Bug 1723951 - libffi: Try the /run directory when searching for the exec tmpdir on hardened systems
Summary: libffi: Try the /run directory when searching for the exec tmpdir on hardened...
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libffi
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: DJ Delorie
QA Contact: Michal Kolar
Zuzana Zoubkova
Depends On: 1722756
Blocks: 1825061 1819440
Reported: 2019-06-25 20:30 UTC by DJ Delorie
Modified: 2021-09-17 12:20 UTC (History)

Fixed In Version: libffi-3.1-22.el8
Doc Type: Enhancement
Doc Text:
An additional libffi-specific temporary directory is available now

Previously on hardened systems, the system-wide temporary directories may not have had permissions suitable for use with the `libffi` library. With this enhancement, system administrators can now set the `LIBFFI_TMPDIR` environment variable to point to a libffi-specific temporary directory with both `write` and `exec` mount or SELinux permissions.
Clone Of: 1722756
Last Closed: 2020-11-04 01:54:48 UTC
Type: Bug
Target Upstream Version:


Links:
- Red Hat Bugzilla 1667620 (status NEW): Limit mounts that libffi will try to write to (last updated 2021-02-22 00:41:40 UTC)
- Red Hat Knowledge Base (Solution) 4253591 (Troubleshoot): firewalld triggers SELinux AVCs if /tmp, /var/tmp, and /dev/shm are mounted with noexec (last updated 2019-06-28 08:22:43 UTC)
- Red Hat Product Errata RHBA-2020:4515 (last updated 2020-11-04 01:54:50 UTC)

Description DJ Delorie 2019-06-25 20:30:17 UTC
+++ This bug was initially created as a clone of Bug #1722756 +++

Description of problem:
libffi code searches for a tmpdir with exec to write and execute its temporary files from there. On hardened systems with most of the mounts mounted with noexec, it can fall through the explicit list of candidate dirs to the mtab search and then it can take the root directory ('/'), which will result in SELinux AVCs. As most systems have /run mounted with exec, it could be worth adding it to the explicit list of candidates. Well, it will not solve the problem for everybody, because FHS doesn't say anything about exec/noexec of /run, so customers could remount it noexec, but it would definitely be an improvement.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. check the code

Actual results:
/run is not in the explicit search list

Expected results:
/run could be in the explicit search list

--- Additional comment from Florian Weimer on 2019-06-21 05:28:23 EDT ---

I think the way forward here is to switch to a trampoline which does not need run-time code generation, only mapping of fixed, pre-compiled code.  Then all that dual-mapping and cache-flushing code can go away.

--- Additional comment from Carlos O'Donell on 2019-06-25 12:00:03 EDT ---

In RHEL7 we should just add the extra search directory and stop there, but in later releases we may have the opportunity to rework libffi.
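
The candidate-directory search this report describes, as an added illustration that is not libffi's own code: each directory is probed by creating an anonymous temporary file and mapping it once writable and once executable, which is the PROT_EXEC mapping that fails with EPERM on a noexec mount. The candidate order, the LIBFFI_TMPDIR override from the erratum and the /run entry proposed here are assumptions for the demo, not libffi's actual list.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
/* Probe one directory: create a private temp file and map it twice, once
 * writable and once executable.  On a noexec mount the PROT_EXEC mmap fails
 * with EPERM, which is what pushes the search on to the next candidate. */
int probe_exec_dir(const char *dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/.ffi-probe-XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0) return 0;              /* directory missing or not writable */
    unlink(path);                      /* keep the file anonymous */
    long pg = sysconf(_SC_PAGESIZE); int ok = 0;
    if (ftruncate(fd, pg) == 0) {
        void *w = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        void *x = mmap(NULL, pg, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
        ok = (w != MAP_FAILED && x != MAP_FAILED);
        if (w != MAP_FAILED) munmap(w, pg);
        if (x != MAP_FAILED) munmap(x, pg);
    }
    close(fd);
    return ok;
}

/* Walk a NULL-terminated candidate list; return the index of the first usable
 * directory, or -1 when all fail (where the report says libffi scans mtab). */
int find_exec_tmpdir(const char *const *candidates)
{
    for (int i = 0; candidates[i]; i++)
        if (probe_exec_dir(candidates[i]))
            return i;
    return -1;
}

int main(void)
{
    /* Assumed order: LIBFFI_TMPDIR override, TMPDIR, fixed dirs, then /run. */
    const char *list[8]; int n = 0;
    if (getenv("LIBFFI_TMPDIR")) list[n++] = getenv("LIBFFI_TMPDIR");
    if (getenv("TMPDIR")) list[n++] = getenv("TMPDIR");
    list[n++] = "/tmp"; list[n++] = "/var/tmp";
    list[n++] = "/dev/shm"; list[n++] = "/run"; list[n] = NULL;
    int hit = find_exec_tmpdir(list);
    printf("exec tmpdir: %s\n", hit >= 0 ? list[hit] : "(none; would scan the mount table)");
    return hit >= 0 ? 0 : 1;
}
```

Running it with a directory that is mounted noexec earlier in the list shows that directory being skipped; exporting LIBFFI_TMPDIR to a write+exec location makes it the first hit.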

Comment 4 Michal Kolar 2020-07-27 14:19:28 UTC
Verified against libffi-3.1-22.el8.

Comment 7 errata-xmlrpc 2020-11-04 01:54:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libffi bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

