selinux: apply execstack check on thread stacks

The execstack check was only being applied on the main process stack. Thread stacks allocated via mmap were only subject to the execmem permission check. Augment the check to apply to the current thread stack as well. Note that this does NOT prevent making a different thread's stack executable. Suggested-by: N Nick Kralevich <nnk@google.com> Acked-by: N Nick Kralevich <nnk@google.com> Signed-off-by: N Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: N Paul Moore <paul@paul-moore.com>

selinux: apply execstack check on thread stacks
The execstack check was only being applied on the main process stack. Thread stacks allocated via mmap were only subject to the execmem permission check. Augment the check to apply to the current thread stack as well. Note that this does NOT prevent making a different thread's stack executable. Suggested-by: N Nick Kralevich <nnk@google.com> Acked-by: N Nick Kralevich <nnk@google.com> Signed-off-by: N Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: N Paul Moore <paul@paul-moore.com>
c2316dbf · Stephen Smalley · Paul Moore · 8e4ff6f2 · c2316dbf
隐藏空白更改
内联并排

Showing with 3 addition and 2 deletion

security/selinux/hooks.c security/selinux/hooks.c +3 -2

未找到文件。
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3479,8 +3479,9 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
 		    vma->vm_end <= vma->vm_mm->brk) {
 			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
 		} else if (!vma->vm_file &&
-			   vma->vm_start <= vma->vm_mm->start_stack &&
-			   vma->vm_end >= vma->vm_mm->start_stack) {
+			   ((vma->vm_start <= vma->vm_mm->start_stack &&
+			     vma->vm_end >= vma->vm_mm->start_stack) ||
+			    vma_is_stack_for_task(vma, current))) {
 			rc = current_has_perm(current, PROCESS__EXECSTACK);
 		} else if (vma->vm_file && vma->anon_vma) {
 			/*