Trivial SELinux awareness. Enable with --enable-selinux.

Avoids AVC warnings when allocating executable memory by first checking if the current process has permission to do so.
2024-11-25 00:09:54 +00:00 · 2008-02-15 13:49:12 -05:00 · 2008-02-15 13:49:12 -05:00 · 66611f2298
commit 66611f2298
parent bf4a0fafc8
2 changed files with 33 additions and 6 deletions
--- a/configure.ac
+++ b/configure.ac
@ -325,6 +325,17 @@ xlib|dri)
    ;;
 esac

+# SELinux awareness.
+AC_ARG_ENABLE(selinux, AS_HELP_STRING([--enable-selinux], [Build SELinux-aware Mesa (default: disabled)]), [MESA_SELINUX=$enableval], [MESA_SELINUX=no])
+if test "x$enable_selinux" = "xyes"; then
+    AC_CHECK_HEADER(selinux/selinux.h,,
+		    AC_MSG_ERROR([SELinux headers not found]))
+    AC_CHECK_LIB(selinux,is_selinux_enabled,,
+		 AC_MSG_ERROR([SELinux library not found]))
+    SELINUX_LIBS="-lselinux"
+    DEFINES="$DEFINES -DMESA_SELINUX"
+fi
+
 dnl
 dnl libGL configuration per driver
 dnl
@ -339,7 +350,7 @@ xlib)
        X11_INCLUDES="$X11_INCLUDES $X_CFLAGS"
        GL_LIB_DEPS="$X_LIBS -lX11 -lXext"
    fi
-    GL_LIB_DEPS="$GL_LIB_DEPS -lm -lpthread"
+    GL_LIB_DEPS="$GL_LIB_DEPS $SELINUX_LIBS -lm -lpthread"

    # if static, move the external libraries to the programs
    # and empty the libraries for libGL
@ -519,7 +530,7 @@ if test "$mesa_driver" = dri; then
        AC_MSG_ERROR([Expat required for DRI.]))

    # put all the necessary libs together
-    DRI_LIB_DEPS="$LIBDRM_LIBS $EXPAT_LIB -lm -lpthread -ldl"
+    DRI_LIB_DEPS="$SELINUX_LIBS $LIBDRM_LIBS $EXPAT_LIB -lm -lpthread -ldl"
 fi
 AC_SUBST(DRI_DIRS)
 AC_SUBST(EXPAT_INCLUDES)
@ -574,7 +585,7 @@ case "$mesa_driver" in
 osmesa)
    # only link librararies with osmesa if shared
    if test "$enable_static" = no; then
-        OSMESA_LIB_DEPS="-lm -lpthread"
+        OSMESA_LIB_DEPS="-lm -lpthread $SELINUX_LIBS"
    else
        OSMESA_LIB_DEPS=""
    fi
--- a/src/mesa/main/execmem.c
+++ b/src/mesa/main/execmem.c
@ -47,6 +47,10 @@
 #include <sys/mman.h>
 #include "mm.h"

+#ifdef MESA_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #define EXEC_HEAP_SIZE (10*1024*1024)

 _glthread_DECLARE_STATIC_MUTEX(exec_mutex);
@ -55,9 +59,17 @@ static struct mem_block *exec_heap = NULL;
 static unsigned char *exec_mem = NULL;


-static void
+static int
 init_heap(void)
 {
+#ifdef MESA_SELINUX
+   if (is_selinux_enabled()) {
+      if (!security_get_boolean_active("allow_execmem") ||
+	  !security_get_boolean_pending("allow_execmem"))
+         return 0;
+   }
+#endif
+
   if (!exec_heap)
      exec_heap = mmInit( 0, EXEC_HEAP_SIZE );
   
@ -65,6 +77,8 @@ init_heap(void)
      exec_mem = (unsigned char *) mmap(0, EXEC_HEAP_SIZE, 
 					PROT_EXEC | PROT_READ | PROT_WRITE, 
 					MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+   return (exec_mem != NULL);
 }


@ -76,7 +90,8 @@ _mesa_exec_malloc(GLuint size)

   _glthread_LOCK_MUTEX(exec_mutex);

-   init_heap();
+   if (!init_heap())
+      goto bail;

   if (exec_heap) {
      size = (size + 31) & ~31;
@ -87,7 +102,8 @@ _mesa_exec_malloc(GLuint size)
      addr = exec_mem + block->ofs;
   else 
      _mesa_printf("_mesa_exec_malloc failed\n");
-   
+
+bail:
   _glthread_UNLOCK_MUTEX(exec_mutex);
   
   return addr;