authorStephen Smalley <sds@tycho.nsa.gov>2016-04-08 13:55:03 -0400
committerPaul Moore <paul@paul-moore.com>2016-04-26 15:47:57 -0400
commitc2316dbf124257ae19fd2e29cb5ec51060649d38 (patch)
treea17220dace4ef3946ee7185a344fa9e735472a56
parent8e4ff6f228e4722cac74db716e308d1da33d744f (diff)
selinux: apply execstack check on thread stacks
The execstack check was only being applied on the main process stack. Thread stacks allocated via mmap were only subject to the execmem permission check. Augment the check to apply to the current thread stack as well. Note that this does NOT prevent making a different thread's stack executable. Suggested-by: Nick Kralevich <nnk@google.com> Acked-by: Nick Kralevich <nnk@google.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r--security/selinux/hooks.c5
1 files changed, 3 insertions, 2 deletions
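--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3479,8 +3479,9 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
 vma->vm_end <= vma->vm_mm->brk) {
 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
 } else if (!vma->vm_file &&
- vma->vm_start <= vma->vm_mm->start_stack &&
- vma->vm_end >= vma->vm_mm->start_stack) {
+ ((vma->vm_start <= vma->vm_mm->start_stack &&
+ vma->vm_end >= vma->vm_mm->start_stack) ||
+ vma_is_stack_for_task(vma, current))) {
 rc = current_has_perm(current, PROCESS__EXECSTACK);
 } else if (vma->vm_file && vma->anon_vma) {
 /*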
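Review bot: The widened condition in the `} else if (!vma->vm_file &&` branch ORs two different stack tests with no comment saying what each covers, and a reader of hooks.c alone cannot tell that the second clause reaches only the stack the calling thread is currently on, which the commit message spells out but the code does not. Add above the branch `/* Main process stack, or the stack the calling thread is running on; another thread's stack is not caught here and falls through to the execmem check. */`. Presumably vma_is_stack_for_task() is keyed to the caller's stack pointer at the time of the mprotect() call, so a mapping a thread has not yet switched to as its stack is still only subject to PROCESS__EXECMEM; if that matches the helper, the comment should say so to keep the policy boundary visible. selinux_file_mprotect() begins and ends outside the hunk.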