[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 Илья Индиго changed: What|Removed |Added CC||i...@ilya.pp.ua --- Comment #53 from

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 Carlo Marcelo Arenas Belón changed: What|Removed |Added OS|Linux |All CC|

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #52 from Petr Pisar --- That could work. Maybe the counter could be incremented only in the child only. That would trigger recompilation in children only and thus affected only them. I think people usually do not do

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #51 from Zoltan Herczeg --- Yes, that is a very good point. SELinux is designed to prevent JIT compilation. Probably the solution could be recompiling everything after a fork (remember the JIT compiling options and do

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #49 from Petr Pisar --- I think this is the dead end. The only way to guard a fork is registering callbacks with pthread_atfork() function but I'm not familiar with it and it is said it has its own issues. Even if we

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #48 from Zoltan Herczeg --- (In reply to Petr Pisar from comment #47) > I worry that what you want is impossible. Because it's one file. The tmp file is storing the executable memory, and both process should manage

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #47 from Petr Pisar --- I worry that what you want is impossible. Because it's one file. -- You are receiving this mail because: You are on the CC list for the bug. -- ## List details at

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #46 from Zoltan Herczeg --- When you fork a process, does tmp files also "duplicated"? Copy-on-write just like memory? If not, how can I enable it? The same file cannot be used for both processes, since they write their

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #45 from Petr Pisar --- This code is now in PCRE2-10.30-RC1 and I found following bug in the deallocator when an application does a fork after some JIT operation. I have only a Perl reproducer using re-engine-PCRE2 PCRE2

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #44 from Petr Pisar --- I confirm the r327 revision works on ARM. I asked a Fedora PowerPC maintainer to give you SSH access to a PPC machine. I CC-ed you in the e-mail. -- You are receiving this mail because: You are

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #43 from Zoltan Herczeg --- > It's not good. > > Pass: aarch64, i686, x86_64 > Fail: armv7hl (SIGILL), ppc32 (SIGSEGV), ppc64be (SIGSEGV), ppc64le (SIGSEGV) > > You can see some results on >

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #42 from Philip Hazel --- (In reply to Philip Hazel from comment #39) > ( > It is trivial, of course, to make pcre2grep ignore JIT compile errors. I have now done this. -- You are receiving this mail because: You

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #41 from Petr Pisar --- (In reply to Zoltan Herczeg from comment #38) > I would be grateful if you could check the JIT compiler as well on these > systems. > > 1) Please checkout the compiler > > svn checkout

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #40 from Zoltan Herczeg --- Ok, then pcre2grep should just ignore the error. We can add an option to force an abort if it would be needed for testing. But I am not sure, pcregrep tests are not JIT tests. -- You are

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #38 from Zoltan Herczeg --- > All the tests were run without SELinux enforcing. Great news! Thank you very much for testing. > Running the tests with SELinux enforcing W^X pages on all of the platforms > would require

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #37 from Petr Pisar --- (In reply to Zoltan Herczeg from comment #36) > Landed another big patch which adds allocator support for other CPUs except > Tile-GX. The good (bad) news is that on-the-fly code modifications are >

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #36 from Zoltan Herczeg --- Landed another big patch which adds allocator support for other CPUs except Tile-GX. The good (bad) news is that on-the-fly code modifications are available again regardless of allocator.

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #35 from Christian Persch (GNOME) --- (In reply to Christoph Michael Becker from comment #31) > (In reply to Zoltan Herczeg from comment #29) > > Ok I will try to do these requests. Will take time. Is ./ a good idea to > >

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #34 from Petr Pisar --- glibc documents $TMPDIR, a macro that resolves to /tmp, and /tmp. Working directory isn't probably a good idea. -- You are

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #31 from Christoph Michael Becker --- (In reply to Zoltan Herczeg from comment #29) > Ok I will try to do these requests. Will take time. Is ./ a good idea to > create a temporary file? What other projects do btw? I don't

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #30 from Philip Hazel --- (In reply to Zoltan Herczeg from comment #29) > Ok I will try to do these requests. Will take time. Is ./ a good idea to > create a temporary file? What other projects do btw? I would like to

