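--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
+static void avc_pax_set_flags(struct linux_binprm * bprm);
 #define XATTR_SELINUX_SUFFIX "selinux"
 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
@@ -3738,12 +3742,104 @@
 spin_unlock(&sb_security_lock);
 spin_unlock(&sb_lock);
+ #ifdef CONFIG_PAX_HOOK_ACL_FLAGS
+ printk(KERN_DEBUG "SELinux: Setting PaX callback function\n");
+ pax_set_flags_func = avc_pax_set_flags;
 /* SELinux requires early initialization in order to label
 all processes and objects when they are created. */
 security_initcall(selinux_init);
+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
+static void avc_pax_set_flags(struct linux_binprm * bprm)
+ struct inode_security_struct *isec;
+ struct av_decision avd;
+ /* these are good default flags for i386 */
+ unsigned long flags = (PF_PAX_SEGMEXEC | PF_PAX_MPROTECT | PF_PAX_RANDMMAP);
+ unsigned long oldflags = current->flags;
+ * get the security struct from the inode of the file
+ * since the bprm security struct will just point to
+ * the user running the binary
+ struct inode *inode = bprm->file->f_dentry->d_inode;
+ isec = inode->i_security;
+ /* PAGEEXEC is disabled by default, we'll check if it should enabled */
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__PAGEEXEC, &isec->avcr,NULL);
+ flags |= PF_PAX_PAGEEXEC;
+ /* EMUTRAMP is disabled by default, we'll check if it should enabled */
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__EMUTRAMP, &isec->avcr, NULL);
+ flags |= PF_PAX_EMUTRAMP;
+ /* RANDEXEC is disabled by default, we'll check if it should enabled */
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__RANDEXEC, &isec->avcr, NULL);
+ flags |= PF_PAX_RANDEXEC;
+ /* MPROTECT is enabled by default, nomprotect disables */
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NOMPROTECT, &isec->avcr, NULL);
+ flags &= ~PF_PAX_MPROTECT;
+ /* RANDMMAP is enabled by default, norandmmap disables */
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NORANDMMAP, &isec->avcr, NULL);
+ flags &= ~PF_PAX_RANDMMAP;
+ /* SEGMEXEC is enabled by default, nosegmexec disables */
+ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NOSEGMEXEC, &isec->avcr, NULL);
+ flags &= ~PF_PAX_SEGMEXEC;
+ if (selinux_enforcing) {
+ /* pull all the pax flags in current */
+ current->flags &= ~(PF_PAX_PAGEEXEC | PF_PAX_EMUTRAMP | PF_PAX_MPROTECT | PF_PAX_RANDMMAP | PF_PAX_RANDEXEC | PF_PAX_SEGMEXEC);
+ current->flags |= flags;
+ printk( KERN_WARNING "avc: setting flags %lx\n", flags );
+ if (pax_check_flags(¤t->flags) < 0)
+ "avc: pax flags were changed from %lx to %lx by pax_check_flags, please check your policy for incompatible or disabled options\n",
+ security_sid_to_context(isec->sid, &scontext, &scontext_len);
+ if (current->flags != oldflags)
+ "avc: pax changing flags for process %u (%s) %s to %lx from %lx \n",
+#endif /* CONFIG_PAX_HOOK_ACL_FLAGS */
 #if defined(CONFIG_NETFILTER)
 static struct nf_hook_ops selinux_ipv4_op = {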
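Review bot: The return value of `security_sid_to_context()` at diff line 99 is ignored, yet `scontext` is then passed as the `%s` argument of the KERN_WARNING message at line 102; if the conversion fails (for instance on allocation failure) the pointer is never set, so the message prints, and presumably later frees, an uninitialized pointer. Guard it before the flag-change report, e.g. `if (security_sid_to_context(isec->sid, &scontext, &scontext_len)) return;` (or skip only the message), so the audit line is emitted only with a valid context string. Separately, the unconditional `printk( KERN_WARNING "avc: setting flags %lx\n", flags );` at line 90 fires on every exec in enforcing mode, which is log noise at warning level; KERN_DEBUG or a rate-limited variant fits better. Only part of avc_pax_set_flags is visible here (the diff lines on this page are sparse), so how `rc` is tested after each `avc_has_perm()` and where `scontext` is released could not be checked; `¤t->flags` at line 92 is presumably `&current->flags` mangled by the page's rendering.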