Skip to content

Commit

Permalink
selinux: make default_noexec read-only after init
Browse files Browse the repository at this point in the history 
SELinux checks whether VM_EXEC is set in the VM_DATA_DEFAULT_FLAGS
during initialization and saves the result in default_noexec for use
in its mmap and mprotect hook function implementations to decide
whether to apply EXECMEM, EXECHEAP, EXECSTACK, and EXECMOD checks.
Mark default_noexec as ro_after_init to prevent later clearing it
and thereby disabling these checks.  It is only set legitimately from
init code.

Signed-off-by: Stephen Smalley <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
  • Loading branch information
@stephensmalley @pcmoore
stephensmalley authored and pcmoore committed Jan 10, 2020
1 parent fe49c7e commit b78b7d5
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion security/selinux/hooks.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3647,7 +3647,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
return error;
}

static int default_noexec;
static int default_noexec __ro_after_init;

static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
{
Expand Down

0 comments on commit b78b7d5

Please sign in to comment.