582c046c51 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3800,13 +3800,10 @@ static int selinux_file_mprotect(struct
vm_area_struct *vma,
if (default_noexec &&
(prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
int rc = 0;
- if (vma->vm_start >= vma->vm_mm->start_brk &&
- vma->vm_end <= vma->vm_mm->brk) {
+ if (vma_is_initial_heap(vma)) {
rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
PROCESS__EXECHEAP, NULL);
- } else if (!vma->vm_file &&
- ((vma->vm_start <= vma->vm_mm->start_stack &&
- vma->vm_end >= vma->vm_mm->start_stack) ||
+ } else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
vma_is_stack_for_current(vma))) {
rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
PROCESS__EXECSTACK, NULL);
--
2.41.0
