Trivial SELinux awareness. Enable with --enable-selinux.

Avoids AVC warnings when allocating executable memory by first checking
if the current process has permission to do so.

diff --git a/configure.ac b/configure.ac
index 89328486b4a570f7e3fa7b770aa1a9642e4e44ef..19f9fcfcb009cd33ad3d673f765b8f459a733f5d 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -325,6 +325,17 @@ xlib|dri)
     ;;
 esac
 
+# SELinux awareness.
+AC_ARG_ENABLE(selinux, AS_HELP_STRING([--enable-selinux], [Build SELinux-aware Mesa (default: disabled)]), [MESA_SELINUX=$enableval], [MESA_SELINUX=no])
+if test "x$enable_selinux" = "xyes"; then
+    AC_CHECK_HEADER(selinux/selinux.h,,
+                   AC_MSG_ERROR([SELinux headers not found]))
+    AC_CHECK_LIB(selinux,is_selinux_enabled,,
+                AC_MSG_ERROR([SELinux library not found]))
+    SELINUX_LIBS="-lselinux"
+    DEFINES="$DEFINES -DMESA_SELINUX"
+fi
+
 dnl
 dnl libGL configuration per driver
 dnl
@@ -339,7 +350,7 @@ xlib)
         X11_INCLUDES="$X11_INCLUDES $X_CFLAGS"
         GL_LIB_DEPS="$X_LIBS -lX11 -lXext"
     fi
-    GL_LIB_DEPS="$GL_LIB_DEPS -lm -lpthread"
+    GL_LIB_DEPS="$GL_LIB_DEPS $SELINUX_LIBS -lm -lpthread"
 
     # if static, move the external libraries to the programs
     # and empty the libraries for libGL
@@ -519,7 +530,7 @@ if test "$mesa_driver" = dri; then
         AC_MSG_ERROR([Expat required for DRI.]))
 
     # put all the necessary libs together
-    DRI_LIB_DEPS="$LIBDRM_LIBS $EXPAT_LIB -lm -lpthread -ldl"
+    DRI_LIB_DEPS="$SELINUX_LIBS $LIBDRM_LIBS $EXPAT_LIB -lm -lpthread -ldl"
 fi
 AC_SUBST(DRI_DIRS)
 AC_SUBST(EXPAT_INCLUDES)
@@ -574,7 +585,7 @@ case "$mesa_driver" in
 osmesa)
     # only link librararies with osmesa if shared
     if test "$enable_static" = no; then
-        OSMESA_LIB_DEPS="-lm -lpthread"
+        OSMESA_LIB_DEPS="-lm -lpthread $SELINUX_LIBS"
     else
         OSMESA_LIB_DEPS=""
     fi

diff --git a/src/mesa/main/execmem.c b/src/mesa/main/execmem.c
index 40f66d7da2d5d64b94ece7cd14908694630239e4..b40a2de8fa42bc5dbfc7480bbe50e3d77a0681a1 100644 (file)
--- a/src/mesa/main/execmem.c
+++ b/src/mesa/main/execmem.c
@@ -47,6 +47,10 @@
 #include <sys/mman.h>
 #include "mm.h"
 
+#ifdef MESA_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #define EXEC_HEAP_SIZE (10*1024*1024)
 
 _glthread_DECLARE_STATIC_MUTEX(exec_mutex);
@@ -55,9 +59,17 @@ static struct mem_block *exec_heap = NULL;
 static unsigned char *exec_mem = NULL;
 
 
-static void
+static int
 init_heap(void)
 {
+#ifdef MESA_SELINUX
+   if (is_selinux_enabled()) {
+      if (!security_get_boolean_active("allow_execmem") ||
+         !security_get_boolean_pending("allow_execmem"))
+         return 0;
+   }
+#endif
+
    if (!exec_heap)
       exec_heap = mmInit( 0, EXEC_HEAP_SIZE );
    
@@ -65,6 +77,8 @@ init_heap(void)
       exec_mem = (unsigned char *) mmap(0, EXEC_HEAP_SIZE, 
                                        PROT_EXEC | PROT_READ | PROT_WRITE, 
                                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+   return (exec_mem != NULL);
 }
 
 
@@ -76,7 +90,8 @@ _mesa_exec_malloc(GLuint size)
 
    _glthread_LOCK_MUTEX(exec_mutex);
 
-   init_heap();
+   if (!init_heap())
+      goto bail;
 
    if (exec_heap) {
       size = (size + 31) & ~31;
@@ -87,7 +102,8 @@ _mesa_exec_malloc(GLuint size)
       addr = exec_mem + block->ofs;
    else 
       _mesa_printf("_mesa_exec_malloc failed\n");
-   
+
+bail:
    _glthread_UNLOCK_MUTEX(exec_mutex);
    
    return addr;