SELinux Mailing List

[RFC][PATCH 2/2] Further SELinux restrictions on mprotect

From: Lorenzo Hernández García-Hierro <lorenzo_at_gnu.org>
Date: Wed, 20 Apr 2005 19:18:08 +0200

This patch, based on sample code by Roland McGrath, adds an execheap permission check that controls the ability to make the heap executable so that this can be prevented in almost all cases (the X server is presently an exception, but this will hopefully be resolved in the future) so that even programs with execmem permission will need to have the anonymous memory mapped in order to make it executable. The only reason that we use a permission check for such restriction (vs. making it unconditional) is that the X module loader presently needs it; it could possibly be made unconditional in the future when X is changed.

The policy patch for the execheap permission is available at: http://pearls.tuxedo-es.org/patches/selinux/policy-execheap.patch

Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>

---

 linux-2.6-20050404-lorenzo/security/selinux/hooks.c                     |   11 ++++++++++
 linux-2.6-20050404-lorenzo/security/selinux/include/av_perm_to_string.h |    1 
 linux-2.6-20050404-lorenzo/security/selinux/include/av_permissions.h    |    1 
 3 files changed, 13 insertions(+)

diff -puN security/selinux/include/av_permissions.h~kernel-execheap security/selinux/include/av_permissions.h
--- linux-2.6-20050404/security/selinux/include/av_permissions.h~kernel-execheap	2005-04-20 19:02:37.743652408 +0200
+++ linux-2.6-20050404-lorenzo/security/selinux/include/av_permissions.h	2005-04-20 19:02:37.754650736 +0200
@@ -466,6 +466,7 @@

#define PROCESS__SETCURRENT 0x01000000UL
#define PROCESS__EXECMEM 0x02000000UL
#define PROCESS__EXECSTACK 0x04000000UL
+#define PROCESS__EXECHEAP 0x08000000UL
#define IPC__CREATE 0x00000001UL
#define IPC__DESTROY 0x00000002UL
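Review bot: the new `#define PROCESS__EXECHEAP 0x08000000UL` only means "execheap" if it sits in the same bit position that the accompanying policy-execheap.patch gives the permission in the process class; nothing in this hunk ties the two together, so please say in the commit message that the header values and the policy change were produced from the same access vector definition (or regenerate the header from the patched policy), otherwise a skew between the kernel bit and the policy bit would silently grant or deny the wrong permission.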
diff -puN security/selinux/include/av_perm_to_string.h~kernel-execheap security/selinux/include/av_perm_to_string.h --- linux-2.6-20050404/security/selinux/include/av_perm_to_string.h~kernel-execheap 2005-04-20 19:02:37.745652104 +0200 +++ linux-2.6-20050404-lorenzo/security/selinux/include/av_perm_to_string.h 2005-04-20 19:02:37.754650736 +0200 @@ -71,6 +71,7 @@ S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent") S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem") S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack") + S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap") S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue") S_(SECCLASS_MSG, MSG__SEND, "send") S_(SECCLASS_MSG, MSG__RECEIVE, "receive") diff -puN security/selinux/hooks.c~kernel-execheap security/selinux/hooks.c --- linux-2.6-20050404/security/selinux/hooks.c~kernel-execheap 2005-04-20 19:02:37.749651496 +0200 +++ linux-2.6-20050404-lorenzo/security/selinux/hooks.c 2005-04-20 19:02:37.756650432 +0200 @@ -2467,6 +2467,17 @@ static int selinux_file_mprotect(struct prot = reqprot;
#ifndef CONFIG_PPC32
+ if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) && + (vma->vm_start >= vma->vm_mm->start_brk && + vma->vm_end <= vma->vm_mm->brk)) { + /* + * We are making an executable mapping in the brk region. + * This has an additional execheap check. + */ + rc = task_has_perm(current, current, PROCESS__EXECHEAP); + if (rc) + return rc; + } if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) { /* * We are making executable a file mapping that has _ -- Lorenzo Hernández García-Hierro <lorenzo@gnu.org> [1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
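Review bot: the brk-region test requires the whole VMA to lie inside the heap (`vma->vm_start >= vma->vm_mm->start_brk && vma->vm_end <= vma->vm_mm->brk`), so a VMA that only partly overlaps it, for instance when the mprotect range extends past brk or the heap VMA has been merged with an adjacent anonymous mapping, skips the execheap check and is governed by the execmem path alone; if the intent is that any heap page made executable needs execheap, an overlap test (`vma->vm_start < vma->vm_mm->brk && vma->vm_end > vma->vm_mm->start_brk`) would be the stricter choice. The block is also placed inside the existing `#ifndef CONFIG_PPC32`, so the commit message should state that execheap, like the checks around it, is not enforced on PPC32 builds.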

-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

Received on Wed 20 Apr 2005 - 14:05:46 EDT
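A way for an administrator to confirm that the execheap restriction described in the message above is actually enforced for a domain: the program below grows the brk heap and asks for PROT_EXEC on a page that lies entirely within it, which is exactly the mapping the new hook check inspects. This is an added example, not code from the patch or its author; the enum, the helper names and the two-page probe size are choices made here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum probe_result { PROBE_ALLOWED, PROBE_DENIED, PROBE_ERROR };

/* Name for a probe outcome (helper added for this example). */
const char *probe_result_name(enum probe_result r)
{
    switch (r) {
    case PROBE_ALLOWED: return "allowed";
    case PROBE_DENIED:  return "denied (EACCES)";
    default:            return "probe error";
    }
}

/* Grow the brk heap by two pages, then request PROT_EXEC on one page that lies
 * entirely inside [start_brk, brk), the region the patch's execheap check covers.
 * A denial by the hook shows up as mprotect() failing with EACCES; any other
 * failure means the probe itself did not run as intended. */
enum probe_result probe_heap_exec(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *old_brk = sbrk(0);
    if (old_brk == (void *)-1 || sbrk(2 * page) == (void *)-1)
        return PROBE_ERROR;
    /* First page boundary at or above the old brk: that page and the one after it
     * are now heap, so [start, start + page) is fully inside the brk region. */
    uintptr_t start = ((uintptr_t)old_brk + page - 1) & ~((uintptr_t)page - 1);
    int rc = mprotect((void *)start, page, PROT_READ | PROT_WRITE | PROT_EXEC);
    int err = errno;
    /* Undo: drop PROT_EXEC again (a no-op if it was never granted) and shrink. */
    mprotect((void *)start, page, PROT_READ | PROT_WRITE);
    sbrk(-2 * page);
    if (rc == 0)
        return PROBE_ALLOWED;
    return err == EACCES ? PROBE_DENIED : PROBE_ERROR;
}

int main(void)
{
    enum probe_result r = probe_heap_exec();
    printf("mprotect(PROT_EXEC) on a brk-region page: %s\n", probe_result_name(r));
    return r == PROBE_ERROR ? 1 : 0;
}
```

Run it from the domain under test in enforcing mode: a "denied (EACCES)" result should be accompanied by an avc denial naming the execheap permission in the audit log, while "allowed" means the domain holds execheap (or the kernel lacks the check).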
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

National Security Agency / Central Security Service