[PATCH] selinux: fix and cleanup mprotect checks

Fix the SELinux mprotect checks on executable mappings so that they are not
re-applied when the mapping is already executable as well as cleaning up
the code.  This avoids a situation where e.g.  an application is prevented
from removing PROT_WRITE on an already executable mapping previously
authorized via execmem permission due to an execmod denial.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b9f8d9731c3d54ba345ef7f2b24c09ffc7cad1ad..1bb5eea3b8c1262b617e9574e87b3f8710516122 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2454,35 +2454,27 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
                prot = reqprot;
 
 #ifndef CONFIG_PPC32
-       if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
-          (vma->vm_start >= vma->vm_mm->start_brk &&
-           vma->vm_end <= vma->vm_mm->brk)) {
-               /*
-                * We are making an executable mapping in the brk region.
-                * This has an additional execheap check.
-                */
-               rc = task_has_perm(current, current, PROCESS__EXECHEAP);
-               if (rc)
-                       return rc;
-       }
-       if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
-               /*
-                * We are making executable a file mapping that has
-                * had some COW done. Since pages might have been written,
-                * check ability to execute the possibly modified content.
-                * This typically should only occur for text relocations.
-                */
-               int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
-               if (rc)
-                       return rc;
-       }
-       if (!vma->vm_file && (prot & PROT_EXEC) &&
-               vma->vm_start <= vma->vm_mm->start_stack &&
-               vma->vm_end >= vma->vm_mm->start_stack) {
-               /* Attempt to make the process stack executable.
-                * This has an additional execstack check.
-                */
-               rc = task_has_perm(current, current, PROCESS__EXECSTACK);
+       if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
+               rc = 0;
+               if (vma->vm_start >= vma->vm_mm->start_brk &&
+                   vma->vm_end <= vma->vm_mm->brk) {
+                       rc = task_has_perm(current, current,
+                                          PROCESS__EXECHEAP);
+               } else if (!vma->vm_file &&
+                          vma->vm_start <= vma->vm_mm->start_stack &&
+                          vma->vm_end >= vma->vm_mm->start_stack) {
+                       rc = task_has_perm(current, current, PROCESS__EXECSTACK);
+               } else if (vma->vm_file && vma->anon_vma) {
+                       /*
+                        * We are making executable a file mapping that has
+                        * had some COW done. Since pages might have been
+                        * written, check ability to execute the possibly
+                        * modified content.  This typically should only
+                        * occur for text relocations.
+                        */
+                       rc = file_has_perm(current, vma->vm_file,
+                                          FILE__EXECMOD);
+               }
                if (rc)
                        return rc;
        }