Skip to content

Commit

Permalink
selinux: apply execstack check on thread stacks
Browse files Browse the repository at this point in the history 
The execstack check was only being applied on the main
process stack.  Thread stacks allocated via mmap were
only subject to the execmem permission check.  Augment
the check to apply to the current thread stack as well.
Note that this does NOT prevent making a different thread's
stack executable.

Suggested-by: Nick Kralevich <[email protected]>
Acked-by: Nick Kralevich <[email protected]>
Signed-off-by: Stephen Smalley <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
  • Loading branch information
@stephensmalley @pcmoore
stephensmalley authored and pcmoore committed Apr 26, 2016
1 parent 8e4ff6f commit c2316db
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions security/selinux/hooks.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3479,8 +3479,9 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
vma->vm_end <= vma->vm_mm->brk) {
rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
} else if (!vma->vm_file &&
vma->vm_start <= vma->vm_mm->start_stack &&
vma->vm_end >= vma->vm_mm->start_stack) {
((vma->vm_start <= vma->vm_mm->start_stack &&
vma->vm_end >= vma->vm_mm->start_stack) ||
vma_is_stack_for_task(vma, current))) {
rc = current_has_perm(current, PROCESS__EXECSTACK);
} else if (vma->vm_file && vma->anon_vma) {
/*
Expand Down

0 comments on commit c2316db

Please sign in to comment.