[packages/kernel.git] / pax_selinux_hooks-2.6.20.patch

diff -urN linux-2.6.2/security/selinux/hooks.c linux-2.6.2-pax/security/selinux/hooks.c
--- linux-2.6.2/security/selinux/hooks.c	2004-02-08 02:41:59.000000000 -0600
+++ linux-2.6.2-pax/security/selinux/hooks.c	2004-02-07 23:40:47.000000000 -0600
@@ -61,6 +61,10 @@
 #include "objsec.h"
 #include "netif.h"
 
+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
+static void avc_pax_set_flags(struct linux_binprm * bprm);
+#endif
+
 #define XATTR_SELINUX_SUFFIX "selinux"
 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
 
@@ -3738,12 +3742,104 @@
 	}
 	spin_unlock(&sb_security_lock);
 	spin_unlock(&sb_lock);
+
+        #ifdef CONFIG_PAX_HOOK_ACL_FLAGS
+        printk(KERN_DEBUG "SELinux:  Setting PaX callback function\n");
+        pax_set_flags_func = avc_pax_set_flags;
+        #endif
 }
 
 /* SELinux requires early initialization in order to label
    all processes and objects when they are created. */
 security_initcall(selinux_init);
 
+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
+
+static void avc_pax_set_flags(struct linux_binprm * bprm)
+{
+        struct inode_security_struct *isec;
+        struct av_decision avd;
+        /* these are good default flags for i386 */
+        unsigned long flags = (PF_PAX_SEGMEXEC | PF_PAX_MPROTECT | PF_PAX_RANDMMAP);
+        unsigned long oldflags = current->flags;
+        int rc;
+
+        char *scontext;
+        u32 scontext_len;
+
+        /*
+         * get the security struct from the inode of the file 
+         * since the bprm security struct will just point to 
+         * the user running the binary
+         */
+        struct inode *inode = bprm->file->f_dentry->d_inode;
+        isec = inode->i_security;
+
+        /* PAGEEXEC is disabled by default, we'll check if it should enabled */
+        rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__PAGEEXEC, &isec->avcr,NULL);
+        if (!rc) {
+                flags |= PF_PAX_PAGEEXEC;
+	}
+        /* EMUTRAMP is disabled by default, we'll check if it should enabled */
+        rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__EMUTRAMP, &isec->avcr, NULL);
+        if (!rc) {
+                flags |= PF_PAX_EMUTRAMP;
+	}
+        /* RANDEXEC is disabled by default, we'll check if it should enabled */
+        rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__RANDEXEC, &isec->avcr, NULL);
+        if (!rc) {
+                flags |= PF_PAX_RANDEXEC;
+	}
+	/* MPROTECT is enabled by default, nomprotect disables */
+        rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NOMPROTECT, &isec->avcr, NULL);
+        if (!rc) {
+                flags &= ~PF_PAX_MPROTECT;
+	}
+	/* RANDMMAP is enabled by default, norandmmap disables */
+        rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NORANDMMAP, &isec->avcr, NULL);
+        if (!rc) {
+                flags &= ~PF_PAX_RANDMMAP;
+	}
+	/* SEGMEXEC is enabled by default, nosegmexec disables */
+        rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NOSEGMEXEC, &isec->avcr, NULL);
+        if (!rc) {
+                flags &= ~PF_PAX_SEGMEXEC;
+	}
+
+	if (selinux_enforcing) {
+
+		/* pull all the pax flags in current */
+	        current->flags &= ~(PF_PAX_PAGEEXEC | PF_PAX_EMUTRAMP | PF_PAX_MPROTECT | PF_PAX_RANDMMAP | PF_PAX_RANDEXEC | PF_PAX_SEGMEXEC);
+        	/* and add ours */
+	        current->flags |= flags;
+
+		printk( KERN_WARNING "avc: setting flags %lx\n", flags );
+
+        	if (pax_check_flags(&current->flags) < 0)
+                	printk(KERN_WARNING
+                        	"avc: pax flags were changed from %lx to %lx by pax_check_flags, please check your policy for incompatible or disabled options\n",
+        	                flags,
+                	        current->flags
+                        	);
+	
+	        security_sid_to_context(isec->sid, &scontext, &scontext_len);
+        	if (current->flags != oldflags)
+                	printk(KERN_INFO
+	                         "avc: pax changing flags for process %u (%s) %s to %lx from %lx \n",
+        	                 current->pid,
+                	         scontext,
+                        	 bprm->filename,
+	                         current->flags,
+        	                 oldflags
+                	        );
+	        kfree(scontext);
+	}
+
+        return;
+}
+
+#endif /* CONFIG_PAX_HOOK_ACL_FLAGS */
+
 #if defined(CONFIG_NETFILTER)
 
