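diff -urN linux-2.6.2/security/selinux/hooks.c linux-2.6.2-pax/security/selinux/hooks.c
--- linux-2.6.2/security/selinux/hooks.c	2004-02-08 02:41:59.000000000 -0600
+++ linux-2.6.2-pax/security/selinux/hooks.c	2004-02-07 23:40:47.000000000 -0600
@@ -61,6 +61,10 @@
 #include "objsec.h"
 #include "netif.h"
 
+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
+static void avc_pax_set_flags(struct linux_binprm * bprm);
+#endif
+
 #define XATTR_SELINUX_SUFFIX "selinux"
 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
 
@@ -3738,12 +3742,104 @@
 }
 spin_unlock(&sb_security_lock);
 spin_unlock(&sb_lock);
+
+ #ifdef CONFIG_PAX_HOOK_ACL_FLAGS
+ printk(KERN_DEBUG "SELinux: Setting PaX callback function\n");
+ pax_set_flags_func = avc_pax_set_flags;
+ #endif
 }
 
 /* SELinux requires early initialization in order to label
 all processes and objects when they are created. */
 security_initcall(selinux_init);
 
+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
+
+static void avc_pax_set_flags(struct linux_binprm * bprm)
+{
+ struct inode_security_struct *isec;
+ struct av_decision avd;
+ /* these are good default flags for i386 */
+ unsigned long flags = (PF_PAX_SEGMEXEC | PF_PAX_MPROTECT | PF_PAX_RANDMMAP);
+ unsigned long oldflags = current->flags;
+ int rc;
+
+ char *scontext;
+ u32 scontext_len;
+
+ /*
+ * get the security struct from the inode of the file
+ * since the bprm security struct will just point to
+ * the user running the binary
+ */
+ struct inode *inode = bprm->file->f_dentry->d_inode;
+ isec = inode->i_security;
+
+ /* PAGEEXEC is disabled by default, we'll check if it should enabled */
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__PAGEEXEC, &isec->avcr,NULL);
+ if (!rc) {
+ flags |= PF_PAX_PAGEEXEC;
+ }
+ /* EMUTRAMP is disabled by default, we'll check if it should enabled */
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__EMUTRAMP, &isec->avcr, NULL);
+ if (!rc) {
+ flags |= PF_PAX_EMUTRAMP;
+ }
+ /* RANDEXEC is disabled by default, we'll check if it should enabled */
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__RANDEXEC, &isec->avcr, NULL);
+ if (!rc) {
+ flags |= PF_PAX_RANDEXEC;
+ }
+ /* MPROTECT is enabled by default, nomprotect disables */
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NOMPROTECT, &isec->avcr, NULL);
+ if (!rc) {
+ flags &= ~PF_PAX_MPROTECT;
+ }
+ /* RANDMMAP is enabled by default, norandmmap disables */
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NORANDMMAP, &isec->avcr, NULL);
+ if (!rc) {
+ flags &= ~PF_PAX_RANDMMAP;
+ }
+ /* SEGMEXEC is enabled by default, nosegmexec disables */
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NOSEGMEXEC, &isec->avcr, NULL);
+ if (!rc) {
+ flags &= ~PF_PAX_SEGMEXEC;
+ }
+
+ if (selinux_enforcing) {
+
+ /* pull all the pax flags in current */
+ current->flags &= ~(PF_PAX_PAGEEXEC | PF_PAX_EMUTRAMP | PF_PAX_MPROTECT | PF_PAX_RANDMMAP | PF_PAX_RANDEXEC | PF_PAX_SEGMEXEC);
+ /* and add ours */
+ current->flags |= flags;
+
+ printk( KERN_WARNING "avc: setting flags %lx\n", flags );
+
+ if (pax_check_flags(¤t->flags) < 0)
+ printk(KERN_WARNING
+ "avc: pax flags were changed from %lx to %lx by pax_check_flags, please check your policy for incompatible or disabled options\n",
+ flags,
+ current->flags
+ );
+
+ security_sid_to_context(isec->sid, &scontext, &scontext_len);
+ if (current->flags != oldflags)
+ printk(KERN_INFO
+ "avc: pax changing flags for process %u (%s) %s to %lx from %lx \n",
+ current->pid,
+ scontext,
+ bprm->filename,
+ current->flags,
+ oldflags
+ );
+ kfree(scontext);
+ }
+
+ return;
+}
+
+#endif /* CONFIG_PAX_HOOK_ACL_FLAGS */
+
 #if defined(CONFIG_NETFILTER)
 
 static struct nf_hook_ops selinux_ipv4_op = {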
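Review bot: The return value of `security_sid_to_context()` in avc_pax_set_flags is ignored, so when the lookup fails `scontext` is never assigned and the following `printk("%s", ...)` and `kfree(scontext)` act on an uninitialized pointer; the lookup is also performed (and the buffer freed) even when `current->flags == oldflags` and nothing is logged, so it should move under that test and only log/free on success, as below. Separately, the three "disabled by default" queries (PAGEEXEC, EMUTRAMP, RANDEXEC) treat a denial as the normal outcome, so with plain `avc_has_perm` every exec of a binary lacking those permissions will presumably produce AVC denial records, and the unconditional `printk(KERN_WARNING "avc: setting flags %lx\n", flags)` adds one warning per exec on top — both bury genuine denials, so consider the no-audit variant of `avc_has_perm` if this tree provides it and dropping that warning to `KERN_DEBUG` or removing it. `struct av_decision avd` is declared but never used, and `¤t->flags` in the `pax_check_flags` call looks like a page-rendering artifact of `&current->flags` (the `&curren` prefix turned into an HTML entity) rather than the patch text itself, which is worth confirming against the raw patch. Note also that the subject SID in every `avc_has_perm` call is the file's own `isec->sid`, so the resulting flags depend only on the binary's label and not on the executing domain; if that is intended a comment saying so would help, e.g. `/* checks are keyed on the file label alone, not the caller's domain */`.
```c
/* … unchanged: permission queries, flag assignment and pax_check_flags warning … */
	if (current->flags != oldflags) {
		/* only fetch the context string when there is something to report */
		if (security_sid_to_context(isec->sid, &scontext, &scontext_len) == 0) {
			printk(KERN_INFO
			       "avc: pax changing flags for process %u (%s) %s to %lx from %lx \n",
			       current->pid, scontext, bprm->filename,
			       current->flags, oldflags);
			kfree(scontext);
		}
	}
/* … unchanged: end of the selinux_enforcing block and return … */
```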