1723951 – libffi: Try the /run directory when searching for the exec tmpdir on hardened systems

Bug 1723951 - libffi: Try the /run directory when searching for the exec tmpdir on hardened systems

Summary: libffi: Try the /run directory when searching for the exec tmpdir on hardened...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	libffi
Sub Component:
Version:	8.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	DJ Delorie
QA Contact:	Michal Kolar
Docs Contact:	Zuzana Zoubkova
URL:
Whiteboard:
Depends On:	1722756
Blocks:	1819440 1825061
TreeView+	depends on / blocked

Reported:	2019-06-25 20:30 UTC by DJ Delorie
Modified:	2023-07-18 14:30 UTC (History)
CC List:	9 users (show)
Fixed In Version:	libffi-3.1-22.el8
Doc Type:	Enhancement
Doc Text:	.An additional libffi-specific temporary directory is available now Previously on hardened systems, the system-wide temporary directories may not have had permissions suitable for use with the `libffi` library. With this enhancement, system administrators can now set the `LIBFFI_TMPDIR` environment variable to point to a libffi-specific temporary directory with both `write` and `exec` mount or selinux permissions.
Clone Of:	1722756
Environment:
Last Closed:	2020-11-04 01:54:48 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1667620	unspecified	CLOSED	Limit mounts that libffi will try to write to	2021-11-30 16:13:50 UTC
Red Hat Knowledge Base (Solution)	4253591	Troubleshoot	None	firewalld triggers SELinux AVCs if /tmp, /var/tmp, and /dev/shm are mounted with noexec	2019-06-28 08:22:43 UTC
Red Hat Product Errata	RHBA-2020:4515	None	None	None	2020-11-04 01:54:50 UTC

Description DJ Delorie 2019-06-25 20:30:17 UTC

+++ This bug was initially created as a clone of Bug #1722756 +++

Description of problem:
libffi code searches for the tmpdir with exec to write and execute their temporal files from there. On hardened systems with most of the mounts mounted with noexec, it can fell through the explicit list of candidate dirs to the mtab search and then it can take the root directory ('/') which will result in SELinux AVCs. As most of the systems have /run mounted with exec, it could be worth adding it to the explicit list of candidates. Well, it will not solve the problem for everybody, because FHS doesn't say anything about exec/noexec of the /run, so customers could remount it noexec, but it would be definitely improvement. 

Version-Release number of selected component (if applicable):
libffi-3.0.13-18.el7.x86_64 

How reproducible:
Always

Steps to Reproduce:
1. check the code
2.
3.

Actual results:
/run is not in the explicit search list

Expected results:
/run could be in the explicit search list

--- Additional comment from Florian Weimer on 2019-06-21 05:28:23 EDT ---

I think the way forward here is to switch to a trampoline which does not need run-time code generation, only mapping of fixed, pre-compiled code.  Then all that dual-mapping and cache-flushing code can go away.

--- Additional comment from Carlos O'Donell on 2019-06-25 12:00:03 EDT ---

In RHEL7 we should just add the extra search directory and stop there, but in later releases we may have the opportunity to rework libffi.

Comment 4 Michal Kolar 2020-07-27 14:19:28 UTC

Verified against libffi-3.1-22.el8.

Comment 7 errata-xmlrpc 2020-11-04 01:54:48 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libffi bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4515

Note You need to log in before you can comment on or make changes to this bug.