Jesse Keating 7a3296
This needs a fixed toolchain, and a userspace rebuild to work.
For these reasons, it's had difficulty getting upstream.

i.e., Fedora has a new enough toolchain, and has been rebuilt, so we don't need
the ifdefs.  Other distros don't/haven't, and this patch would break them
if pushed upstream.

Subject: [Fwd: Re: [PATCH] Disable execmem for sparc]
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Dave Jones <davej@redhat.com>
Date: Wed, 28 Apr 2010 16:04:56 -0400
Message-Id: <1272485096.6013.326.camel@moss-pluto.epoch.ncsc.mil>

-------- Forwarded Message --------
From: Stephen Smalley <sds@tycho.nsa.gov>
To: David Miller <davem@davemloft.net>
Cc: tcallawa@redhat.com, dennis@ausil.us, sparclinux@vger.kernel.org, dgilmore@redhat.com, jmorris@namei.org, eparis@parisplace.org
Subject: Re: [PATCH] Disable execmem for sparc
Date: Wed, 28 Apr 2010 15:57:57 -0400

On Tue, 2010-04-27 at 11:47 -0700, David Miller wrote:
> From: "Tom \"spot\" Callaway" <tcallawa@redhat.com>
> Date: Tue, 27 Apr 2010 14:20:21 -0400
> 
> > [root@apollo ~]$ cat /proc/2174/maps
> > 00010000-00014000 r-xp 00000000 fd:00 15466577
> >  /sbin/mingetty
> > 00022000-00024000 rwxp 00002000 fd:00 15466577
> >  /sbin/mingetty
> > 00024000-00046000 rwxp 00000000 00:00 0
> >  [heap]
> 
> SELINUX probably barfs on the executable heap, the PLT is in the HEAP
> just like powerpc32 and that's why VM_DATA_DEFAULT_FLAGS has to set
> both executable and writable.
> 
> You also can't remove the CONFIG_PPC32 ifdefs in selinux, since
> because of the VM_DATA_DEFAULT_FLAGS setting used still in that arch,
> the heap will always have executable permission, just like sparc does.
> You have to support those binaries forever, whether you like it or not.
> 
> Let's just replace the CONFIG_PPC32 ifdef in SELINUX with CONFIG_PPC32
> || CONFIG_SPARC as in Tom's original patch and let's be done with
> this.
> 
> In fact I would go through all the arch/ header files and check the
> VM_DATA_DEFAULT_FLAGS settings and add the necessary new ifdefs to the
> SELINUX code so that other platforms don't have the pain of having to
> go through this process too.

To avoid maintaining per-arch ifdefs, it seems that we could just
directly use (VM_DATA_DEFAULT_FLAGS & VM_EXEC) as the basis for deciding
whether to enable or disable these checks.   VM_DATA_DEFAULT_FLAGS isn't
constant on some architectures but instead depends on
current->personality, but we want this applied uniformly.  So we'll just
use the initial task state to determine whether or not to enable these
checks.

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ebee467..a03fd74 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2999,13 +2999,15 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
 	return file_has_perm(cred, file, av);
 }
 
+static int default_noexec;
+
 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
 {
 	const struct cred *cred = current_cred();
 	int rc = 0;
 
-#ifndef CONFIG_PPC32
-	if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
+	if (default_noexec &&
+	    (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
 		/*
 		 * We are making executable an anonymous mapping or a
 		 * private file mapping that will also be writable.
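Review bot: `default_noexec` is introduced here as a bare `static int` with no comment, and the only place it is assigned is far away in `selinux_init()` (from `VM_DATA_DEFAULT_FLAGS & VM_EXEC`), so a reader of `file_map_prot_check` has to hunt for what it means. A one-line comment above the declaration, e.g. `/* Non-zero if data mappings are non-executable by default on this arch; sampled once at init from the initial task, personality deliberately ignored (see selinux_init). */`, would carry the rationale from the commit message into the code. It is also worth noting in that comment that the zero initial value means "skip the execmem-style checks", i.e. the fail-open direction, which is only safe because the assignment happens in `__init` code before any hook can run.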
@@ -3015,7 +3017,6 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
 		if (rc)
 			goto error;
 	}
-#endif
 
 	if (file) {
 		/* read access is always possible with a mapping */
@@ -3076,8 +3077,8 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
 	if (selinux_checkreqprot)
 		prot = reqprot;
 
-#ifndef CONFIG_PPC32
-	if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
+	if (default_noexec &&
+	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
 		int rc = 0;
 		if (vma->vm_start >= vma->vm_mm->start_brk &&
 		    vma->vm_end <= vma->vm_mm->brk) {
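Review bot: gating the whole block on `default_noexec` skips every check inside it (the heap range test against `start_brk`/`brk` is the part visible here) on architectures whose default data flags include `VM_EXEC`, which matches what the removed `#ifndef CONFIG_PPC32` did and is the stated intent. The subtlety worth a comment at this `if` is that the decision is the boot-time value, so a task running under a personality that changes `VM_DATA_DEFAULT_FLAGS` (the commit message says it depends on `current->personality` on some arches) is still judged by the initial task's setting; without that note a later maintainer may "fix" it by re-evaluating `VM_DATA_DEFAULT_FLAGS` per task and reintroduce non-uniform behaviour.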
@@ -3099,7 +3100,6 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
 		if (rc)
 			return rc;
 	}
-#endif
 
 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
 }
@@ -5662,6 +5662,8 @@ static __init int selinux_init(void)
 	/* Set the security state for the initial task. */
 	cred_init_security();
 
+	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
+
 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
 					    sizeof(struct inode_security_struct),
 					    0, SLAB_PANIC, NULL);
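Review bot: `default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);` is evaluated inside `selinux_init()`, so on architectures where `VM_DATA_DEFAULT_FLAGS` expands to an expression over `current->personality` it samples the init task's personality. That is exactly what the commit message says it wants, but nothing in the code says so; a comment such as `/* Sample the initial task's default data flags; we deliberately do not re-check per task. */` would stop this from looking like an accidental use of `current` in init code. Placing it right after `cred_init_security()` is fine since no hook can run before `__init` completes, but the comment should also mention that the variable reads as "checks disabled" until this line executes.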

-- 
Stephen Smalley
National Security Agency
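As an added example (not part of this thread, the Fedora kernel package, or the upstream SELinux code), the following user-space C program does from the outside what Tom did by hand with `cat /proc/2174/maps`: it scans a maps listing and reports every writable+executable region, classifying it as heap, anonymous, or file-backed, which is the distinction the patched `file_map_prot_check` and `selinux_file_mprotect` hooks draw when deciding between the execmem-style checks. The sample listing is constructed from the mingetty lines quoted above (the mail-wrapped lines joined back together) plus one ordinary `rw-p` region; everything else (function names, the `wx_kind` enum) is this example's own.

```c
/* Added example: report writable+executable mappings in a /proc/<pid>/maps
 * listing. Names here are the example's own, not kernel or SELinux API. */
#include <stdio.h>
#include <string.h>

/* Constructed sample, modelled on the mingetty listing quoted in the thread
 * (wrapped lines rejoined), plus one rw-p anonymous region that must not be
 * reported. */
static const char SAMPLE_MAPS[] =
    "00010000-00014000 r-xp 00000000 fd:00 15466577 /sbin/mingetty\n"
    "00022000-00024000 rwxp 00002000 fd:00 15466577 /sbin/mingetty\n"
    "00024000-00046000 rwxp 00000000 00:00 0 [heap]\n"
    "f7f00000-f7f20000 rw-p 00000000 00:00 0\n";

enum wx_kind {
    WX_NONE = 0, /* not writable+executable */
    WX_HEAP,     /* [heap]: the region the heap range test in the mprotect hook covers */
    WX_ANON,     /* anonymous W+X: the "executable anonymous mapping" case in the hook comment */
    WX_FILE      /* W+X file mapping: the "private file mapping that will also be writable" case */
};

/* Classify one maps line.  Format: start-end perms offset dev inode [path] */
enum wx_kind classify_line(const char *line)
{
    char perms[8] = {0};
    char path[256] = {0};

    /* Only perms and path are kept; a missing path (anonymous region) is fine. */
    if (sscanf(line, "%*x-%*x %7s %*s %*s %*s %255s", perms, path) < 1)
        return WX_NONE;
    /* perms looks like "rwxp": index 1 is the write bit, index 2 the exec bit */
    if (perms[1] != 'w' || perms[2] != 'x')
        return WX_NONE;
    if (strcmp(path, "[heap]") == 0)
        return WX_HEAP;
    if (path[0] == '/')
        return WX_FILE;
    return WX_ANON;
}

static const char *kind_name(enum wx_kind k)
{
    switch (k) {
    case WX_HEAP: return "heap";
    case WX_ANON: return "anon";
    case WX_FILE: return "file";
    default:      return "none";
    }
}

/* Walk a whole maps listing and return the number of W+X regions,
 * printing each one when verbose is non-zero. */
int count_wx_mappings(const char *maps, int verbose)
{
    int count = 0;
    const char *p = maps;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        enum wx_kind k;

        if (len >= sizeof line)          /* truncate absurdly long lines */
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        k = classify_line(line);
        if (k != WX_NONE) {
            count++;
            if (verbose)
                printf("W+X %-4s %s\n", kind_name(k), line);
        }
        p = nl ? nl + 1 : p + strlen(p);
    }
    return count;
}

/* Stand-alone use: ./wxscan /proc/<pid>/maps, or no argument for the sample.
 * Exit status 2 means at least one W+X region was found. */
int main(int argc, char **argv)
{
    if (argc > 1) {
        static char buf[1 << 16];
        FILE *f = fopen(argv[1], "r");
        size_t n;

        if (!f) { perror(argv[1]); return 1; }
        n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        return count_wx_mappings(buf, 1) ? 2 : 0;
    }
    return count_wx_mappings(SAMPLE_MAPS, 1) ? 2 : 0;
}
```

On the sample this reports two regions: the `rwxp` data segment of `/sbin/mingetty` and the `rwxp` `[heap]`, which is the shape David Miller's reply attributes to the PLT living in the heap on sparc and powerpc32. On an architecture whose `VM_DATA_DEFAULT_FLAGS` lacks `VM_EXEC`, the same listing for a normally built binary shows no W+X regions, so the scan is a quick way to tell which side of the `default_noexec` decision a given system falls on.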