I think "text relocation" has something to do with the way a dynamic library is compiled and/or loaded. This is not something which Protocol Buffers asks for specifically -- either libtool, your linker, or your binary loader chose to use this feature without being asked for it. It seems that SELinux feels that text relocation is risky because it means that the library image in memory is both executable and writable, which presumably makes it easier to exploit buffer overruns -- but first a buffer overrun has to exist, independently. So this isn't a security hole in itself, it's just something that could hypothetically make some other security hole more exploitable. Possible solutions: * Compile protobuf with static linking only. (configure --disable-shared) * Figure out how to compile protobuf with "text relocation" disabled, and do that. (Maybe CFLAGS=-fPIC will do it? But note that this will make the code a bit slower.) * Tell your OS to allow text relocation for protoc because protoc does not process data from potentially malicious users and therefore is not a security risk.
On Fri, Jul 31, 2009 at 6:43 PM, hw...@gear6.com <hw...@gear6.com> wrote: > > A question on the right behavior of libprotoc.so.4.0.0. > > On a CentOS 5.1, I downloaded and installed the latest protocol buffer > 2.1. Make check runs fine. Then when I tried to do make under the ./ > example directory, SELinux reports that "protoc attempted to load /usr/ > local/lib/libprotoc.so.4.0.0 which requires text relocation. This is a > potential security problem. " > > The command I run is simply: > protoc --cpp_out=. addressbook.proto > > which reports from CLI that "cannot restore segment proc after reloc: > Permission Denied" > > While I don't believe the code has malicious intention, just curious > that is this "text relocation" inside libprotoc.so.4.0.0 a correct > behavior? I hesitate to allow the this exception in SELinux before I > get confirmation. > > Thanks, > Hank > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Protocol Buffers" group. To post to this group, send email to protobuf@googlegroups.com To unsubscribe from this group, send email to protobuf+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/protobuf?hl=en -~----------~----~----~----~------~----~------~--~---