selinux: apply execstack check on thread stacks
authorStephen Smalley <sds@tycho.nsa.gov>
Fri, 8 Apr 2016 17:55:03 +0000 (13:55 -0400)
committerPaul Moore <paul@paul-moore.com>
Tue, 26 Apr 2016 19:47:57 +0000 (15:47 -0400)
The execstack check was only being applied on the main
process stack.  Thread stacks allocated via mmap were
only subject to the execmem permission check.  Augment
the check to apply to the current thread stack as well.
Note that this does NOT prevent making a different thread's
stack executable.

Suggested-by: Nick Kralevich <nnk@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/hooks.c

index bbff80c6d3f2ab339e93228881e0ba76d91ea5ec..a00ab81ab719088e8f571c696b3ebbd86ad2f167 100644 (file)
@@ -3479,8 +3479,9 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
                    vma->vm_end <= vma->vm_mm->brk) {
                        rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
                } else if (!vma->vm_file &&
-                          vma->vm_start <= vma->vm_mm->start_stack &&
-                          vma->vm_end >= vma->vm_mm->start_stack) {
+                          ((vma->vm_start <= vma->vm_mm->start_stack &&
+                            vma->vm_end >= vma->vm_mm->start_stack) ||
+                           vma_is_stack_for_task(vma, current))) {
                        rc = current_has_perm(current, PROCESS__EXECSTACK);
                } else if (vma->vm_file && vma->anon_vma) {
                        /*