From patchwork Thu Mar 25 20:24:58 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: Disable execmem for sparc
Date: Thu, 25 Mar 2010 10:24:58 -0000
From: David Miller
X-Patchwork-Id: 48589
Message-Id: <20100325.132458.08954631.davem@davemloft.net>
To: tcallawa@redhat.com
Cc: sparclinux@vger.kernel.org, dgilmore@redhat.com, sds@tycho.nsa.gov, jmorris@namei.org, eparis@parisplace.org

From: "Tom \"spot\" Callaway"
Date: Wed, 24 Mar 2010 17:52:57 -0400

> Attached is a patch which disables execmem for sparc. Without it,
> selinux does not work at all on SPARC64.
>
> This patch should be reasonably non-controversial, because this is
> already being done for PPC32.
>
> Tested-by: Tom "spot" Callaway (Ultra 10, T5220)
> Dennis Gilmore
> Signed-off-by: Tom "spot" Callaway

What is the reason why it doesn't work, I'm just curious? Is there
some dependency upon executable stacks or executable data segments
always working? Why can't SELINUX protect be used with that
correctly?

And since we're touching selinux code we need to at a minimum CC:
them so they can have a look at your change.

--------------------

diff -up linux-2.6.32.noarch/security/selinux/hooks.c.mprotect-sparc linux-2.6.32.noarch/security/selinux/hooks.c --- linux-2.6.32.noarch/security/selinux/hooks.c.mprotect-sparc 2010-03-10 08:28:20.957571926 -0500 +++ linux-2.6.32.noarch/security/selinux/hooks.c 2010-03-10 08:29:15.732698763 -0500 @@ -3010,7 +3010,7 @@ static int file_map_prot_check(struct fi const struct cred *cred = current_cred(); int rc = 0; -#ifndef CONFIG_PPC32 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_SPARC) if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { /* * We are making executable an anonymous mapping or a 
@@ -3082,7 +3082,7 @@ static int selinux_file_mprotect(struct if (selinux_checkreqprot) prot = reqprot; -#ifndef CONFIG_PPC32 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_SPARC) if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { int rc = 0; if (vma->vm_start >= vma->vm_mm->start_brk &&
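
Review bot: In file_map_prot_check() the new guard `#if !defined(CONFIG_PPC32) && !defined(CONFIG_SPARC)` keys on CONFIG_SPARC, while the description reports the failure only on SPARC64 and the machines listed as tested are an Ultra 10 and a T5220. If CONFIG_SPARC is also set for 32-bit sparc builds, either narrow the symbol to the configurations that actually need the exemption or say in the changelog that 32-bit sparc is meant to be covered as well. The guard also compiles out the PROT_EXEC check for anonymous and private writable mappings without any comment; a short comment above the #if explaining why these architectures skip it would help the SELinux maintainers, particularly since the root cause is still an open question in this thread.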
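
Review bot: In selinux_file_mprotect() the same two-symbol condition is repeated, and here it disables the whole block opened by `if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC))`, which in the visible context starts with the start_brk heap-range test, so more than the execmem check named in the subject may be skipped on sparc. Please confirm that this scope is intended, or keep the checks in that block that are unrelated to the reported failure. Defining the architecture condition once (a single macro used at both sites) would also keep this site and file_map_prot_check() from drifting apart when another architecture is added to the list.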