From 66611f2298539fa28a3667c02ca4013602634d3d Mon Sep 17 00:00:00 2001 From: Adam Jackson Date: Fri, 15 Feb 2008 13:49:12 -0500 Subject: Trivial SELinux awareness. Enable with --enable-selinux. Avoids AVC warnings when allocating executable memory by first checking if the current process has permission to do so. --- configure.ac | 17 ++++++++++++++--- src/mesa/main/execmem.c | 22 +++++++++++++++++++--- 2 files changed, 33 insertions(+), 6 deletions(-) diff --git a/configure.ac b/configure.ac index 89328486b4..19f9fcfcb0 100644 --- a/configure.ac +++ b/configure.ac @@ -325,6 +325,17 @@ xlib|dri) ;; esac +# SELinux awareness. +AC_ARG_ENABLE(selinux, AS_HELP_STRING([--enable-selinux], [Build SELinux-aware Mesa (default: disabled)]), [MESA_SELINUX=$enableval], [MESA_SELINUX=no]) +if test "x$enable_selinux" = "xyes"; then + AC_CHECK_HEADER(selinux/selinux.h,, + AC_MSG_ERROR([SELinux headers not found])) + AC_CHECK_LIB(selinux,is_selinux_enabled,, + AC_MSG_ERROR([SELinux library not found])) + SELINUX_LIBS="-lselinux" + DEFINES="$DEFINES -DMESA_SELINUX" +fi + dnl dnl libGL configuration per driver dnl @@ -339,7 +350,7 @@ xlib) X11_INCLUDES="$X11_INCLUDES $X_CFLAGS" GL_LIB_DEPS="$X_LIBS -lX11 -lXext" fi - GL_LIB_DEPS="$GL_LIB_DEPS -lm -lpthread" + GL_LIB_DEPS="$GL_LIB_DEPS $SELINUX_LIBS -lm -lpthread" # if static, move the external libraries to the programs # and empty the libraries for libGL @@ -519,7 +530,7 @@ if test "$mesa_driver" = dri; then AC_MSG_ERROR([Expat required for DRI.])) # put all the necessary libs together - DRI_LIB_DEPS="$LIBDRM_LIBS $EXPAT_LIB -lm -lpthread -ldl" + DRI_LIB_DEPS="$SELINUX_LIBS $LIBDRM_LIBS $EXPAT_LIB -lm -lpthread -ldl" fi AC_SUBST(DRI_DIRS) AC_SUBST(EXPAT_INCLUDES) @@ -574,7 +585,7 @@ case "$mesa_driver" in osmesa) # only link librararies with osmesa if shared if test "$enable_static" = no; then - OSMESA_LIB_DEPS="-lm -lpthread" + OSMESA_LIB_DEPS="-lm -lpthread $SELINUX_LIBS" else OSMESA_LIB_DEPS="" fi 
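Review bot: `MESA_SELINUX` is assigned by both AC_ARG_ENABLE actions but never read — the condition on the following line tests `$enable_selinux`, which autoconf sets from the option by itself — so one of the two variables is dead and the pair should agree, e.g. `if test "x$MESA_SELINUX" = "xyes"; then`. Separately, `AC_CHECK_LIB(selinux,is_selinux_enabled,,` leaves action-if-found empty, and autoconf then applies its default of prepending `-lselinux` to LIBS and defining HAVE_LIBSELINUX, so the library ends up linked through LIBS as well as through `$SELINUX_LIBS`; an explicit no-op action such as `[:]` keeps the dependency confined to SELINUX_LIBS as the rest of the hunk intends. Note also that the probe only confirms `is_selinux_enabled`, while the C side added in this commit also calls `security_get_boolean_active`/`security_get_boolean_pending`; any libselinux with the header should have them, but the configure check does not prove it.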
diff --git a/src/mesa/main/execmem.c b/src/mesa/main/execmem.c index 40f66d7da2..b40a2de8fa 100644 --- a/src/mesa/main/execmem.c +++ b/src/mesa/main/execmem.c @@ -47,6 +47,10 @@ #include #include "mm.h" +#ifdef MESA_SELINUX +#include +#endif + #define EXEC_HEAP_SIZE (10*1024*1024) _glthread_DECLARE_STATIC_MUTEX(exec_mutex); @@ -55,9 +59,17 @@ static struct mem_block *exec_heap = NULL; static unsigned char *exec_mem = NULL; -static void +static int init_heap(void) { +#ifdef MESA_SELINUX + if (is_selinux_enabled()) { + if (!security_get_boolean_active("allow_execmem") || + !security_get_boolean_pending("allow_execmem")) + return 0; + } +#endif + if (!exec_heap) exec_heap = mmInit( 0, EXEC_HEAP_SIZE ); @@ -65,6 +77,8 @@ init_heap(void) exec_mem = (unsigned char *) mmap(0, EXEC_HEAP_SIZE, PROT_EXEC | PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + + return (exec_mem != NULL); } @@ -76,7 +90,8 @@ _mesa_exec_malloc(GLuint size) _glthread_LOCK_MUTEX(exec_mutex); - init_heap(); + if (!init_heap()) + goto bail; if (exec_heap) { size = (size + 31) & ~31; @@ -87,7 +102,8 @@ _mesa_exec_malloc(GLuint size) addr = exec_mem + block->ofs; else _mesa_printf("_mesa_exec_malloc failed\n"); - + +bail: _glthread_UNLOCK_MUTEX(exec_mutex); return addr; -- cgit v1.2.3
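Review bot: `security_get_boolean_active()` and `security_get_boolean_pending()` return -1 when the boolean cannot be read (no `allow_execmem` in the loaded policy — the name is policy-specific — selinuxfs not mounted, or EACCES), and `!(-1)` is false, so the new guard treats a lookup failure as permission granted and falls through to the W+X mmap, the very case the commit sets out to avoid. Compare against the success value explicitly, e.g. `if (security_get_boolean_active("allow_execmem") != 1) return 0;`; the pending check can arguably be dropped, since a set-but-uncommitted value does not change the kernel's current AVC decision, and `is_selinux_enabled()` has the same tri-state result and is likewise taken as true on -1. The check also sits before the `if (!exec_heap)` guard, so every `_mesa_exec_malloc()` call pays for selinuxfs reads even after the heap exists; caching the decision in a static next to `exec_heap` would be cheaper and keeps behaviour stable if the boolean is toggled at runtime. `init_heap` continues past this hunk.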
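Review bot: `return (exec_mem != NULL);` cannot detect a failed mmap, because mmap returns `MAP_FAILED` (`(void *)-1`) rather than NULL; when the kernel refuses the `PROT_EXEC|PROT_READ|PROT_WRITE` mapping — the SELinux execmem denial this patch is about, or plain ENOMEM — `init_heap` reports success, `exec_mem` is left as `(unsigned char *)-1`, and `_mesa_exec_malloc` goes on to compute `addr = exec_mem + block->ofs`, handing a near-wraparound pointer to the caller as executable memory. Normalise the sentinel before the new return: `if (exec_mem == MAP_FAILED) exec_mem = NULL;` followed by `return exec_mem != NULL;`. Resetting to NULL also lets the `if (!exec_mem)` guard that presumably precedes the mmap (it is outside this hunk) retry on the next call instead of reusing the bad value. The function's opening and the mmap guard lie outside the hunk.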