kernel/linux-2.6-selinux-mprotect-checks.patch

This needs a fixed toolchain, and a userspace rebuild to work.
For these reasons, it's had difficulty getting upstream.

ie, Fedora has a new enough toolchain, and has been rebuilt, so we don't need
the ifdefs.  Other distros don't/haven't, and this patch would break them
if pushed upstream.


Subject: [Fwd: Re: [PATCH] Disable execmem for sparc]
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Dave Jones <davej@redhat.com>
Date: Wed, 28 Apr 2010 16:04:56 -0400
Message-Id: <1272485096.6013.326.camel@moss-pluto.epoch.ncsc.mil>

-------- Forwarded Message --------
From: Stephen Smalley <sds@tycho.nsa.gov>
To: David Miller <davem@davemloft.net>
Cc: tcallawa@redhat.com, dennis@ausil.us, sparclinux@vger.kernel.org, dgilmore@redhat.com, jmorris@namei.org, eparis@parisplace.org
Subject: Re: [PATCH] Disable execmem for sparc
Date: Wed, 28 Apr 2010 15:57:57 -0400

On Tue, 2010-04-27 at 11:47 -0700, David Miller wrote:
> From: "Tom \"spot\" Callaway" <tcallawa@redhat.com>
> Date: Tue, 27 Apr 2010 14:20:21 -0400
> 
> > [root@apollo ~]$ cat /proc/2174/maps
> > 00010000-00014000 r-xp 00000000 fd:00 15466577
> >  /sbin/mingetty
> > 00022000-00024000 rwxp 00002000 fd:00 15466577
> >  /sbin/mingetty
> > 00024000-00046000 rwxp 00000000 00:00 0
> >  [heap]
> 
> SELINUX probably barfs on the executable heap, the PLT is in the HEAP
> just like powerpc32 and that's why VM_DATA_DEFAULT_FLAGS has to set
> both executable and writable.
> 
> You also can't remove the CONFIG_PPC32 ifdefs in selinux, since
> because of the VM_DATA_DEFAULT_FLAGS setting used still in that arch,
> the heap will always have executable permission, just like sparc does.
> You have to support those binaries forever, whether you like it or not.
> 
> Let's just replace the CONFIG_PPC32 ifdef in SELINUX with CONFIG_PPC32
> || CONFIG_SPARC as in Tom's original patch and let's be done with
> this.
> 
> In fact I would go through all the arch/ header files and check the
> VM_DATA_DEFAULT_FLAGS settings and add the necessary new ifdefs to the
> SELINUX code so that other platforms don't have the pain of having to
> go through this process too.

To avoid maintaining per-arch ifdefs, it seems that we could just
directly use (VM_DATA_DEFAULT_FLAGS & VM_EXEC) as the basis for deciding
whether to enable or disable these checks.   VM_DATA_DEFAULT_FLAGS isn't
constant on some architectures but instead depends on
current->personality, but we want this applied uniformly.  So we'll just
use the initial task state to determine whether or not to enable these
checks.

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ebee467..a03fd74 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2999,13 +2999,15 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
 	return file_has_perm(cred, file, av);
 }
 
+static int default_noexec;
+
 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
 {
 	const struct cred *cred = current_cred();
 	int rc = 0;
 
-#ifndef CONFIG_PPC32
-	if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
+	if (default_noexec &&
+	    (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
 		/*
 		 * We are making executable an anonymous mapping or a
 		 * private file mapping that will also be writable.
@@ -3015,7 +3017,6 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
 		if (rc)
 			goto error;
 	}
-#endif
 
 	if (file) {
 		/* read access is always possible with a mapping */
@@ -3076,8 +3077,8 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
 	if (selinux_checkreqprot)
 		prot = reqprot;
 
-#ifndef CONFIG_PPC32
-	if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
+	if (default_noexec &&
+	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
 		int rc = 0;
 		if (vma->vm_start >= vma->vm_mm->start_brk &&
 		    vma->vm_end <= vma->vm_mm->brk) {
@@ -3099,7 +3100,6 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
 		if (rc)
 			return rc;
 	}
-#endif
 
 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
 }
@@ -5662,6 +5662,8 @@ static __init int selinux_init(void)
 	/* Set the security state for the initial task. */
 	cred_init_security();
 
+	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
+
 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
 					    sizeof(struct inode_security_struct),
 					    0, SLAB_PANIC, NULL);

-- 
Stephen Smalley
National Security Agency
initial srpm import 2010-07-29 23:46:31 +00:00			`This needs a fixed toolchain, and a userspace rebuild to work.`
			`For these reasons, it's had difficulty getting upstream.`

			`ie, Fedora has a new enough toolchain, and has been rebuilt, so we don't need`
			`the ifdefs. Other distros don't/haven't, and this patch would break them`
			`if pushed upstream.`


