X-Patchwork-Submitter: David Miller
X-Patchwork-Id: 48589
X-Patchwork-Delegate: davem@davemloft.net
Date: Thu, 25 Mar 2010 13:24:58 -0700 (PDT)
Message-Id: <20100325.132458.08954631.davem@davemloft.net>
To: tcallawa@redhat.com
Cc: sparclinux@vger.kernel.org, dgilmore@redhat.com, sds@tycho.nsa.gov, jmorris@namei.org, eparis@parisplace.org
Subject: Re: [PATCH] Disable execmem for sparc
From: David Miller
In-Reply-To: <4BAA89B9.2030102@redhat.com>
References: <4BAA89B9.2030102@redhat.com>
X-Mailing-List: sparclinux@vger.kernel.org

From: "Tom \"spot\" Callaway"
Date: Wed, 24 Mar 2010 17:52:57 -0400

> Attached is a patch which disables execmem for sparc. Without it,
> selinux does not work at all on SPARC64.
>
> This patch should be reasonably non-controversial, because this is
> already being done for PPC32.
>
> Tested-by: Tom "spot" Callaway (Ultra 10, T5220)
> Dennis Gilmore
> Signed-off-by: Tom "spot" Callaway

What is the reason why it doesn't work, I'm just curious? Is there some dependency upon executable stacks or executable data segments always working? Why can't SELINUX protect be used with that correctly?

And since we're touching selinux code we need to at a minimum CC: them so they can have a look at your change.

--------------------
diff -up linux-2.6.32.noarch/security/selinux/hooks.c.mprotect-sparc linux-2.6.32.noarch/security/selinux/hooks.c --- linux-2.6.32.noarch/security/selinux/hooks.c.mprotect-sparc 2010-03-10 08:28:20.957571926 -0500 +++ linux-2.6.32.noarch/security/selinux/hooks.c 2010-03-10 08:29:15.732698763 -0500 @@ -3010,7 +3010,7 @@ static int file_map_prot_check(struct fi const struct cred *cred = current_cred(); int rc = 0; -#ifndef CONFIG_PPC32 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_SPARC) if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { /* * We are making executable an anonymous mapping or a @@ -3082,7 +3082,7 @@ static int selinux_file_mprotect(struct if (selinux_checkreqprot) prot = reqprot; -#ifndef CONFIG_PPC32 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_SPARC) if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { int rc = 0; if (vma->vm_start >= vma->vm_mm->start_brk &&
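
Review bot: In the file_map_prot_check hunk, the new guard "#if !defined(CONFIG_PPC32) && !defined(CONFIG_SPARC)" keys on CONFIG_SPARC, while the description only reports a failure on SPARC64. The guarded test is the one that catches an anonymous mapping, or a private writable file mapping, being made executable, so the exclusion should be as narrow as the problem (CONFIG_SPARC64 if 32-bit SPARC is unaffected) and should carry a comment naming which mappings on this architecture legitimately need PROT_EXEC here. As posted, the check disappears from every SPARC build with no record in the code or the changelog of why.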
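
Review bot: In the selinux_file_mprotect hunk, the guard compiles out the entire "if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC))" block, and the first test inside that block compares vma->vm_start against vma->vm_mm->start_brk, so the heap-range check is dropped on SPARC together with whatever case actually fails. If only one case in this block breaks SPARC64, guard that case alone instead of the whole block, and state in the changelog which one it is and what userspace behaviour triggers it.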