Bug 1723951

Summary: libffi: Try the /run directory when searching for the exec tmpdir on hardened systems
Product: Red Hat Enterprise Linux 8
Reporter: DJ Delorie <dj>
Component: libffi
Assignee: DJ Delorie <dj>
Status: CLOSED ERRATA
QA Contact: Michal Kolar <mkolar>
Severity: unspecified
Docs Contact: Zuzana Zoubkova <zzoubkov>
Priority: unspecified
Version: 8.2
CC: codonell, dj, fkrska, fweimer, jskarvad, lmanasko, mcermak, qe-baseos-tools-bugs, vmukhame
Target Milestone: rc
Keywords: FutureFeature, Patch, Triaged
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: libffi-3.1-22.el8
Doc Type: Enhancement
Doc Text:
An additional libffi-specific temporary directory is available now
Previously, on hardened systems, the system-wide temporary directories may not have had permissions suitable for use with the `libffi` library. With this enhancement, system administrators can now set the `LIBFFI_TMPDIR` environment variable to point to a libffi-specific temporary directory that has both `write` and `exec` mount or SELinux permissions.
Story Points: ---
Clone Of: 1722756
Environment:
Last Closed: 2020-11-04 01:54:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1722756
Bug Blocks: 1819440, 1825061

Description DJ Delorie 2019-06-25 20:30:17 UTC
+++ This bug was initially created as a clone of Bug #1722756 +++

Description of problem:
libffi code searches for a tmpdir with exec to write and execute its temporary files from there. On hardened systems with most of the mounts mounted with noexec, it can fall through the explicit list of candidate dirs to the mtab search and then it can take the root directory ('/'), which will result in SELinux AVCs. As most systems have /run mounted with exec, it could be worth adding it to the explicit list of candidates. Well, it will not solve the problem for everybody, because the FHS doesn't say anything about exec/noexec of /run, so customers could remount it noexec, but it would definitely be an improvement.

Version-Release number of selected component (if applicable):
libffi-3.0.13-18.el7.x86_64 

How reproducible:
Always

Steps to Reproduce:
1. check the code

Actual results:
/run is not in the explicit search list

Expected results:
/run could be in the explicit search list

--- Additional comment from Florian Weimer on 2019-06-21 05:28:23 EDT ---

I think the way forward here is to switch to a trampoline which does not need run-time code generation, only mapping of fixed, pre-compiled code.  Then all that dual-mapping and cache-flushing code can go away.

--- Additional comment from Carlos O'Donell on 2019-06-25 12:00:03 EDT ---

In RHEL7 we should just add the extra search directory and stop there, but in later releases we may have the opportunity to rework libffi.
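
The fall-through the description refers to, simulated over a constructed mount table so the noexec behaviour can be seen without touching a real host. This is an added example written for this page, not libffi's own code: the candidate order (LIBFFI_TMPDIR and TMPDIR, then /tmp, /var/tmp, /dev/shm, optionally /run, then HOME, then a walk of the mount table) is an approximation of the search in libffi's closures.c, and the real code additionally checks that each directory exists and is writable, which this simulation skips. The sample mount table, the environment dictionaries and all function names are constructed for the example.

```python
"""Simulate libffi's search for a write+exec temp directory (added example)."""

# Constructed /proc/mounts-style sample for a hardened host: every usual
# temp location is noexec, /run is exec, and "/" is a plain rw root.
SAMPLE_MOUNTS = """\
/dev/mapper/root / xfs rw,seclabel,relatime 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,noexec 0 0
/dev/mapper/vartmp /var/tmp xfs rw,seclabel,noexec,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,noexec 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,mode=755 0 0
/dev/mapper/home /home xfs rw,seclabel,noexec,nosuid,nodev 0 0
"""


def parse_mounts(text):
    """Return {mountpoint: set(options)} in table order from /proc/mounts-style text."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mountpoint = parts[1].replace("\\040", " ")  # /proc/mounts escapes spaces
        table[mountpoint] = set(parts[3].split(","))
    return table


def mount_for(path, table):
    """Longest mountpoint that is a prefix of path, i.e. the mount that governs it."""
    best = "/"
    for mp in table:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def is_exec(path, table):
    """True when the mount governing path is rw and not noexec."""
    opts = table.get(mount_for(path, table), set())
    return "noexec" not in opts and "rw" in opts


def candidate_dirs(env, include_run=True):
    """Explicit candidate list (approximation of libffi's order; assumption)."""
    cands = [env[var] for var in ("LIBFFI_TMPDIR", "TMPDIR") if env.get(var)]
    cands += ["/tmp", "/var/tmp", "/dev/shm"]
    if include_run:
        cands.append("/run")  # the directory this bug asks to add
    if env.get("HOME"):
        cands.append(env["HOME"])
    return cands


def select_exec_tmpdir(env, table, include_run=True):
    """Return (directory, how) where how is 'candidate', 'mtab' or 'none'."""
    for d in candidate_dirs(env, include_run):
        if is_exec(d, table):
            return d, "candidate"
    # Fallback: walk the mount table and take the first rw, exec mountpoint.
    # On the sample host this is "/", the outcome the bug report describes.
    for mp, opts in table.items():
        if "rw" in opts and "noexec" not in opts:
            return mp, "mtab"
    return None, "none"


def report(env, table):
    """Show what the search picks with and without /run, and with LIBFFI_TMPDIR."""
    rows = {
        "without /run": select_exec_tmpdir(env, table, include_run=False),
        "with /run": select_exec_tmpdir(env, table),
        "LIBFFI_TMPDIR set": select_exec_tmpdir(
            dict(env, LIBFFI_TMPDIR="/run/libffi"), table),
    }
    for label, (chosen, how) in rows.items():
        print(f"{label:>18}: {chosen} (via {how})")
    return rows


if __name__ == "__main__":
    report({"HOME": "/home/app"}, parse_mounts(SAMPLE_MOUNTS))
```

Running the module prints the three outcomes side by side: with the original candidate list the search ends in the mtab walk and picks "/", adding /run stops the fall-through, and LIBFFI_TMPDIR (pointing at an exec-capable directory the administrator created) wins outright. On a live host the same logic can be fed the real /proc/mounts to check, before enabling the variable, that the chosen directory is actually mounted exec.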

Comment 4 Michal Kolar 2020-07-27 14:19:28 UTC
Verified against libffi-3.1-22.el8.

Comment 7 errata-xmlrpc 2020-11-04 01:54:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libffi bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4515