
[Gcl-devel] selinux support


From: Camm Maguire
Subject: [Gcl-devel] selinux support
Date: Thu, 21 Aug 2014 13:18:05 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)

Greetings!  It has been known for some time that selinux by default
stands in the way of gcl's traditional development paradigm: brk,
compile, load, relocate, mprotect, execute, unexec, reexecute....  In
particular, it forbids mprotecting (at least unrandomized) brk'ed memory
PROT_EXEC.  Heretofore, the solution was to disable selinux on affected
systems, but now it appears we have a better way.

selinux appears to honor the READ_IMPLIES_EXEC personality bit.  It will
turn off this bit on exec of children, so this bit must be handled a
little differently than the existing gcl personality support of 1)
turning on ADDR_NO_RANDOMIZE, and 2) on 32bit, turning on
ADDR_LIMIT_3GB|ADDR_COMPAT_LAYOUT to get some immediate fixnum space, in
which case we set and reexec with the child inheriting the new
personality.

It's still early, but the following appears to work:

--- a/gcl/h/unrandomize.h
+++ b/gcl/h/unrandomize.h
@@ -10,7 +10,7 @@
 
   {
 
-    long pers = personality(0xffffffffUL);
+    long pers = personality(READ_IMPLIES_EXEC|personality(0xffffffffUL));
     long flag = ADDR_NO_RANDOMIZE;
 
     if (sizeof(long)==4) flag|=ADDR_LIMIT_3GB|ADDR_COMPAT_LAYOUT;
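Review bot: with the nested call, `pers` receives the return value of the setting call, which is the personality as it was before READ_IMPLIES_EXEC was ORed in, so the bit is set but `pers` never shows it; if the lines after this hunk compare `pers` against `flag` that still works for the ADDR_* bits, but any later `pers & READ_IMPLIES_EXEC` test on this value would read as unset, and a second `personality(0xffffffffUL)` query is the only way to confirm the bit actually stuck. Neither call checks for a -1 return (the setting call can fail, for example with EPERM when a seccomp filter refuses the syscall), so a refused set is indistinguishable from success before the code goes on to mprotect brk memory PROT_EXEC; consider `if (personality(...) == -1) perror("personality")` or an equivalent before continuing. A one-line comment explaining why this bit is set in-process on every start instead of being inherited through the re-exec (the message notes selinux clears it on exec of children) would also help the next reader of unrandomize.h.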

It would be nice if someone happened to be an expert in this field and
could reassure that this will continue to work in the future, and is not
some artifact.  The last useful thing I've seen on this is:

http://lwn.net/Articles/94068/

I'll be committing and testing this, as the final addition to 2.6.11 if
it passes muster.

Take care,


address@hidden writes:

> I changed the selinux setting to enforcing.
>
> So if I understand you correctly you're suggesting doing a build with
>
>  setarch i386 -X make 
>
> I am going to reboot and try this.
>
> You're currently on the machine but not answering the 'talk'
> invitation so this is going to come as a surprise.
>
> Tim
>

-- 
Camm Maguire                                        address@hidden
==========================================================================
"The earth is but one country, and mankind its citizens."  --  Baha'u'llah
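The personality(2) handling described in the message, written out as an added example (this is not GCL's code and not taken from the patch above): it queries the current personality, computes the address-layout bits that would require a re-exec, and sets READ_IMPLIES_EXEC in the running process with a second query to confirm the bit took effect. It assumes Linux with glibc's `<sys/personality.h>`; the function names are this example's own.

```c
/* Added example, not GCL code: the personality(2) handling described in
 * the message, with the checks a one-line patch leaves out.  Linux/glibc
 * only; the function names are this example's own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/personality.h>

/* 0xffffffff is the documented query argument: returns the current
 * personality without changing it, or -1 with errno set. */
long query_personality(void)
{
    return personality(0xffffffffUL);
}

/* The address-layout bits the message sets before re-exec: no ASLR, and on
 * 32-bit additionally ADDR_LIMIT_3GB|ADDR_COMPAT_LAYOUT for immediate
 * fixnum space. */
long layout_flags_wanted(void)
{
    long flag = ADDR_NO_RANDOMIZE;
    if (sizeof(long) == 4)
        flag |= ADDR_LIMIT_3GB | ADDR_COMPAT_LAYOUT;
    return flag;
}

/* The layout bits only affect the image that is exec'd next, so the
 * re-exec decision is: are any wanted bits missing from this personality? */
int layout_needs_reexec(long pers)
{
    long wanted = layout_flags_wanted();
    return (pers & wanted) != wanted;
}

/* READ_IMPLIES_EXEC is cleared on exec of children (as the message notes
 * under selinux), so it is set in the running process and verified by a
 * second query.  personality(newval) returns the PREVIOUS value, so the
 * return of the setting call can never show the bit just requested.
 * Returns 1 if the bit is set afterwards, 0 if the kernel or a seccomp
 * filter refused (errno left set), -1 if the personality cannot be read.
 * With this bit set, mappings requested PROT_READ are also executable, so
 * the process gives up W^X: treat it as a scoped exception, not a default. */
int ensure_read_implies_exec(void)
{
    long cur = query_personality();
    if (cur == -1)
        return -1;
    if (cur & READ_IMPLIES_EXEC)
        return 1;                       /* already set, nothing to do */
    if (personality((unsigned long)(cur | READ_IMPLIES_EXEC)) == -1)
        return 0;                       /* refused: EPERM/EINVAL in errno */
    long now = query_personality();
    if (now == -1)
        return -1;
    return (now & READ_IMPLIES_EXEC) ? 1 : 0;
}

int main(void)
{
    long pers = query_personality();
    if (pers == -1) {
        perror("personality");
        return 1;
    }
    printf("current personality: 0x%lx\n", pers);
    printf("layout bits wanted:  0x%lx (re-exec needed: %s)\n",
           layout_flags_wanted(), layout_needs_reexec(pers) ? "yes" : "no");
    int r = ensure_read_implies_exec();
    if (r == 1)
        printf("READ_IMPLIES_EXEC set, personality now 0x%lx\n",
               query_personality());
    else if (r == 0)
        printf("READ_IMPLIES_EXEC refused: %s\n", strerror(errno));
    else
        perror("personality query");
    return r == 1 ? 0 : 1;
}
```

The split between `layout_needs_reexec` and `ensure_read_implies_exec` mirrors the two cases in the message: the ADDR_* bits are set and then inherited by the re-exec'd child, while READ_IMPLIES_EXEC has to be applied to the process that will do the mprotect and confirmed by a fresh query, because the value returned by the setting call is the old personality.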


