From 350758b887853ed6ab8bfa5e6687017b40033f40 Mon Sep 17 00:00:00 2001
From: shiyunli
Date: Tue, 15 Oct 2024 16:12:51 +0800
Subject: [PATCH 1/2] fix
Signed-off-by: shiyunli
---
 xpm/core/xpm_security_hooks.c | 11 +++++++++--
 xpm/validator/exec_signature_info.c | 14 ++++++++------
 2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/xpm/core/xpm_security_hooks.c b/xpm/core/xpm_security_hooks.c
index bb60507..ba12873 100644
--- a/xpm/core/xpm_security_hooks.c
+++ b/xpm/core/xpm_security_hooks.c
@@ -309,14 +309,21 @@ static int xpm_check_prot(struct vm_area_struct *vma, unsigned long prot)
 /* check for xpm region vma prot */
 if (vma->vm_flags & VM_XPM) {
- if (is_anon || (prot & PROT_EXEC)) {
- xpm_log_error("xpm region mmap not allow anonymous or exec permission");
+ if (is_anon) {
+ vma->vm_flags &= ~VM_XPM;
+ goto next_check;
+ }
+
+ if ((prot & PROT_WRITE) || (prot & PROT_EXEC)) {
+ xpm_log_error("xpm region mmap not allow write or exec permission");
+ report_mmap_event("xpm_check", TYPE_ABC, vma, prot);
 return -EPERM;
 }
 return 0;
 }
+next_check:
 /* check for anonymous vma prot, anonymous executable permission need
 * controled by selinux */
diff --git a/xpm/validator/exec_signature_info.c b/xpm/validator/exec_signature_info.c
index 9c02c4f..2d0f02e 100644
--- a/xpm/validator/exec_signature_info.c
+++ b/xpm/validator/exec_signature_info.c 
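Review bot: The new anonymous branch in xpm_check_prot turns what was a -EPERM denial into a silent allow: it strips the flag with `vma->vm_flags &= ~VM_XPM;` and jumps to next_check without the xpm_log_error/report_mmap_event pair that the write/exec branch directly below it gets, so an anonymous mapping landing in an XPM region leaves no trace. A permission check is also now mutating the vma's flags as a side effect; whether the caller holds the lock that protects vm_flags cannot be seen from this hunk, and the second patch in this series reverts the whole change, so the intended policy should be settled before either lands. If the relaxation is wanted, at least report it the same way as the denial, e.g. `report_mmap_event("xpm_check", TYPE_ABC, vma, prot);` before the goto. Minor: `if ((prot & PROT_WRITE) || (prot & PROT_EXEC))` reads more simply as `if (prot & (PROT_WRITE | PROT_EXEC))`. xpm_check_prot starts before the hunk.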
@@ -486,13 +486,15 @@ static void insert_new_signature_info(struct inode *file_node, int type,
 RB_CLEAR_NODE(&new_info->rb_node);
 if ((*old_info) != NULL) {
 write_lock(verity->lock);
- rb_erase_node(verity->root, verity->node_count, *old_info);
- (*old_info)->type |= FILE_SIGNATURE_DELETE;
- write_unlock(verity->lock);
- if (atomic_sub_return(1, &(*old_info)->reference) <= 0) {
- kfree(*old_info);
- *old_info = NULL;
+ if ((*old_info) != NULL) {
+ if (atomic_sub_return(1, &(*old_info)->reference) <= 0) {
+ rb_erase_node(verity->root, verity->node_count, *old_info);
+ (*old_info)->type |= FILE_SIGNATURE_DELETE;
+ kfree(*old_info);
+ *old_info = NULL;
+ }
 }
+ write_unlock(verity->lock);
 }
 write_lock(verity->lock);
--
Gitee
From 03ed4f4dc57719a41a235dab536fc245b21ce39d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=96=BD=E8=BF=90=E7=90=86?=
Date: Thu, 17 Oct 2024 13:20:42 +0000
Subject: [PATCH 2/2] update xpm/core/xpm_security_hooks.c.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 施运理
---
 xpm/core/xpm_security_hooks.c | 11 ++--------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/xpm/core/xpm_security_hooks.c b/xpm/core/xpm_security_hooks.c
index ba12873..bb60507 100644
--- a/xpm/core/xpm_security_hooks.c
+++ b/xpm/core/xpm_security_hooks.c
@@ -309,21 +309,14 @@ static int xpm_check_prot(struct vm_area_struct *vma, unsigned long prot)
 /* check for xpm region vma prot */
 if (vma->vm_flags & VM_XPM) {
- if (is_anon) {
- vma->vm_flags &= ~VM_XPM;
- goto next_check;
- }
-
- if ((prot & PROT_WRITE) || (prot & PROT_EXEC)) {
- xpm_log_error("xpm region mmap not allow write or exec permission");
- report_mmap_event("xpm_check", TYPE_ABC, vma, prot);
+ if (is_anon || (prot & PROT_EXEC)) {
+ xpm_log_error("xpm region mmap not allow anonymous or exec permission");
 return -EPERM;
 }
 return 0;
 }
-next_check:
 /* check for anonymous vma prot, anonymous executable permission need
 * controled by selinux */
--
Gitee
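Review bot: When the old entry's reference count does not reach zero, the new code leaves it in the rbtree and unmarked, whereas the replaced lines always erased it and set FILE_SIGNATURE_DELETE before releasing the reference; the following `write_lock(verity->lock);` then inserts new_info for the same inode next to the stale node, and setting `(*old_info)->type |= FILE_SIGNATURE_DELETE;` one line before `kfree` is unobservable to anyone. The inner `if ((*old_info) != NULL)` re-tests a pointer that was tested on the line above and that taking the lock cannot change, unless old_info aliases shared state not visible here. I would keep the erase and the DELETE mark unconditional under the write lock and make only the kfree depend on the refcount, as sketched below; the unlock/relock pair could also become one critical section. insert_new_signature_info continues on both sides of the hunk.
```c
	if ((*old_info) != NULL) {
		write_lock(verity->lock);
		/* unlink and mark before dropping our reference, as the previous code did */
		rb_erase_node(verity->root, verity->node_count, *old_info);
		(*old_info)->type |= FILE_SIGNATURE_DELETE;
		if (atomic_sub_return(1, &(*old_info)->reference) <= 0) {
			kfree(*old_info);
			*old_info = NULL;
		}
		write_unlock(verity->lock);
	}
	/* … unchanged: insertion of new_info under verity->lock … */
```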
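Review bot: The series nets to zero on xpm_security_hooks.c: this hunk is the exact inverse of PATCH 1/2 (index ba12873..bb60507 reverses bb60507..ba12873), so applying both leaves xpm_check_prot byte-identical while the history records a policy relaxation and its reversal. If the first patch's hook change is not wanted, drop it from the series instead of landing both; if it is wanted, this patch should not be applied. The subject `update xpm/core/xpm_security_hooks.c.` also does not say it reverts PATCH 1/2 or why, which is what anyone bisecting later will need. xpm_check_prot starts before the hunk.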