 static struct nf_hook_ops selinux_ipv4_op = {
Commit	Line	Data
79af5832	1	diff -urN linux-2.6.2/security/selinux/hooks.c linux-2.6.2-pax/security/selinux/hooks.c
	2	--- linux-2.6.2/security/selinux/hooks.c 2004-02-08 02:41:59.000000000 -0600
	3	+++ linux-2.6.2-pax/security/selinux/hooks.c 2004-02-07 23:40:47.000000000 -0600
	4	@@ -61,6 +61,10 @@
	5	#include "objsec.h"
	6	#include "netif.h"
	7
	8	+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
	9	+static void avc_pax_set_flags(struct linux_binprm * bprm);
	10	+#endif
	11	+
	12	#define XATTR_SELINUX_SUFFIX "selinux"
	13	#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
	14
	15	@@ -3738,12 +3742,104 @@
	16	}
	17	spin_unlock(&sb_security_lock);
	18	spin_unlock(&sb_lock);
	19	+
	20	+ #ifdef CONFIG_PAX_HOOK_ACL_FLAGS
	21	+ printk(KERN_DEBUG "SELinux: Setting PaX callback function\n");
	22	+ pax_set_flags_func = avc_pax_set_flags;
	23	+ #endif
	24	}
	25
	26	/* SELinux requires early initialization in order to label
	27	all processes and objects when they are created. */
	28	security_initcall(selinux_init);
	29
	30	+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
	31	+
	32	+static void avc_pax_set_flags(struct linux_binprm * bprm)
	33	+{
	34	+ struct inode_security_struct *isec;
	35	+ struct av_decision avd;
	36	+ /* these are good default flags for i386 */
	37	+ unsigned long flags = (PF_PAX_SEGMEXEC \| PF_PAX_MPROTECT \| PF_PAX_RANDMMAP);
	38	+ unsigned long oldflags = current->flags;
	39	+ int rc;
	40	+
	41	+ char *scontext;
	42	+ u32 scontext_len;
	43	+
	44	+ /*
	45	+ * get the security struct from the inode of the file
	46	+ * since the bprm security struct will just point to
	47	+ * the user running the binary
	48	+ */
	49	+ struct inode *inode = bprm->file->f_dentry->d_inode;
	50	+ isec = inode->i_security;
	51	+
	52	+ /* PAGEEXEC is disabled by default, we'll check if it should enabled */
	53	+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__PAGEEXEC, &isec->avcr,NULL);
	54	+ if (!rc) {
	55	+ flags \|= PF_PAX_PAGEEXEC;
	56	+ }
	57	+ /* EMUTRAMP is disabled by default, we'll check if it should enabled */
	58	+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__EMUTRAMP, &isec->avcr, NULL);
	59	+ if (!rc) {
	60	+ flags \|= PF_PAX_EMUTRAMP;
	61	+ }
	62	+ /* RANDEXEC is disabled by default, we'll check if it should enabled */
	63	+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__RANDEXEC, &isec->avcr, NULL);
	64	+ if (!rc) {
65	+ flags \|= PF_PAX_RANDEXEC;
66	+ }
67	+ /* MPROTECT is enabled by default, nomprotect disables */
68	+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NOMPROTECT, &isec->avcr, NULL);
69	+ if (!rc) {
70	+ flags &= ~PF_PAX_MPROTECT;
71	+ }
72	+ /* RANDMMAP is enabled by default, norandmmap disables */
73	+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NORANDMMAP, &isec->avcr, NULL);
74	+ if (!rc) {
75	+ flags &= ~PF_PAX_RANDMMAP;
76	+ }
77	+ /* SEGMEXEC is enabled by default, nosegmexec disables */
78	+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NOSEGMEXEC, &isec->avcr, NULL);
79	+ if (!rc) {
80	+ flags &= ~PF_PAX_SEGMEXEC;
81	+ }
82	+
83	+ if (selinux_enforcing) {
84	+
85	+ /* pull all the pax flags in current */
86	+ current->flags &= ~(PF_PAX_PAGEEXEC \| PF_PAX_EMUTRAMP \| PF_PAX_MPROTECT \| PF_PAX_RANDMMAP \| PF_PAX_RANDEXEC \| PF_PAX_SEGMEXEC);
87	+ /* and add ours */
88	+ current->flags \|= flags;
89	+
90	+ printk( KERN_WARNING "avc: setting flags %lx\n", flags );
91	+
92	+ if (pax_check_flags(&current->flags) < 0)
93	+ printk(KERN_WARNING
94	+ "avc: pax flags were changed from %lx to %lx by pax_check_flags, please check your policy for incompatible or disabled options\n",
95	+ flags,
96	+ current->flags
97	+ );
98	+
99	+ security_sid_to_context(isec->sid, &scontext, &scontext_len);
100	+ if (current->flags != oldflags)
101	+ printk(KERN_INFO
102	+ "avc: pax changing flags for process %u (%s) %s to %lx from %lx \n",
103	+ current->pid,
104	+ scontext,
105	+ bprm->filename,
106	+ current->flags,
107	+ oldflags
108	+ );
109	+ kfree(scontext);
110	+ }
111	+
112	+ return;
113	+}
114	+
115	+#endif /* CONFIG_PAX_HOOK_ACL_FLAGS */
116	+
117	#if defined(CONFIG_NETFILTER)
118
119	static struct nf_hook_ops selinux_ipv4_op = {