Bug 499065 - Avoid unnecessary allow_execmem by using PT_GNU_STACK
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: kernel
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-05-04 23:23 EDT by Adam Goode
Modified: 2010-12-05 01:55 EST
Doc Type: Bug Fix
Last Closed: 2010-12-05 01:55:10 EST

Description Adam Goode 2009-05-04 23:23:43 EDT
Description of problem:
Currently, because of reasons in bug #211271, allow_execstack implies allow_execmem. This means that allow_execmem is effectively on for most programs. Instead of unconditionally setting allow_execstack, it should only be for those applications that require it. This information is conveyed via the PT_GNU_STACK mechanism, that the kernel already uses. (See fs/binfmt_elf.c)

If allow_execstack were only to apply to programs that require executable stack, then the majority of programs could benefit from execmem/execstack protection.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-23.fc11.noarch
kernel-2.6.29.1-111.fc11.x86_64


See also bug #495614.
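The PT_GNU_STACK mechanism the description refers to, shown as an added C example (not code from this bug report or from the kernel): it walks an ELF64 image's program headers for the PT_GNU_STACK entry and reports its flags, the header fs/binfmt_elf.c consults to decide whether the main stack is made executable. The ELF image it parses is constructed in the block, and gnu_stack_flags and build_image are names chosen here.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 (and sets *flags to p_flags) if the ELF64 image has a PT_GNU_STACK header,
 * 0 if it has none (the kernel then applies its per-architecture default), -1 if malformed. */
int gnu_stack_flags(const uint8_t *buf, size_t len, uint32_t *flags) {
    Elf64_Ehdr eh; Elf64_Phdr ph;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof ph)
        return -1;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        size_t off = eh.e_phoff + (size_t)i * sizeof ph;
        if (off + sizeof ph > len) return -1;              /* truncated program header table */
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) { *flags = ph.p_flags; return 1; }
    }
    return 0;
}

/* Constructed sample: minimal ELF64 header, one PT_LOAD and optionally a PT_GNU_STACK
 * header carrying stack_flags (as the linker emits for -z execstack / -z noexecstack). */
size_t build_image(uint8_t *out, int with_gnu_stack, uint32_t stack_flags) {
    Elf64_Ehdr eh = {0}; Elf64_Phdr ph = {0};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph;
    eh.e_phnum = with_gnu_stack ? 2 : 1;
    memcpy(out, &eh, sizeof eh);
    ph.p_type = PT_LOAD; ph.p_flags = PF_R | PF_X;
    memcpy(out + sizeof eh, &ph, sizeof ph);
    if (with_gnu_stack) {
        ph.p_type = PT_GNU_STACK; ph.p_flags = stack_flags;
        memcpy(out + sizeof eh + sizeof ph, &ph, sizeof ph);
    }
    return sizeof eh + eh.e_phnum * sizeof ph;
}

int main(void) {                                  /* stand-alone demo on the constructed image */
    uint8_t img[256]; uint32_t fl = 0;
    size_t n = build_image(img, 1, PF_R | PF_W);   /* non-executable stack requested */
    int r = gnu_stack_flags(img, n, &fl);
    printf("PT_GNU_STACK present: %d, executable: %d\n", r == 1, r == 1 && (fl & PF_X) != 0);
    return 0;
}
```

Pointing gnu_stack_flags at the first few kilobytes of a real binary gives the same answer as readelf -l for the GNU_STACK line.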
Comment 1 Ulrich Drepper 2009-05-05 11:01:40 EDT
(In reply to comment #0)
> Instead of unconditionally setting allow_execstack, it should only be
> for those applications that require it. This information is conveyed via the
> PT_GNU_STACK mechanism, that the kernel already uses. (See fs/binfmt_elf.c)

Do you mean this isn't done like this?  It certainly was at some time and always should be.
Comment 2 Eric Paris 2009-05-05 11:18:39 EDT
What is this 'unconditional setting of allow_execstack' that you mention?  Can you provide a specific example of the problem you mention?
Comment 3 Stephen Smalley 2009-05-05 11:19:15 EDT
I think there is some confusion here.
SELinux defines policy based on domains (equivalence classes), not individual programs, although each program can potentially have its own domain.  So we don't allow or deny execmem or execstack to individual programs per se but rather to domains.

It is true that SELinux defaults to ignoring PROT_EXEC added by the kernel for read-implies-exec behavior, only checking the protection bits specifically requested by the application, unless /selinux/checkreqprot is set to 0.  So we don't end up checking execmem if the application only requested a RW mapping and it was the kernel that added PROT_EXEC to honor the PT_GNU_STACK behavior.
Comment 4 Daniel Walsh 2009-05-05 11:46:45 EDT
BTW allow_execstack and all of the other allow_exec* booleans only affect unconfined domains.  They do not allow a confined domain like httpd_t to run execstack or execmem.
Comment 5 Adam Goode 2009-05-05 13:29:06 EDT
Right, this is all for unconfined domains. This bug report stems from my surprise that allow_execmem=false wasn't stopping mmap from mapping WRITE|EXEC on unconfined apps.

Then I learned that allow_execstack -> allow_execmem. This is my attempt to figure out how to get execmem protection back for virtually all unconfined apps. 

I think that allow_execstack is not required in cases where programs don't need executable stack. This wouldn't be as big a problem if not for that implication.
Comment 6 Bug Zapper 2009-06-09 11:09:23 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Bug Zapper 2010-04-27 10:07:34 EDT
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 8 Ulrich Drepper 2010-04-27 10:31:11 EDT
Well, this is actually still a problem.

Eric, just take a look at a program like this:

#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

int
main(void)
{
  /* Ask for an anonymous mapping that is writable and executable at once;
     with execmem denied, SELinux refuses this request. */
  void *p = mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
  if (p == MAP_FAILED)
    {
      printf("mmap failed: %s\n", strerror(errno));
      return 1;
    }
  printf("p = %p\n", p);
  return 0;
}


If you run this with all allow_exec* set to 0 the mmap call fails.  With allow_execstack it works.

This is with F12.
Comment 9 Stephen Smalley 2010-04-27 10:57:21 EDT
That's expected behavior.
The allow_execstack boolean turns on both execstack and execmem permission since they are both checked when making the stack executable.
Comment 10 Ulrich Drepper 2010-04-27 11:04:00 EDT
(In reply to comment #9)
> That's expected behavior.
> The allow_execstack boolean turns on both execstack and execmem permission
> since they are both checked when making the stack executable.    

Looks like a significant shortcoming in the hooks.  The kernel knows when the memory is allocated for the stack or not.  allow_execstack should only cover these cases.
Comment 11 Stephen Smalley 2010-04-27 11:26:32 EDT
Well, only in the case for the process stack, not for thread stacks, right?

execmem was originally introduced as a generic check performed upon both mmap and mprotect over making anonymous mappings executable.  Executable stack is a specific instance of that.

Later the execstack check was added as a more specific check, but only on mprotect() and only for the main process stack.

Yes, we could change selinux_file_mprotect() to skip the later execmem check if we have already checked execstack and it passed, but then you can't say for certain that if you've disallowed execmem then no anonymous mappings can be made executable.

If you've allowed execstack, what point is there in denying execmem - they already have everything they need via the stack?
Comment 12 Bug Zapper 2010-11-04 07:17:09 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 13 Bug Zapper 2010-12-05 01:55:10 EST
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
