Bug 488396

Summary: python ctypes triggers selinux execmem denial
Product: [Fedora] Fedora
Reporter: Adam Goode <adam>
Component: python
Assignee: James Antill <james.antill>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: ivazqueznet, james.antill, jonathansteffan, jorton, psplicha
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-08-30 23:12:12 UTC
Bug Depends On: 490573    
Bug Blocks: 481453, 489239, 516996    
Attachments:
Patch to use selinux-friendly libffi alloc/free (requires system libffi) (flags: none)

Description Adam Goode 2009-03-04 03:47:41 UTC
Description of problem:
ctypes doesn't import.


Version-Release number of selected component (if applicable):
python-2.6-5.fc11.x86_64

How reproducible:
Always.


Steps to Reproduce:
1. python
2. import ctypes
  

Actual results:
>>> import ctypes
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.6/ctypes/__init__.py", line 546, in <module>
    CFUNCTYPE(c_int)(lambda: None)
MemoryError

Comment 1 Adam Goode 2009-03-16 02:26:45 UTC
This is caused by line 73 of malloc_closure.c. SELinux won't allow PROT_WRITE and PROT_EXEC on mmap. Any problems with patching this line to remove the PROT_EXEC?

Or is this known and required, and I am simply mislabeled?

Comment 2 Adam Goode 2009-03-17 02:09:37 UTC
Just removing PROT_EXEC causes a segfault instead. I'm guessing libffi writes some glue here.

Oddly enough, this should be failing at least sometimes on F10, but I cannot get selinux to reject my execmem request, even though the booleans are set.

Comment 3 Adam Goode 2009-03-17 02:14:05 UTC
Basically, something like this must be implemented:
http://gcc.gnu.org/ml/java-patches/2007-q1/msg00089.html

Comment 4 Adam Goode 2009-03-17 02:39:21 UTC
Ok, the solution is to remove malloc_closure.c and use ffi_closure_alloc and ffi_closure_free. libffi has the correct support for selinux and does execmem in a safe way. I will see if I have time to whip up a patch.

Comment 5 Adam Goode 2009-03-17 04:18:50 UTC
Created attachment 335477
Patch to use selinux-friendly libffi alloc/free (requires system libffi)

Comment 6 James Antill 2009-03-17 14:20:11 UTC
It looks like we're between a rock and a hard place here, as this looks like it's changing the API and ABI for ctypes. Saying that nothing outside of the ctypes.so seems to use it. We could also minimize the change by keeping the variable pcl and putting pcl_exec at the end of the struct.

It'd be nice if you could get this upstream :).

Jeremy, ivazquez ... opinions?

Comment 7 Adam Goode 2009-03-17 15:01:31 UTC
Interesting. I don't believe that this changes API, since ctypes.h is not installed anywhere, and the Python interfaces don't seem to change. You can verify this by doing in Python:

>>> import _ctypes
>>> dir(_ctypes)

And the ABI is I believe safe too, since I think CThunkObject is completely private and only used internally to the module, not exposed anywhere.

I am not 100% sure I didn't miss something.

As a side note, building with system libffi definitely changes the ABI, since ffi functions are no longer exported from this module. But I would say _ctypes.so is a totally private thing, and so this doesn't matter. It starts with an underscore after all.

Comment 8 Adam Goode 2009-03-18 03:58:44 UTC
http://bugs.python.org/issue5504 is the upstream bug.

Comment 9 James Antill 2009-03-18 14:23:09 UTC
Cool, thanks.

I built it into rawhide after comment#7 and some more grepping, so it should be fixed now. Can you test?

Comment 10 Adam Goode 2009-03-18 15:06:22 UTC
Yes, it looks good now. I had to pull from koji, since it is not tagged into the f11-beta.

Comment 11 James Antill 2009-03-18 18:10:38 UTC
Added rel-eng request to tag into the beta:

https://fedorahosted.org/rel-eng/ticket/1400

Comment 12 Bug Zapper 2009-06-09 11:50:44 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 13 Joe Orton 2009-09-09 21:39:04 UTC
Is this supposed to be fixed in current F11 python?

I'm seeing an apparently ffi-related execmem denial with a django app in F11, which I just extended to use ctypes.

python-2.6-9.fc11.x86_64

open("/tmp/ffiUce9Wm", O_RDWR|O_CREAT|O_EXCL, 0600) = 24
unlink("/tmp/ffiUce9Wm")                = 0
ftruncate(24, 4096)                     = 0
mmap(NULL, 4096, PROT_READ|PROT_EXEC, MAP_SHARED, 24, 0) = -1 EACCES (Permission denied)
close(24)                               = 0

shortly after _ctypes.so was loaded - will try to narrow down to a repro case.
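
The two mapping strategies this thread discusses, as an added example that is not part of the original bug report or of libffi's source: `try_wx_anonymous` requests the single writable-and-executable mapping described in comment 1, and `try_dual_mapping` repeats the syscall sequence from the strace in comment 13 and adds a second, writable view of the same file. The function names, the directory argument and the 0xA5 marker byte are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Comment 1's case: one anonymous mapping, writable and executable at once.
 * Returns 0 if the kernel allows it, -errno if it is refused. */
int try_wx_anonymous(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -errno;
    munmap(p, len);
    return 0;
}

/* Comment 13's sequence in `dir`: unlinked temp file, an R+X view, then an
 * R+W view of the same pages. Returns 1 if bytes written through R+W are
 * readable through R+X, 0 if not, -errno if a step is refused. */
int try_dual_mapping(const char *dir, size_t len)
{
    char path[4096];
    unsigned char *rx, *rw;
    int fd, rc;
    snprintf(path, sizeof path, "%s/ffiXXXXXX", dir);
    if ((fd = mkstemp(path)) < 0) return -errno;
    unlink(path);
    rc = ftruncate(fd, (off_t)len) < 0 ? -errno : 0;
    rx = rc ? MAP_FAILED : mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    if (!rc && rx == MAP_FAILED) rc = -errno;   /* the strace's EACCES */
    rw = rc ? MAP_FAILED : mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (!rc && rw == MAP_FAILED) rc = -errno;
    close(fd);
    if (!rc) {
        memset(rw, 0xA5, len);   /* marker bytes only; nothing is executed */
        rc = (rx[0] == 0xA5 && rx[len - 1] == 0xA5);
    }
    if (rx != MAP_FAILED) munmap(rx, len);
    if (rw != MAP_FAILED) munmap(rw, len);
    return rc;
}

int main(void)
{
    printf("W+X anonymous: %d, dual mapping in /tmp: %d\n",
           try_wx_anonymous(4096), try_dual_mapping("/tmp", 4096));
    return 0;
}
```

A negative return is the errno of the refused step, so a policy denial shows up as `-EACCES` from whichever function made the refused request.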

Comment 14 Joe Orton 2009-09-11 08:34:19 UTC
Filed bug 522731 for the fact that ctypes still breaks if used with httpd in an embedded interpreter.