			`Subject: [Fwd: Re: [PATCH] Disable execmem for sparc]`
			`From: Stephen Smalley <sds@tycho.nsa.gov>`
			`To: Dave Jones <davej@redhat.com>`
			`Date: Wed, 28 Apr 2010 16:04:56 -0400`
			`Message-Id: <1272485096.6013.326.camel@moss-pluto.epoch.ncsc.mil>`

			`-------- Forwarded Message --------`
			`From: Stephen Smalley <sds@tycho.nsa.gov>`
			`To: David Miller <davem@davemloft.net>`
			`Cc: tcallawa@redhat.com, dennis@ausil.us, sparclinux@vger.kernel.org, dgilmore@redhat.com, jmorris@namei.org, eparis@parisplace.org`
			`Subject: Re: [PATCH] Disable execmem for sparc`
			`Date: Wed, 28 Apr 2010 15:57:57 -0400`

			`On Tue, 2010-04-27 at 11:47 -0700, David Miller wrote:`
			`> From: "Tom \"spot\" Callaway" <tcallawa@redhat.com>`
			`> Date: Tue, 27 Apr 2010 14:20:21 -0400`
			`>`
			`> > [root@apollo ~]$ cat /proc/2174/maps`
			`> > 00010000-00014000 r-xp 00000000 fd:00 15466577`
			`> > /sbin/mingetty`
			`> > 00022000-00024000 rwxp 00002000 fd:00 15466577`
			`> > /sbin/mingetty`
			`> > 00024000-00046000 rwxp 00000000 00:00 0`
			`> > [heap]`
			`>`
			`> SELINUX probably barfs on the executable heap, the PLT is in the HEAP`
			`> just like powerpc32 and that's why VM_DATA_DEFAULT_FLAGS has to set`
			`> both executable and writable.`
			`>`
			`> You also can't remove the CONFIG_PPC32 ifdefs in selinux, since`
			`> because of the VM_DATA_DEFAULT_FLAGS setting used still in that arch,`
			`> the heap will always have executable permission, just like sparc does.`
			`> You have to support those binaries forever, whether you like it or not.`
			`>`
			`> Let's just replace the CONFIG_PPC32 ifdef in SELINUX with CONFIG_PPC32`
			`> \|\| CONFIG_SPARC as in Tom's original patch and let's be done with`
			`> this.`
			`>`
			`> In fact I would go through all the arch/ header files and check the`
			`> VM_DATA_DEFAULT_FLAGS settings and add the necessary new ifdefs to the`
			`> SELINUX code so that other platforms don't have the pain of having to`
			`> go through this process too.`

			`To avoid maintaining per-arch ifdefs, it seems that we could just`
			`directly use (VM_DATA_DEFAULT_FLAGS & VM_EXEC) as the basis for deciding`
			`whether to enable or disable these checks. VM_DATA_DEFAULT_FLAGS isn't`
			`constant on some architectures but instead depends on`
			`current->personality, but we want this applied uniformly. So we'll just`
			`use the initial task state to determine whether or not to enable these`
			`checks.`

			`Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>`

			`diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c`
			`index ebee467..a03fd74 100644`
			`--- a/security/selinux/hooks.c`
			`+++ b/security/selinux/hooks.c`
			`@@ -2999,13 +2999,15 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,`
			`return file_has_perm(cred, file, av);`
			`}`

			`+static int default_noexec;`
			`+`
			`static int file_map_prot_check(struct file *file, unsigned long prot, int shared)`
			`{`
			`const struct cred *cred = current_cred();`
			`int rc = 0;`

			`-#ifndef CONFIG_PPC32`
			`- if ((prot & PROT_EXEC) && (!file \|\| (!shared && (prot & PROT_WRITE)))) {`
			`+ if (default_noexec &&`
			`+ (prot & PROT_EXEC) && (!file \|\| (!shared && (prot & PROT_WRITE)))) {`
			`/*`
			`* We are making executable an anonymous mapping or a`
			`* private file mapping that will also be writable.`
			`@@ -3015,7 +3017,6 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared`
			`if (rc)`
			`goto error;`
			`}`
			`-#endif`

			`if (file) {`
			`/* read access is always possible with a mapping */`
			`@@ -3076,8 +3077,8 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,`
			`if (selinux_checkreqprot)`
			`prot = reqprot;`

			`-#ifndef CONFIG_PPC32`
			`- if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {`
			`+ if (default_noexec &&`
			`+ (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {`
			`int rc = 0;`
			`if (vma->vm_start >= vma->vm_mm->start_brk &&`
			`vma->vm_end <= vma->vm_mm->brk) {`
			`@@ -3099,7 +3100,6 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,`
			`if (rc)`
			`return rc;`
			`}`
			`-#endif`

			`return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);`
			`}`
			`@@ -5662,6 +5662,8 @@ static __init int selinux_init(void)`
			`/* Set the security state for the initial task. */`
			`cred_init_security();`

			`+ default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);`
			`+`
			`sel_inode_cache = kmem_cache_create("selinux_inode_security",`
			`sizeof(struct inode_security_struct),`
			`0, SLAB_PANIC, NULL);`

			`--`
			`Stephen Smalley`
			`National Security Agency`