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #29 from Zoltan Herczeg --- Ok I will try to do these requests. Will take time. Is ./ a good idea to create a temporary file? What other projects do btw? -- You are receiving this mail because: You are on the CC list

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #28 from Petr Pisar --- I confirm it works even if SELinux is configured to deny RWX pages (deny_execmem SELinux boolean set to 1). Now to the mkstemp(). If you make /tmp nonwritable, JIT compilation fails with "no more

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #27 from Zoltan Herczeg --- I reworked the protected allocator to use temporary files, and added the support for x86. The code is available in PCRE2 repository. Please check whether it works on SE Linux. I will update

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #26 from Zoltan Herczeg --- Thank you for working on this. However I will probably just drop the current protected allocator implementation since mprotect does not seems the right way to support "security enhanced"

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #25 from Petr Pisar --- Created attachment 961 --> https://bugs.exim.org/attachment.cgi?id=961=edit Attempt to propagate mprotect() failure Attached patch tries to handle failed mprotect() call so that an application

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 Petr Pisar changed: What|Removed |Added Attachment #959 is|0 |1 obsolete|

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #23 from Petr Pisar --- No, it does not help. Change to R-- passes, subsequent change to R-X is denied. After reading Linux security/selinux/hooks.c (search for default_noexec variable), I think it simply refuses PROT_EXEC

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #21 from Petr Pisar --- The error code is visible in the strace output I quoted in the comment #16. Return value is -1 and errno is EACCES. This failure is result of the SELinux policy that not only prevents from having

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #20 from Zoltan Herczeg --- > And it segfaults because mprotect() return value is not checked and it jumps > into a non-executable page. Hm, what is the error code? The command is issued to an area returned by mmap, so

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 Petr Pisar changed: What|Removed |Added Attachment #958 is|0 |1 obsolete|

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #17 from Petr Pisar --- Despite all this I think your approach still has security benefits since it creates a one-way transition to PROT_EXEC only memory without possibility to modify once compiled code. I appreciate you

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #16 from Petr Pisar --- I tried the code. It indeed stopped using pages with both PROT_WRITE and PROT_EXEC, but it still does not work with restricting SELinux: mmap(NULL, 788, PROT_READ|PROT_WRITE,

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #15 from Zoltan Herczeg --- This temporary file(s) approach is a bit complicated to me, so I finally decided to allocate separate memory blocks with mmap for each compiled pattern. This obviously increases the memory

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #14 from Giuseppe D'Angelo --- Well, if the mapping is file-backed, you'll "just" need to call ftruncate on the file to resize it (and then you'll be able to create new mappings or resize the mapping)... -- You are

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #13 from Zoltan Herczeg --- Executable memory is allocated by an executable allocator. It allocates memory chunks with mmap and manages memory allocation for patterns. This reduces the total memory consumption when

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #12 from Giuseppe D'Angelo --- (In reply to Zoltan Herczeg from comment #10) > It seems the trick is mapping it twice: > > > One is writeable, the other is executable. > > So one thread can write a new code while

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #10 from Zoltan Herczeg --- It seems the trick is mapping it twice: > One is writeable, the other is executable. So one thread can write a new code while another executes an existing pattern. Next question: how can

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #8 from Zoltan Herczeg --- > Then mmap it once writable to edit the JIT code; when you're finished, mmap > it execable instead. Here comes the first question: PCRE-JIT support multithreading, where one thread can

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #7 from Thomas Klausner --- (please read the whole thread mentioned in the previous entry for more discussion/details) -- You are receiving this mail because: You are on the CC list for the bug. -- ## List details at

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 --- Comment #4 from Zoltan Herczeg --- Without fully understanding the concept I may end up creating a code which is even less secure than the original one :) I know little about these security mechanisms so I really need help to

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 Christoph Michael Becker changed: What|Removed |Added CC||cmbecke...@gmx.de

[pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction

https://bugs.exim.org/show_bug.cgi?id=1749 Zoltan Herczeg changed: What|Removed |Added CC||hzmes...@freemail.hu ---