* Stephen Smalley (sds@private) wrote:
> This patch adds a reqprot parameter to the security_file_mmap and
> security_file_mprotect hooks that is the original requested protection
> value prior to any modification for read-implies-exec, and changes the
> SELinux module to allow a mode of operation (controllable via
> a /selinux/checkreqprot setting) where it applies checks based on that
> protection value rather than the protection that will be applied by the
> kernel, effectively restoring SELinux's original behavior prior to the
> introduction of the read-implies-exec logic in the mainline kernel. At
> present, the read-implies-exec logic causes SELinux to see every
> mmap/mprotect read request by legacy binaries or binaries marked with
> PT_GNU_STACK RWE as a read|execute request, which tends to distort
> policy even if it reflects what is ultimately possible.
Only other way I can see is to effectively tweak policy based on
tsk->personality. While it seems ugly, it's an accurate reflection
of both policy and reality (with some confusion of audit messages when
building policy). But your patch is probably the most straight-forward
way to do it.
> Index: linux-2.6/mm/mprotect.c
> ===================================================================
> RCS file: /nfshome/pal/CVS/linux-2.6/mm/mprotect.c,v
> retrieving revision 1.10
> diff -u -p -r1.10 mprotect.c
> --- linux-2.6/mm/mprotect.c 27 Dec 2004 15:09:53 -0000 1.10
> +++ linux-2.6/mm/mprotect.c 22 Feb 2005 14:36:21 -0000
> @@ -193,7 +193,7 @@ fail:
> asmlinkage long
> sys_mprotect(unsigned long start, size_t len, unsigned long prot)
> {
> - unsigned long vm_flags, nstart, end, tmp;
> + unsigned long vm_flags, nstart, end, tmp, reqprot = prot;
Do you want to sample prot after it's been cleared of GROWSUP/DOWN bits
just to keep reqport as clean as possible?
> + prot = reqprot;
> +
> if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
> /*
> * We are making executable a file mapping that has
> Index: linux-2.6/security/selinux/selinuxfs.c
> ===================================================================
> RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/selinuxfs.c,v
> retrieving revision 1.51
> diff -u -p -r1.51 selinuxfs.c
> --- linux-2.6/security/selinux/selinuxfs.c 2 Dec 2004 15:21:42 -0000 1.51
> +++ linux-2.6/security/selinux/selinuxfs.c 22 Feb 2005 15:33:39 -0000
> @@ -34,6 +34,8 @@
> #include "objsec.h"
> #include "conditional.h"
>
> +unsigned int selinux_checkreqprot = 0;
unnecessary initialization
> +
> static DECLARE_MUTEX(sel_sem);
>
> /* global data for booleans */
> @@ -72,6 +74,7 @@ enum sel_inos {
> SEL_DISABLE, /* disable SELinux until next reboot */
> SEL_AVC, /* AVC management directory */
> SEL_MEMBER, /* compute polyinstantiation membership decision */
> + SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */
> };
>
> #define TMPBUFLEN 12
> @@ -300,6 +303,55 @@ static struct file_operations sel_contex
> .write = sel_write_context,
> };
>
> +#define TMPBUFLEN 12
Looks an unnecessary duplicate
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
This archive was generated by hypermail 2.1.3 : Tue Feb 22 2005 - 15:48:29 PST