Bug 582009
Summary: | libffi shipped in python runs afoul of SELinux when embedded in apache | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Toshio Ernie Kuratomi <a.badger> |
Component: | python | Assignee: | Bohuslav "Slavek" Kabrda <bkabrda> |
Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 19 | CC: | dmalcolm, dwalsh, fschwarz, ivazqueznet, james.antill, john.haxby, jonathansteffan, ricky |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-02-17 13:16:58 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Toshio Ernie Kuratomi
2010-04-13 20:14:48 UTC
For reference, you mentioned this bug on IRC: https://dev.openwrt.org/ticket/6192 who worked around it by removing the CFUNCTYPE(c_int)(lambda: None) line from ctypes/__init__.py A simpler reproducer may be a wsgi script that does: import ctypes (i.e. do you need the second line to reproduce it? I don't think you do). My initial thought was to remove the line in our ctypes, given that it's only there as a workaround for a Win64 issue, but presumably the tk fix actually uses ctypes for something. It's unclear to me how to tell libffi which directory to use. The Python-level syntax is: import ctypes not something like import ctypes(tmpdir='/var/run') Potentially we could add an API hook to tell it which directory, but somehow mod_wsgi needs to call it to tell it to work one way, in a way that's different to how /usr/bin/python does it. Another approach might be to patch the MemoryError so that it provides a hint as to the SELinux booleans to tweak. Correct:
> The script should exit with MemoryError when it imports ctypes
Untested, so I included both lines.
Also correct that merely patching ctypes to not do this:
CFUNCTYPE(c_int)(lambda: None)
is just a temporary workaround.... Some app could legitimately use ctypes (or require a module that uses ctypes) that causes the problem.
I was thinking of the directories to use be a hardcoded list in python's libffi/ctypes. So no need to pass in a value. OTOH, passing in a value could work. We'd probably do it something like this:
* Patch ctypes to not call CFUNCTYPE(c_int)(lambda: None) as that's a hack that's causing us issues.
* Add an API call to tell which directory or a list of directories to try. The code then looks like:
import ctypes
ctypes.set_ffi_dir(['/var/tmp', '/var/run/httpd'])
* mod_wsgi and mod_python could be configured to call set_ffi_dir() but another possibility is for the application code to call set_ffi_dir(). As long as this occurs before any python code runs a problematic ctypes function it's not too bad. Although it still leaves us with a documentation issue.
* Simply patching the MemoryError doesn't seem like the best solution (as tweaking the boolean means apache can read anything in /tmp while these fixes limit it to a directory especially for this case) but it does address getting the documentation of what's going on out there. If it's simple, we might want to do it as a temporary measure.
Ricky found that this affects the Fedora Account System as well. That path lead through the tgcaptcha plugin. Since PIL is pretty much the only python package that manipulates images, it's a good guess that all python-based captcha software will hit this bug. This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle. Changing version to '14'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Not yet fixed ping? I'm seeing this in F16. I get this from httpd: open("/dev/shm/ffifu9bni", O_RDWR|O_CREAT|O_EXCL, 0600) = 24 unlink("/dev/shm/ffifu9bni") = 0 ftruncate(24, 4096) = 0 mmap(NULL, 4096, PROT_READ|PROT_EXEC, MAP_SHARED, 24, 0) = -1 EACCES (Permission denied) close(24) = 0 which seems to be exactly the same problem. See further notes in bug 814391 (which is filed against RHEL 6) Downstream removal of the: CFUNCTYPE(c_int)(lambda: None) line committed to python "master" for Fedora 18. http://pkgs.fedoraproject.org/gitweb/?p=python.git;a=commitdiff;h=7461fe5163d36a83893db6a696f5cc6a74cb6b51 Building python-2.7.3-4.fc18 for dist-rawhide Task info: http://koji.fedoraproject.org/koji/taskinfo?taskID=4009760 I checked Python 3.2.3, and it exhibits the same behavior: python3 -m test.test_uuid only allocates a single thunk, and only because of that Win64 workaround. I've committed a similar downstream removal of that line for "python3" in Fedora 18: http://pkgs.fedoraproject.org/gitweb/?p=python3.git;a=commitdiff;h=8a28107df1670a03a12cf6a7787160f103d8d8c8 Building python3-3.2.3-4.fc18 for dist-rawhide Task info: http://koji.fedoraproject.org/koji/taskinfo?taskID=4009802 Also pushed to python on f17 and building: Building python-2.7.3-4.fc17 for f17-candidate Task info: http://koji.fedoraproject.org/koji/taskinfo?taskID=4009876 I can confirm that patching ctypes/__init__.py as above also eliminates the thunk allocation for doing: "from PIL import Image" in the initial report (which again comes from "import ctypes", via "FixTk"). This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19 This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. Dave can't we close this as won't fix, and if you run apache with this python module you have to turn on the httpd_execmem boolean? We could but it strikes me as a bit insecure. Also, when reported, it was httpd_tmp_exec but maybe libffi detects on the fly that it can't execmem and fallsback to a temporary file? I haven't tested. This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |