I believe this patch yields a semantic change in the SELinux execheap permission check. That said, I think the change is for the better.

For ease of comparison, is_initial_heap() is defined in patch 1 of the series as:

+/* + * Indicate if the VMA is a heap for the given task; for + * /proc/PID/maps that is the heap of the main task. + */ +static inline bool vma_is_initial_heap(const struct vm_area_struct *vma) +{ + return vma->vm_start <= vma->vm_mm->brk && + vma->vm_end >= vma->vm_mm->start_brk; +} +

This is a check for whether the mapping has a non-empty intersection with the heap range. Whereas the existing test in the SELinux code only appears to check whether the mapping is _within_ the heap range.

---------- Forwarded message ---------
From: Kefeng Wang <wangkefeng.wang@xxxxxxxxxx>
Date: Fri, Jul 28, 2023 at 12:48 AM
Subject: [PATCH v3 3/4] selinux: use vma_is_initial_stack() and vma_is_initial_heap()
To: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: <amd-gfx@xxxxxxxxxxxxxxxxxxxxx>, <dri-devel@xxxxxxxxxxxxxxxxxxxxx>, <linux-kernel@xxxxxxxxxxxxxxx>, <linux-fsdevel@xxxxxxxxxxxxxxx>, <linux-mm@xxxxxxxxx>, <linux-perf-users@xxxxxxxxxxxxxxx>, <selinux@xxxxxxxxxxxxxxx>, Christian Göttsche <cgzones@xxxxxxxxxxxxxx>, David Hildenbrand <david@xxxxxxxxxx>, Felix Kuehling <Felix.Kuehling@xxxxxxx>, Alex Deucher <alexander.deucher@xxxxxxx>, <christian.koenig@xxxxxxx>, <Xinhui.Pan@xxxxxxx>, <airlied@xxxxxxxxx>, <daniel@xxxxxxxx>, <paul@xxxxxxxxxxxxxx>, <stephen.smalley.work@xxxxxxxxx>, <eparis@xxxxxxxxxxxxxx>, <peterz@xxxxxxxxxxxxx>, <acme@xxxxxxxxxx>, Kefeng Wang <wangkefeng.wang@xxxxxxxxxx>

Use the helpers to simplify code.

Cc: Paul Moore <paul@xxxxxxxxxxxxxx>
Cc: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
Cc: Eric Paris <eparis@xxxxxxxxxxxxxx>
Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Reviewed-by: David Hildenbrand <david@xxxxxxxxxx>
Signed-off-by: Kefeng Wang <wangkefeng.wang@xxxxxxxxxx> --- security/selinux/hooks.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c87b79a29fad..ac582c046c51 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3800,13 +3800,10 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, if (default_noexec && (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { int rc = 0; - if (vma->vm_start >= vma->vm_mm->start_brk && - vma->vm_end <= vma->vm_mm->brk) { + if (vma_is_initial_heap(vma)) { rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__EXECHEAP, NULL); - } else if (!vma->vm_file && - ((vma->vm_start <= vma->vm_mm->start_stack && - vma->vm_end >= vma->vm_mm->start_stack) || + } else if (!vma->vm_file && (vma_is_initial_stack(vma) || vma_is_stack_for_current(vma))) { rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__EXECSTACK, NULL); -- 2.41.0
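
Review bot: The heap branch in selinux_file_mprotect() no longer tests the same condition, and the commit message ("Use the helpers to simplify code.") does not say so. The removed test, vma->vm_start >= vma->vm_mm->start_brk && vma->vm_end <= vma->vm_mm->brk, matches only a VMA contained in the range from start_brk to brk, while vma_is_initial_heap() as quoted from patch 1 matches any VMA that overlaps that range, and because both of its comparisons are inclusive it also matches a VMA that only touches the range (vm_end == start_brk or vm_start == brk). PROCESS__EXECHEAP is therefore checked for more mappings than before, and since the heap branch comes first in the if/else chain, an anonymous mapping that overlaps the heap range and also satisfies the stack test is now checked for EXECHEAP where the old code fell through to EXECSTACK. Please describe this behaviour change in the commit message, and consider whether the helper's bounds should be strict so that a merely adjacent mapping is not treated as heap.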