- updated for 2.6.22.19
1 diff -urN linux-2.6.2/security/selinux/hooks.c linux-2.6.2-pax/security/selinux/hooks.c
2 --- linux-2.6.2/security/selinux/hooks.c        2004-02-08 02:41:59.000000000 -0600
3 +++ linux-2.6.2-pax/security/selinux/hooks.c    2004-02-07 23:40:47.000000000 -0600
4 @@ -61,6 +61,10 @@
5  #include "objsec.h"
6  #include "netif.h"
7  
8 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
9 +static void avc_pax_set_flags(struct linux_binprm * bprm);
10 +#endif
11 +
12  #define XATTR_SELINUX_SUFFIX "selinux"
13  #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
14  
15 @@ -3738,12 +3742,104 @@
16         }
17         spin_unlock(&sb_security_lock);
18         spin_unlock(&sb_lock);
19 +
20 +        #ifdef CONFIG_PAX_HOOK_ACL_FLAGS
21 +        printk(KERN_DEBUG "SELinux:  Setting PaX callback function\n");
22 +        pax_set_flags_func = avc_pax_set_flags;
23 +        #endif
24  }
25  
26  /* SELinux requires early initialization in order to label
27     all processes and objects when they are created. */
28  security_initcall(selinux_init);
29  
30 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
31 +
32 +static void avc_pax_set_flags(struct linux_binprm * bprm)
33 +{
34 +        struct inode_security_struct *isec;
35 +        struct av_decision avd;
36 +        /* these are good default flags for i386 */
37 +        unsigned long flags = (PF_PAX_SEGMEXEC | PF_PAX_MPROTECT | PF_PAX_RANDMMAP);
38 +        unsigned long oldflags = current->flags;
39 +        int rc;
40 +
41 +        char *scontext;
42 +        u32 scontext_len;
43 +
44 +        /*
45 +         * get the security struct from the inode of the file 
46 +         * since the bprm security struct will just point to 
47 +         * the user running the binary
48 +         */
49 +        struct inode *inode = bprm->file->f_dentry->d_inode;
50 +        isec = inode->i_security;
51 +
52 +        /* PAGEEXEC is disabled by default, we'll check if it should enabled */
53 +        rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__PAGEEXEC, &isec->avcr,NULL);
54 +        if (!rc) {
55 +                flags |= PF_PAX_PAGEEXEC;
56 +       }
57 +        /* EMUTRAMP is disabled by default, we'll check if it should enabled */
58 +        rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__EMUTRAMP, &isec->avcr, NULL);
59 +        if (!rc) {
60 +                flags |= PF_PAX_EMUTRAMP;
61 +       }
62 +        /* RANDEXEC is disabled by default, we'll check if it should enabled */
63 +        rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__RANDEXEC, &isec->avcr, NULL);
64 +        if (!rc) {
65 +                flags |= PF_PAX_RANDEXEC;
66 +       }
67 +       /* MPROTECT is enabled by default, nomprotect disables */
68 +        rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NOMPROTECT, &isec->avcr, NULL);
69 +        if (!rc) {
70 +                flags &= ~PF_PAX_MPROTECT;
71 +       }
72 +       /* RANDMMAP is enabled by default, norandmmap disables */
73 +        rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NORANDMMAP, &isec->avcr, NULL);
74 +        if (!rc) {
75 +                flags &= ~PF_PAX_RANDMMAP;
76 +       }
77 +       /* SEGMEXEC is enabled by default, nosegmexec disables */
78 +        rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__NOSEGMEXEC, &isec->avcr, NULL);
79 +        if (!rc) {
80 +                flags &= ~PF_PAX_SEGMEXEC;
81 +       }
82 +
83 +       if (selinux_enforcing) {
84 +
85 +               /* pull all the pax flags in current */
86 +               current->flags &= ~(PF_PAX_PAGEEXEC | PF_PAX_EMUTRAMP | PF_PAX_MPROTECT | PF_PAX_RANDMMAP | PF_PAX_RANDEXEC | PF_PAX_SEGMEXEC);
87 +               /* and add ours */
88 +               current->flags |= flags;
89 +
90 +               printk( KERN_WARNING "avc: setting flags %lx\n", flags );
91 +
92 +               if (pax_check_flags(&current->flags) < 0)
93 +                       printk(KERN_WARNING
94 +                               "avc: pax flags were changed from %lx to %lx by pax_check_flags, please check your policy for incompatible or disabled options\n",
95 +                               flags,
96 +                               current->flags
97 +                               );
98 +       
99 +               security_sid_to_context(isec->sid, &scontext, &scontext_len);
100 +               if (current->flags != oldflags)
101 +                       printk(KERN_INFO
102 +                                "avc: pax changing flags for process %u (%s) %s to %lx from %lx \n",
103 +                                current->pid,
104 +                                scontext,
105 +                                bprm->filename,
106 +                                current->flags,
107 +                                oldflags
108 +                               );
109 +               kfree(scontext);
110 +       }
111 +
112 +        return;
113 +}
114 +
115 +#endif /* CONFIG_PAX_HOOK_ACL_FLAGS */
116 +
117  #if defined(CONFIG_NETFILTER)
118  
119  static struct nf_hook_ops selinux_ipv4_op = {