Bug 468412 - avc denied execstack for nspluginscan when flash plugin is installed
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
: SELinux
Reported: 2008-10-24 12:33 EDT by Orion Poplawski
Modified: 2008-10-27 17:06 EDT
Doc Type: Bug Fix
Last Closed: 2008-10-27 17:06:31 EDT
Description Orion Poplawski 2008-10-24 12:33:12 EDT
Description of problem:

I have flash-plugin from the adobe-linux repo installed.  When nspluginscan runs I get:

Oct 24 10:05:13 test kernel: type=1400 audit(1224864313.154:572): avc:  denied  { execstack } for  pid=3671 comm="nspluginscan" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

nspluginscan seems to load each plugin that it scans:

3671  open("/usr/lib/mozilla/plugins/libflashplayer.so", O_RDONLY) = 9
3671  read(9, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360\360\2\0004\0\0\0\24"..., 512) = 512
3671  fstat64(9, {st_mode=S_IFREG|0755, st_size=10017140, ...}) = 0
3671  mmap2(NULL, 10939008, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = 0x404da000
3671  mmap2(0x40e2b000, 208896, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE,9, 0x950) = 0x40e2b000
3671  mmap2(0x40e5e000, 961152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,-1, 0) = 0x40e5e000
3671  mprotect(0x85f000, 3792, PROT_READ|PROT_WRITE) = 0
3671  mprotect(0x85f000, 3792, PROT_READ) = 0
3671  mprotect(0xbf9e8000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) = -1 EACCES (Permission denied)

# ls -Z /usr/bin/nspluginscan
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/bin/nspluginscan

No idea if this actually causes any problems.

Version-Release number of selected component (if applicable):
Comment 1 Rex Dieter 2008-10-24 13:40:57 EDT
Reassigning to selinux-policy-targeted (assuming that's what you're using here).

Having said that, I've already seen this reported at least once or twice already.  iirc, the latest policy should work correctly if nspluginwrapper is installed.  Maybe something has changed, or my recollection is flawed.
Comment 2 Daniel Walsh 2008-10-24 15:02:00 EDT
Well if you label nspluginscan nsplugin_exec_t does it work?

chcon -t nsplugin_exec_t /usr/bin/nspluginscan
Comment 3 Orion Poplawski 2008-10-24 15:35:29 EDT
(In reply to comment #2)
> Well if you label nspluginscan nsplugin_exec_t does it work?

Comment 4 Kevin Kofler 2008-10-24 21:03:45 EDT
And allow browser plugins to disable buffer overflow protection? Looks like a security disaster to me.
IMHO nsplugin_exec_t should not exist and this is a CANTFIX. Adobe should fix their proprietary crap.
Comment 5 Daniel Walsh 2008-10-27 17:06:31 EDT
Except nsplugin is a confined domain while firefox is running in unconfined_t.

So we are confining the applications we know are susceptible to buffer overflow.

And attempting to protect all other processes run by the user from exec* problems.

Changing labeling in selinux-policy-3.5.13-9.fc10
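
Added example, not part of the original bug thread: the last mprotect() in the strace above (PROT_EXEC|PROT_GROWSDOWN on a stack address) is the kind of call glibc's loader makes when a loaded object requests an executable stack, which SELinux reports as execstack. This sketch reads the PT_GNU_STACK program header to show whether a given shared object makes that request; the function names and sample ELF bytes are constructed for illustration, and counting a missing header as a request is an assumption based on glibc's x86 default.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack permissions
PF_X = 0x1                 # "executable" bit in p_flags

def gnu_stack_flags(elf: bytes):
    """Return p_flags of PT_GNU_STACK, or None if the header is absent."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
        flags_at = 4                        # Elf64_Phdr: p_type, p_flags, ...
    else:
        phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
        flags_at = 24                       # Elf32_Phdr: p_flags is the 7th word
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            return struct.unpack_from(end + "I", elf, base + flags_at)[0]
    return None

def requests_execstack(elf: bytes) -> bool:
    """True if the object asks for an executable stack. A missing PT_GNU_STACK
    is counted as a request (assumption: glibc's x86 default is R|W|X)."""
    flags = gnu_stack_flags(elf)
    return flags is None or bool(flags & PF_X)

def sample_elf32(stack_flags):
    """Constructed input: minimal little-endian ELF32 shared object (ET_DYN,
    EM_386) with one program header; stack_flags=None emits PT_NULL instead."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    p_type = 0 if stack_flags is None else PT_GNU_STACK
    phdr = struct.pack("<8I", p_type, 0, 0, 0, 0, 0, stack_flags or 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    for label, flags in (("RWX", 7), ("RW", 6), ("absent", None)):
        print(label, requests_execstack(sample_elf32(flags)))
```

To check a real plugin, pass the file's bytes, for example `requests_execstack(open(path, "rb").read())`.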
