From 8b68b881281cad77a787a21c92c5bc18f669ade0 Mon Sep 17 00:00:00 2001
From: shiyunli
Date: Tue, 15 Oct 2024 16:12:51 +0800
Subject: [PATCH 1/2] =?UTF-8?q?fix=20=EF=BC=88cherry=20picked=20commit=20f?= =?UTF-8?q?rom=20?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 xpm/core/xpm_security_hooks.c | 11 +++++++++--
 xpm/validator/exec_signature_info.c | 14 ++++++++------
 2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/xpm/core/xpm_security_hooks.c b/xpm/core/xpm_security_hooks.c
index 5fe5b37..288ede3 100644
--- a/xpm/core/xpm_security_hooks.c
+++ b/xpm/core/xpm_security_hooks.c
@@ -303,14 +303,21 @@ static int xpm_check_prot(struct vm_area_struct *vma, unsigned long prot)
 /* check for xpm region vma prot */
 if (vma->vm_flags & VM_XPM) {
- if (is_anon || (prot & PROT_EXEC)) {
- xpm_log_error("xpm region mmap not allow anonymous or exec permission");
+ if (is_anon) {
+ vma->vm_flags &= ~VM_XPM;
+ goto next_check;
+ }
+
+ if ((prot & PROT_WRITE) || (prot & PROT_EXEC)) {
+ xpm_log_error("xpm region mmap not allow write or exec permission");
+ report_mmap_event("xpm_check", TYPE_ABC, vma, prot);
 return -EPERM;
 }
 return 0;
 }
+next_check:
 /* check for anonymous vma prot, anonymous executable permission need
 * controled by selinux */
diff --git a/xpm/validator/exec_signature_info.c b/xpm/validator/exec_signature_info.c
index 9c02c4f..2d0f02e 100644
--- a/xpm/validator/exec_signature_info.c
+++ b/xpm/validator/exec_signature_info.c
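Review bot: The new `if (is_anon)` branch turns `xpm_check_prot` from a pure check into a mutator: `vma->vm_flags &= ~VM_XPM;` silently drops the xpm marking from an anonymous mapping inside an xpm region, so every later check that keys on VM_XPM will treat the vma as ordinary, and nothing is logged or reported, unlike the deny path a few lines below that calls `report_mmap_event`. A comment on the branch should record that this downgrade is intended, e.g. `/* anonymous mapping inside an xpm region: drop VM_XPM and fall back to the generic anonymous check */`, and the commit message should say why anonymous mappings are now tolerated rather than rejected. Whether assigning `vma->vm_flags` directly is still permitted depends on the target kernel; newer mainline trees make vm_flags read-only and require the `vm_flags_clear()` helper, which is worth confirming against the tree this is cherry-picked into. The `next_check:` label and the remainder of `xpm_check_prot` continue outside the hunk.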
@@ -486,13 +486,15 @@ static void insert_new_signature_info(struct inode *file_node, int type,
 RB_CLEAR_NODE(&new_info->rb_node);
 if ((*old_info) != NULL) {
 write_lock(verity->lock);
- rb_erase_node(verity->root, verity->node_count, *old_info);
- (*old_info)->type |= FILE_SIGNATURE_DELETE;
- write_unlock(verity->lock);
- if (atomic_sub_return(1, &(*old_info)->reference) <= 0) {
- kfree(*old_info);
- *old_info = NULL;
+ if ((*old_info) != NULL) {
+ if (atomic_sub_return(1, &(*old_info)->reference) <= 0) {
+ rb_erase_node(verity->root, verity->node_count, *old_info);
+ (*old_info)->type |= FILE_SIGNATURE_DELETE;
+ kfree(*old_info);
+ *old_info = NULL;
+ }
 }
+ write_unlock(verity->lock);
 }
 write_lock(verity->lock);
-- 
Gitee
From 4310493c949d37539f4e31b82ce2e2071096f39f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=96=BD=E8=BF=90=E7=90=86?=
Date: Tue, 22 Oct 2024 02:56:15 +0000
Subject: [PATCH 2/2] update xpm/core/xpm_security_hooks.c.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 施运理
---
 xpm/core/xpm_security_hooks.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/xpm/core/xpm_security_hooks.c b/xpm/core/xpm_security_hooks.c
index 288ede3..5fe5b37 100644
--- a/xpm/core/xpm_security_hooks.c
+++ b/xpm/core/xpm_security_hooks.c
@@ -303,21 +303,14 @@ static int xpm_check_prot(struct vm_area_struct *vma, unsigned long prot)
 /* check for xpm region vma prot */
 if (vma->vm_flags & VM_XPM) {
- if (is_anon) {
- vma->vm_flags &= ~VM_XPM;
- goto next_check;
- }
-
- if ((prot & PROT_WRITE) || (prot & PROT_EXEC)) {
- xpm_log_error("xpm region mmap not allow write or exec permission");
- report_mmap_event("xpm_check", TYPE_ABC, vma, prot);
+ if (is_anon || (prot & PROT_EXEC)) {
+ xpm_log_error("xpm region mmap not allow anonymous or exec permission");
 return -EPERM;
 }
 return 0;
 }
-next_check:
 /* check for anonymous vma prot, anonymous executable permission need
 * controled by selinux */
-- 
Gitee
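Review bot: The inner `if ((*old_info) != NULL)` added under `write_lock(verity->lock)` repeats the test made two lines earlier on the same pointer with nothing in between that could change it, so it is dead and should be dropped. The more important change is that the old node is now only unlinked with `rb_erase_node` and marked `FILE_SIGNATURE_DELETE` when `atomic_sub_return` brings its reference count to zero; when another holder still references it, the node stays in the tree unmarked while the function goes on to take `write_lock` again and insert `new_info` for the same inode, which the previous code avoided by always erasing and marking before dropping the reference. Whether the remaining holder's put path can cope with a node that is still linked, and whether the tree tolerates two entries for one inode, is decided by code outside the hunk, so this needs confirming before the change is accepted. If the intent is only to perform the erase and the free under a single lock hold, the erase and the `FILE_SIGNATURE_DELETE` marking belong before the refcount test, with only the `kfree` and the `*old_info = NULL` conditional on it. The rest of `insert_new_signature_info` continues outside the hunk.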
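Review bot: This hunk restores `xpm_check_prot` to exactly its state before patch 1/2 (the index line reads `288ede3..5fe5b37`, the reverse of patch 1/2), so within this two-patch series the edits to xpm_security_hooks.c cancel out and only the exec_signature_info.c hunk has any net effect. The revert carries no explanation beyond `update xpm/core/xpm_security_hooks.c.`; either squash patch 1/2 down to the exec_signature_info.c change so the history does not record a permission-check relaxation that was never meant to land, or state in the message why the anonymous-mapping change was withdrawn. The remainder of `xpm_check_prot` continues outside the hunk.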