Bug 1271501 - p11-kit utilizes libffi which cannot be used without executable+writable memory
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: p11-kit
Version: 26
Assigned To: Daiki Ueno
QA Contact: Fedora Extras Quality Assurance
Depends On: 1265106
Blocks: 1236526
Reported: 2015-10-14 03:44 EDT by Nikos Mavrogiannopoulos
Modified: 2017-05-02 09:47 EDT
Fixed In Version: p11-kit-0.23.5-1.fc26
Doc Type: Bug Fix
Last Closed: 2017-05-02 09:47:26 EDT
Type: Bug
External Trackers
Tracker: FreeDesktop.org, ID: 97611, Last Updated: 2017-05-02 09:47 EDT
Description Nikos Mavrogiannopoulos 2015-10-14 03:44:38 EDT
Description of problem:
P11-kit cannot be used by applications such as apache which are under a strict SELinux policy which prevents executable+writable memory.

That is, because it relies on libffi, which uses a temp file to mmap memory for execution, and that's blocked by SELinux's policy. I find the policy of blocking execution in tmp quite reasonable, so I think that libffi and p11-kit are to blame here.

That issue is not there when SELinux is set to not enforcing. The
SELinux warning is:

"SELinux is preventing /usr/sbin/httpd from execute access on the file
/tmp/ffisox7RN (deleted)."


Possible solutions were discussed in the upstream thread at:
http://lists.freedesktop.org/archives/p11-glue/2015-September/000576.html
Comment 1 Stef Walter 2015-10-14 03:50:08 EDT
> P11-kit cannot be used by applications such as apache which are under a strict SELinux policy which prevents executable+writable memory.

Such applications can currently use the P11_KIT_UNMANAGED module loading option. This disables many of the features of p11-kit ... but that's to be expected, since those features are enabled by the closure support in libffi.
Comment 2 Nikos Mavrogiannopoulos 2015-10-14 04:11:31 EDT
The problem is that the applications don't even know they are using p11-kit. The way we go with transparent PKCS #11 support (in gnutls or engine_pkcs11) means that applications can't switch to unmanaged.

For engine_pkcs11 it is even worse because it relies on the proxy module which requires libffi.
Comment 3 Tomas Mraz 2015-10-14 04:50:51 EDT
Could the proxying be done out-of-process? Split the proxy module and call the real modules in a different process which would also solve the isolated keys problem.
Comment 4 Nikos Mavrogiannopoulos 2015-10-14 07:28:42 EDT
(In reply to Tomas Mraz from comment #3)
> Could the proxying be done out-of-process? Split the proxy module and call
> the real modules in a different process which would also solve the isolated
> keys problem.

Yes that could be a possible solution.
Comment 5 Stef Walter 2015-10-14 15:21:34 EDT
One of the reasons we use libffi closures is remoting PKCS#11. Hence I don't think that would be an easy solution.

We should probably just break down and manually build in a fixed set of compiled closures into the p11-kit library that we can use when generating closures dynamically with libffi fails.
Comment 6 Nikos Mavrogiannopoulos 2015-10-15 02:55:43 EDT
Another solution which is relevant for the apache/nginx use case, is having the proxy module in unmanaged mode if managed mode cannot be initialized. In these use-cases we don't have multiple consumers of PKCS #11 to care about managed mode.

That would also be a solution for mod_gnutls. If p11-kit cannot initialize the modules in managed mode and switches to unmanaged mode it would work.

That would effectively allow the operation of p11-kit without libffi.
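
The mechanism from the description and the fallback proposed in comment 6, as an added example that is not part of the bug thread and not p11-kit or libffi code: it maps a deleted temp file once writable and once executable, the pattern the description attributes to libffi, and picks unmanaged mode when the executable mapping is refused. The names `probe_exec_tmp_mapping` and `choose_mode` are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

enum module_mode { MODE_UNMANAGED = 0, MODE_MANAGED = 1 };  /* hypothetical */

/* Returns 1 if a deleted temp file in `dir` can be mapped both writable and
 * executable, 0 if the executable mapping is refused (SELinux file execute
 * denial, noexec mount), -1 if the temp file could not be set up.
 * *err receives the errno of the failing call, 0 on success. */
int probe_exec_tmp_mapping(const char *dir, int *err)
{
    char path[4096];
    long page = sysconf(_SC_PAGESIZE);
    int result, n = snprintf(path, sizeof path, "%s/probeXXXXXX", dir);

    *err = 0;
    if (n < 0 || (size_t)n >= sizeof path) { *err = ENAMETOOLONG; return -1; }
    int fd = mkstemp(path);
    if (fd < 0) { *err = errno; return -1; }
    unlink(path);  /* file is now "(deleted)", as in the quoted AVC message */
    if (ftruncate(fd, page) != 0) { *err = errno; close(fd); return -1; }

    void *rw = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (rw == MAP_FAILED) { *err = errno; close(fd); return -1; }
    /* Second view of the same pages, executable: the step the policy blocks. */
    void *rx = mmap(NULL, page, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    if (rx == MAP_FAILED) { *err = errno; result = 0; }
    else { munmap(rx, page); result = 1; }
    munmap(rw, page);
    close(fd);
    return result;
}

/* Fallback from comment 6: managed only when closures can be generated. */
enum module_mode choose_mode(int probe_result)
{
    return probe_result == 1 ? MODE_MANAGED : MODE_UNMANAGED;
}

int main(void)
{
    int err, r = probe_exec_tmp_mapping("/tmp", &err);
    printf("probe=%d errno=%d mode=%s\n", r, err,
           choose_mode(r) == MODE_MANAGED ? "managed" : "unmanaged");
    return 0;
}
```

Run under the confined domain, the probe returns 0 with the errno of the refused mapping instead of leaving the caller with a failed module load.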
Comment 7 Stef Walter 2015-10-16 04:56:50 EDT
Well, in p11-kit we have the concept of 'enable-in' and 'disable-in'. These are configuration settings that only apply for certain processes. In theory we could have a mode where all modules are unmanaged in a given process, if so configured.

This is yet another solution to the problem, for you to consider.
Comment 8 Jan Kurik 2016-02-24 08:50:32 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 9 Jan Kurik 2016-07-26 01:05:31 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.
Comment 10 Fedora End Of Life 2017-02-28 04:49:50 EST
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.
Comment 11 Fedora Admin XMLRPC Client 2017-04-26 09:56:47 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 12 Daiki Ueno 2017-05-02 09:47:26 EDT
This should be fixed in the latest package in F26.
