On 2017-07-29 08:28, Timo Paulssen wrote:
>> The reliance on W^X violating behavior is something I would like >> to see
removed,
Actually what they are refering to is that dyncall and libffi both
require an executable stack. We can't get around that without making
changes to libffi and dyncall, sadly.
I believe that libffi versions 3.1 and later do not require executable
stacks per
https://access.redhat.com/security/cve/CVE-2017-1000376
I've tested this with rakudo-star-2017.07 under Fedora 26. A default
build of Rakudo Star does NOT use libffi and DOES require an executable
stack:
[markmont@f26test rakudo-star-2017.07]$ getsebool selinuxuser_execstack
selinuxuser_execstack --> on
[markmont@f26test rakudo-star-2017.07]$ perl6 -e "say 'hello, world';"
hello, world
[markmont@f26test rakudo-star-2017.07]$ sudo setsebool
selinuxuser_execstack off
[markmont@f26test rakudo-star-2017.07]$ getsebool selinuxuser_execstack
selinuxuser_execstack --> off
[markmont@f26test rakudo-star-2017.07]$ perl6 -e "say 'hello, world';"
/home/markmont/perl6/perl6/bin/moar: error while loading shared
libraries: libmoar.so: cannot enable executable stack as shared object
requires: Permission denied
[markmont@f26test rakudo-star-2017.07]$
I then made sure I had the libffi and libffi-devel RPMs installed,
edited MoarVM/Configure.pl to turn on "--has-libffi", and rebuilt all of
Rakudo Star. When using libffi 3.1 or later, executable stacks are no
longer required:
[markmont@f26test rakudo-star-2017.07]$ getsebool selinuxuser_execstack
selinuxuser_execstack --> off
[markmont@f26test rakudo-star-2017.07]$ perl6 -e "say 'hello, world';"
hello, world
[markmont@f26test rakudo-star-2017.07]$ make rakudo-test | tail -4
All tests successful.
Files=47, Tests=616, 26 wallclock secs ( 0.12 usr 0.04 sys + 23.96
cusr 2.84 csys = 26.96 CPU)
Result: PASS
make[1]: Leaving directory '/home/markmont/perl6/rakudo-star-2017.07/rakudo'
[markmont@f26test rakudo-star-2017.07]$ make rakudo-spectest | tail -3
Files=1092, Tests=51281, 895 wallclock secs ( 5.86 usr 1.34 sys +
632.08 cusr 69.38 csys = 708.66 CPU)
Result: PASS
make[1]: Leaving directory '/home/markmont/perl6/rakudo-star-2017.07/rakudo'
[markmont@f26test rakudo-star-2017.07]$
However, an executable heap is still necessary even though an executable
stack is not needed when MoarVM built to use libffi 3.1 or later:
[markmont@f26docker rakudo-star-2017.07]$ getsebool deny_execmem
deny_execmem --> off
[markmont@f26docker rakudo-star-2017.07]$ perl6 -e "say 'hello, world';"
hello, world
[markmont@f26docker rakudo-star-2017.07]$ sudo setsebool deny_execmem on
[markmont@f26docker rakudo-star-2017.07]$ getsebool deny_execmem
deny_execmem --> on
[markmont@f26docker rakudo-star-2017.07]$ perl6 -e "say 'hello, world';"
Segmentation fault (core dumped)
[markmont@f26docker rakudo-star-2017.07]$ sudo grep denied
/var/log/audit/audit.log
type=AVC msg=audit(1501367074.731:347): avc: denied { execmem } for
pid=40078 comm="moar"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process permissive=0
[markmont@f26docker rakudo-star-2017.07]$
--
Mark Montague
m...@catseye.org
