Bug 1290432
Summary: | PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Lautrbach <plautrba> |
Component: | pcre | Assignee: | Petr Pisar <ppisar> |
Status: | CLOSED CANTFIX | QA Contact: | BaseOS QE - Apps <qe-baseos-apps> |
Severity: | medium | Docs Contact: | Vladimír Slávik <vslavik> |
Priority: | medium | ||
Version: | 7.2 | CC: | carl, jkejda, mgrepl, mjahoda, phracek, plautrba, ppisar, qe-baseos-daemons, rcollet, ssekidde |
Target Milestone: | rc | Keywords: | FutureFeature |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
URL: | https://bugs.exim.org/show_bug.cgi?id=1749 | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Known Issue | |
Doc Text: |
Performance of regular expressions cannot be boosted with the JIT technique if executable stack is disabled
When the *SELinux* policy disallows executable stack, the *PCRE* library cannot use JIT compilation to speed up regular expressions. As a result, attempting JIT compilation for regular expressions is ignored and their performance is not boosted.
To work around this problem, amend the *SELinux* policy with a rule for enabling the "execmem" action on affected *SELinux* domains to enable JIT compilation. Some of the rules are already provided and can be enabled by specific SELinux booleans. To list these booleans, see the output of the following command:
getsebool -a | grep execmem
An alternative workaround is changing application code to not request JIT compilation with calls to the *pcre_study()* function.
|
Story Points: | --- |
Clone Of: | 1290205 | Environment: | |
Last Closed: | 2018-03-02 14:48:02 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1298243, 1420851 |
Description
Petr Lautrbach
2015-12-10 13:55:48 UTC
pcre-8.32-15.el7 is affected. Enhancement request forwarded to PCRE upstream <https://bugs.exim.org/show_bug.cgi?id=1749>. Notice: this may also affects rh-php70 SCL when pcre.jit=1 (but default value is 0) Upstream is working on the double mapping technique (currently x86, x86_64 and aarch64 JIT compilers work). But the technique has a drawback of a need for temporary files. If a process is not allowed to create them, the JIT compilation will fail. Therefore PCRE applications are still will be advised to cope with unavailable JIT at run time. We tried hard together with PCRE authors to bring a reliable solution. However it turned there are corner cases where it does not work (multi-threaded applications calling fork()). At the end any solution would actually break the security hardening: If a policy disallows modifying an executable memory, then it's on a purpose. Just-in-time compilation is intrinsically incompatible with this restriction and the tested imperfect implementation only relied on imperfect policy enforcement in the Linux kernel. Therefore we officially decline this request for enhancing pcre package. This resolution applies to pcre as well as to pcre2 software. Users who want to benefit from a JIT have to enable execmem action on affected SELinux domains (or stop enforcing noexecmem global policy). If users are missing such knob in existing SELinux policy (getsebool -a | grep execmem), they should report a future request against the affected program or against selinux-policy Bugzilla component. |