Commit c2316db

stephensmalley authored and pcmoore committed
selinux: apply execstack check on thread stacks
The execstack check was only being applied on the main process stack. Thread stacks allocated via mmap were only subject to the execmem permission check. Augment the check to apply to the current thread stack as well. Note that this does NOT prevent making a different thread's stack executable.

Suggested-by: Nick Kralevich <nnk@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
1 parent 8e4ff6f commit c2316db

1 file changed: +3 -2 lines changed

security/selinux/hooks.c

Lines changed: 3 additions & 2 deletions
@@ -3479,8 +3479,9 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
34793479
vma->vm_end <= vma->vm_mm->brk) {
34803480
rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
34813481
} else if (!vma->vm_file &&
3482-
vma->vm_start <= vma->vm_mm->start_stack &&
3483-
vma->vm_end >= vma->vm_mm->start_stack) {
3482+
((vma->vm_start <= vma->vm_mm->start_stack &&
3483+
vma->vm_end >= vma->vm_mm->start_stack) ||
3484+
vma_is_stack_for_task(vma, current))) {
34843485
rc = current_has_perm(current, PROCESS__EXECSTACK);
34853486
} else if (vma->vm_file && vma->anon_vma) {
34863487
/*
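
Review bot: The added `vma_is_stack_for_task(vma, current)` term only matches the stack of the thread that calls mprotect, so a request issued by one thread against another thread's stack mapping does not enter this branch and `PROCESS__EXECSTACK` is never checked for it. The commit message states that limitation, but nothing in the code does. Add a comment above this `else if` saying that only the main process stack and the current thread's stack are covered, so later readers do not take the execstack check for complete coverage of thread stacks. The nested three-line condition would also be easier to audit if it were factored into a small helper predicate.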
