selinux: apply execstack check on thread stacks The execstack check was only being applied on the main process stack. Thread stacks allocated via mmap were only subject to the execmem permission check. Augment the check to apply to the current thread stack as well. Note that this does NOT prevent making a different thread's stack executable. Suggested-by: Nick Kralevich <nnk@google.com> Acked-by: Nick Kralevich <nnk@google.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>

commit: c2316dbf124257ae19fd2e29cb5ec51060649d38 [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Fri Apr 08 13:55:03 2016 -0400
committer: Paul Moore <paul@paul-moore.com> Tue Apr 26 15:47:57 2016 -0400
tree: a17220dace4ef3946ee7185a344fa9e735472a56
parent: 8e4ff6f228e4722cac74db716e308d1da33d744f [diff]
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index bbff80c..a00ab81 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c

@@ -3479,8 +3479,9 @@
 		    vma->vm_end <= vma->vm_mm->brk) {
 			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
 		} else if (!vma->vm_file &&
-			   vma->vm_start <= vma->vm_mm->start_stack &&
-			   vma->vm_end >= vma->vm_mm->start_stack) {
+			   ((vma->vm_start <= vma->vm_mm->start_stack &&
+			     vma->vm_end >= vma->vm_mm->start_stack) ||
+			    vma_is_stack_for_task(vma, current))) {
 			rc = current_has_perm(current, PROCESS__EXECSTACK);
 		} else if (vma->vm_file && vma->anon_vma) {
 			/*
commit	c2316dbf124257ae19fd2e29cb5ec51060649d38	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Fri Apr 08 13:55:03 2016 -0400
committer	Paul Moore <paul@paul-moore.com>	Tue Apr 26 15:47:57 2016 -0400
tree	a17220dace4ef3946ee7185a344fa9e735472a56
parent	8e4ff6f228e4722cac74db716e308d1da33d744f [diff]