Commit c2316dbf authored by Stephen Smalley, committed by Paul Moore

selinux: apply execstack check on thread stacks

The execstack check was only being applied on the main
process stack.  Thread stacks allocated via mmap were
only subject to the execmem permission check.  Augment
the check to apply to the current thread stack as well.
Note that this does NOT prevent making a different thread's
stack executable.
Suggested-by: Nick Kralevich <nnk@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
parent 8e4ff6f2
...@@ -3479,8 +3479,9 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, ...@@ -3479,8 +3479,9 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
vma->vm_end <= vma->vm_mm->brk) { vma->vm_end <= vma->vm_mm->brk) {
rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
} else if (!vma->vm_file && } else if (!vma->vm_file &&
vma->vm_start <= vma->vm_mm->start_stack && ((vma->vm_start <= vma->vm_mm->start_stack &&
vma->vm_end >= vma->vm_mm->start_stack) { vma->vm_end >= vma->vm_mm->start_stack) ||
vma_is_stack_for_task(vma, current))) {
rc = current_has_perm(current, PROCESS__EXECSTACK); rc = current_has_perm(current, PROCESS__EXECSTACK);
} else if (vma->vm_file && vma->anon_vma) { } else if (vma->vm_file && vma->anon_vma) {
/* /*
......
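Review bot: the new `vma_is_stack_for_task(vma, current)` clause on the anonymous-mapping branch classifies a VMA as a stack only when it contains the calling thread's current user stack pointer, so it covers exactly the thread that issues the mprotect() and nothing else: a thread changing the protection of another thread's stack, or of its own stack while it is running on an alternate signal stack, will still fall through to the later branches (the `vma->vm_file && vma->anon_vma` case and the final default) rather than being subjected to PROCESS__EXECSTACK. The commit message acknowledges the first case; please add a short comment above the branch stating that the thread-stack match is by current stack pointer, so the limitation is visible in the code and not only in the history, and consider whether the remaining cases are acceptable or whether the stack check should instead walk the thread group. Minor: the `((` grouping is correct and needed so the new clause is only reached for `!vma->vm_file` mappings; keeping the `||` at the end of the line, as done here, matches the surrounding style.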