authorStephen D. Smalley <sds@tycho.nsa.gov>2005-03-09 16:28:29 -0800
committerLinus Torvalds <torvalds@ppc970.osdl.org>2005-03-09 16:28:29 -0800
commit65e05719ebd5107c82b40f8d2f2dba0964cac61f (patch)
treea3f9cca094587ff549d91cbeda16cef3b4931cc5 /include/linux
parentd75f9d53dcd74638f4650a41179b78afd56641c2 (diff)
[PATCH] SELinux: pass requested protection to security_file_mmap/mprotect hooks
This patch adds a reqprot parameter to the security_file_mmap and security_file_mprotect hooks that is the original requested protection value prior to any modification for read-implies-exec, and changes the SELinux module to allow a mode of operation (controllable via a checkreqprot setting) where it applies checks based on that protection value rather than the protection that will be applied by the kernel, effectively restoring SELinux's original behavior prior to the introduction of the read-implies-exec logic in the mainline kernel. The patch also disables execmem and execmod checking entirely on PPC32, as the PPC32 ELF ABI presently requires RWE segments per Ulrich Drepper. At present, the read-implies-exec logic causes SELinux to see every mmap/mprotect read request by legacy binaries or binaries marked with PT_GNU_STACK RWE as a read|execute request, which tends to distort policy even if it reflects what is ultimately possible. The checkreqprot setting allows one to set the desired behavior for SELinux, so either the current behavior or the original behavior is possible. The checkreqprot value has a compile-time configurable default value and can also be set via boot parameter or at runtime via /selinux/checkreqprot if allowed by policy. Thanks to Chris Wright, James Morris, and Colin Walters for comments on an earlier version of the patch. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/security.h23
1 files changed, 16 insertions, 7 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 78d91972c4dc..b42095a68b1c 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -458,13 +458,15 @@ struct swap_info_struct;
* Check permissions for a mmap operation. The @file may be NULL, e.g.
* if mapping anonymous memory.
* @file contains the file structure for file to map (may be NULL).
- * @prot contains the requested permissions.
+ * @reqprot contains the protection requested by the application.
+ * @prot contains the protection that will be applied by the kernel.
* @flags contains the operational flags.
* Return 0 if permission is granted.
* @file_mprotect:
* Check permissions before changing memory access permissions.
* @vma contains the memory region to modify.
- * @prot contains the requested permissions.
+ * @reqprot contains the protection requested by the application.
+ * @prot contains the protection that will be applied by the kernel.
* Return 0 if permission is granted.
* @file_lock:
* Check permission before performing file locking operations.
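Review bot: The new kernel-doc lines for @reqprot and @prot, under both @file_mmap and @file_mprotect, do not tell a module author which of the two values a decision can safely rest on. Per the commit description, @prot may carry an execute bit added by the read-implies-exec logic that @reqprot does not have, so a module that checks only @reqprot would leave that execute permission unmediated. I would extend the @prot line to say so, for example `@prot contains the protection that will be applied by the kernel; it may include PROT_EXEC that is not present in @reqprot.` The comment block starts and ends outside the hunk.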
@@ -1129,8 +1131,11 @@ struct security_operations {
int (*file_ioctl) (struct file * file, unsigned int cmd,
unsigned long arg);
int (*file_mmap) (struct file * file,
+ unsigned long reqprot,
unsigned long prot, unsigned long flags);
- int (*file_mprotect) (struct vm_area_struct * vma, unsigned long prot);
+ int (*file_mprotect) (struct vm_area_struct * vma,
+ unsigned long reqprot,
+ unsigned long prot);
int (*file_lock) (struct file * file, unsigned int cmd);
int (*file_fcntl) (struct file * file, unsigned int cmd,
unsigned long arg);
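Review bot: `reqprot` and `prot` are adjacent `unsigned long` parameters in `file_mmap` and `file_mprotect`, so a call site or module implementation that passes them in the wrong order compiles without any diagnostic and silently checks the wrong value. The same applies to the `security_file_mmap` and `security_file_mprotect` wrappers in the hunks at -1693 and -2342. The callers and the modules that implement these hooks are outside this view (the diffstat is limited to include/linux), so their argument order cannot be confirmed from here. A short comment above the two members would help, for example `/* reqprot: as requested by the caller; prot: as the kernel will apply it. Order matters. */`. struct security_operations starts and ends outside the hunk.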
@@ -1693,16 +1698,18 @@ static inline int security_file_ioctl (struct file *file, unsigned int cmd,
return security_ops->file_ioctl (file, cmd, arg);
}
-static inline int security_file_mmap (struct file *file, unsigned long prot,
+static inline int security_file_mmap (struct file *file, unsigned long reqprot,
+ unsigned long prot,
unsigned long flags)
{
- return security_ops->file_mmap (file, prot, flags);
+ return security_ops->file_mmap (file, reqprot, prot, flags);
}
static inline int security_file_mprotect (struct vm_area_struct *vma,
+ unsigned long reqprot,
unsigned long prot)
{
- return security_ops->file_mprotect (vma, prot);
+ return security_ops->file_mprotect (vma, reqprot, prot);
}
static inline int security_file_lock (struct file *file, unsigned int cmd)
@@ -2342,13 +2349,15 @@ static inline int security_file_ioctl (struct file *file, unsigned int cmd,
return 0;
}
-static inline int security_file_mmap (struct file *file, unsigned long prot,
+static inline int security_file_mmap (struct file *file, unsigned long reqprot,
+ unsigned long prot,
unsigned long flags)
{
return 0;
}
static inline int security_file_mprotect (struct vm_area_struct *vma,
+ unsigned long reqprot,
unsigned long prot)
{
return 0;