Skip to content
This repository was archived by the owner on Jan 6, 2025. It is now read-only.

get_min_address: Do not shorten if SELinux enabled. Fixes 4 tests on RedHat 7. #136

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

get_min_address: Do not shorten if SELinux enabled. Fixes 4 tests on RedHat 7. #136

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
92 changes: 90 additions & 2 deletions src/intercept_desc.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -545,6 +545,89 @@ crawl_text(struct intercept_desc *desc)
intercept_disasm_destroy(context);
}

/*
* get_selinux_enforced
* Identifies if SELinux is active on the system.
*/
static int
get_selinux_enforced(void)
{
static int selinux_enforced = -1;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that this function will only be called once I don't see a reason to cache the result like this.


if (selinux_enforced != -1)
return selinux_enforced;

selinux_enforced = 0;

int fd = syscall_no_intercept(SYS_open, "/proc/mounts",
O_RDONLY);
if (fd >= 0) {
char *selinux_path = 0;
size_t selinux_path_len;

/* parse /proc/mounts to find selinux_mnt */
char line[1024];
size_t off = 0;
ssize_t r = syscall_no_intercept(
SYS_read, fd, line, sizeof(line));
size_t len = r;
while (r > 0) {
char *mntpt = (char *)memchr(
line + off, ' ', len - off);
char *fstype = mntpt ? (char *)memchr(
mntpt + 1, ' ',
line + len - mntpt) : 0;
char *next = fstype ? (char *)memchr(
fstype + 1, '\n',
line + len - fstype) : 0;
if (!next) {
len -= off;
memmove(line, line + off, len);
off = 0;
r = syscall_no_intercept(
SYS_read, fd, line + len,
sizeof(line) - len);
len += r;
} else {
if (memcmp(fstype, " selinuxfs ",
strlen(" selinuxfs ")) == 0) {
++ mntpt;
selinux_path_len = fstype - mntpt;
memmove(line, mntpt, selinux_path_len);
selinux_path = line;
break;
}
off = next + 1 - line;
}
}

syscall_no_intercept(SYS_close, fd);

if (selinux_path) {
/* read mode from /enforce file */
memcpy(selinux_path + selinux_path_len, "/enforce",
strlen("/enforce") + 1);
fd = syscall_no_intercept(
SYS_open, selinux_path, O_RDONLY);

if (fd >= 0) {
char mode;

r = syscall_no_intercept(
SYS_read, fd, &mode, 1);

if (r > 0 && mode == '1') {
selinux_enforced = 1;
}

syscall_no_intercept(SYS_close, fd);
}
}
}

return selinux_enforced;
}

/*
* get_min_address
* Looks for the lowest address that might be mmap-ed. This is
Expand All @@ -559,18 +642,23 @@ get_min_address(void)
if (min_address != 0)
return min_address;

min_address = 0x10000; /* best guess */
min_address = 0x10000; /* common value for CONFIG_LSM_MMAP_MIN_ADDR */

int fd = syscall_no_intercept(SYS_open, "/proc/sys/vm/mmap_min_addr",
O_RDONLY);

if (fd >= 0) {
static uintptr_t proc_min_address;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't need to be static either.

char line[64];
ssize_t r;
r = syscall_no_intercept(SYS_read, fd, line, sizeof(line) - 1);
if (r > 0) {
line[r] = '\0';
min_address = (uintptr_t)atoll(line);
proc_min_address = (uintptr_t)atoll(line);

if (proc_min_address >= min_address ||
!get_selinux_enforced())
min_address = proc_min_address;
}

syscall_no_intercept(SYS_close, fd);
Expand Down