selinux.vger.kernel.org archive mirror
* Threaded applications and "execmem" privilege
@ 2005-11-20 16:35 Erich Schubert
  2005-11-22 15:17 ` Erich Schubert
  0 siblings, 1 reply; 6+ messages in thread
From: Erich Schubert @ 2005-11-20 16:35 UTC (permalink / raw)
  To: SELinux

Hi,
I've been trying to find out how to avoid the "execmem" errors you e.g.
get in "host" (from the bind package, using the resolver library from
bind...), "dig" and "bind" itself.

Apparently this is due to using threads - as far as I can tell, any
application using threads on Linux will do an mmap with "PROT_READ |
PROT_WRITE | PROT_EXEC",
which will trigger the execmem hook of SELinux.

Now that is really annoying: either I need to enable "execmem" for most
domains, or write new domains for stuff like "host" and "dig" and add
appropriate execute transitions to tons of domains. :-(

It would probably be possible to remove PROT_EXEC from the mmap in the
threads library, but I bet there are some applications relying on
it... :-(
Another option would be to modify the threads library to try with
PROT_EXEC first, then retry without. Then a "dontaudit" rule for some
applications should be fine as well...

Anyone here deep enough in the thread libraries to know whether
PROT_EXEC is actually needed and/or what it's going to break?

Can some people try to run "dig" or the "host" command from bind (NOT
the dnsutils version, which probably doesn't use libpthread) and check
whether they need the execmem permission for it, too?
And otherwise maybe find out how their thread library avoids using both
PROT_WRITE and PROT_EXEC on the same mmap...

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C   (o_
   There was never a good war or a bad peace. - Benjamin Franklin   //\
               For every problem there is a solution                V_/_
                  that is simple, clear and wrong.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Threaded applications and "execmem" privilege
  2005-11-20 16:35 Threaded applications and "execmem" privilege Erich Schubert
@ 2005-11-22 15:17 ` Erich Schubert
  2005-11-28 14:31   ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: Erich Schubert @ 2005-11-22 15:17 UTC (permalink / raw)
  To: SELinux

Hello,
I've built Debian stable libc6 packages which do not use PROT_EXEC for
the stack, meaning they do not require the execmem privilege. Executable
stacks are a bad idea anyway, aren't they?
This is not heavily tested... I've just installed it on one machine, and
can now run "dig" in enforcing mode. ;-)
I'm trying to upload them to alioth right now.

Here's the patch I used:
--- nptl/allocatestack.c.orig   2005-11-21 01:18:07.000000000 +0100
+++ nptl/allocatestack.c        2005-11-21 01:18:17.000000000 +0100
@@ -392,7 +392,7 @@
            size += pagesize_m1 + 1;
 #endif

-         mem = mmap (NULL, size, PROT_READ | PROT_WRITE | PROT_EXEC,
+         mem = mmap (NULL, size, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS | ARCH_MAP_FLAGS, -1,
0);

          if (__builtin_expect (mem == MAP_FAILED, 0))
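Review bot: the hunk removes PROT_EXEC from the thread-stack mmap unconditionally, so a program whose PT_GNU_STACK marking requests an executable stack (GCC nested-function trampolines, or a library dlopen()ed into the process that needs one) will fault as soon as code runs on a thread stack, and the hunk carries no comment explaining that behavioural change. Instead of hard-coding `PROT_READ | PROT_WRITE`, derive the protection from the process's executable-stack marking, e.g. `int prot = PROT_READ | PROT_WRITE | (stack_needs_exec ? PROT_EXEC : 0);` (with `stack_needs_exec` standing for whatever flag the loader records from PT_GNU_STACK) and pass `prot` to mmap, so binaries marked non-executable get the execmem-free mapping while marked or unmarked ones keep working.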

From a quick scan of the "Debian unstable" source I'd expect a similar
patch is needed there, too... but maybe one of the debian-patches
already does a similar change.

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
                 Friends are those who reach out for                 //\
                   your hand but touch your heart.                   V_/_
   Where the paths of friends converge, the whole world looks like
          home for an hour. --- Hermann Hesse





* Re: Threaded applications and "execmem" privilege
  2005-11-22 15:17 ` Erich Schubert
@ 2005-11-28 14:31   ` Stephen Smalley
  2005-11-28 15:18     ` Erich Schubert
  0 siblings, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2005-11-28 14:31 UTC (permalink / raw)
  To: Erich Schubert; +Cc: Manoj Srivastava, Russell Coker, SELinux

On Tue, 2005-11-22 at 16:17 +0100, Erich Schubert wrote:
> Hello,
> I've built Debian stable libc6 packages which do not use PROT_EXEC for
> the stack, meaning they do not require the execmem privilege. Executable
> stacks are a bad idea anyway, aren't they?
> This is not heavily tested... I've just installed it on one machine, and
> can now run "dig" in enforcing mode. ;-)
> I'm trying to upload them to alioth right now.
> 
> Here's the patch I used:
> --- nptl/allocatestack.c.orig   2005-11-21 01:18:07.000000000 +0100
> +++ nptl/allocatestack.c        2005-11-21 01:18:17.000000000 +0100
> @@ -392,7 +392,7 @@
>             size += pagesize_m1 + 1;
>  #endif
> 
> -         mem = mmap (NULL, size, PROT_READ | PROT_WRITE | PROT_EXEC,
> +         mem = mmap (NULL, size, PROT_READ | PROT_WRITE,
>                       MAP_PRIVATE | MAP_ANONYMOUS | ARCH_MAP_FLAGS, -1,
> 0);
> 
>           if (__builtin_expect (mem == MAP_FAILED, 0))
> 
> From a quick scan of the "Debian unstable" source I'd expect a similar
> patch is needed there, too... but maybe one of the debian-patches
> already does a similar change.

Hmm...take a look at:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/nptl/allocatestack.c.diff?r1=1.37&r2=1.38&cvsroot=glibc

That alters the mmap call to only apply PROT_EXEC when the binary is
marked as requiring an executable stack or the binary lacks marking (I
assume that execstack -q `which host` shows - /usr/bin/host). That
change is dated Sep 24 2003, and further changes have occurred since
that time.  How old is the Debian libc?

On Fedora, I do not encounter such execmem denials on host, dig, etc.

-- 
Stephen Smalley
National Security Agency




* Re: Threaded applications and "execmem" privilege
  2005-11-28 14:31   ` Stephen Smalley
@ 2005-11-28 15:18     ` Erich Schubert
  2005-11-28 15:36       ` Stephen Smalley
  2005-11-28 16:04       ` Lorenzo Hernandez Garcia-Hierro
  0 siblings, 2 replies; 6+ messages in thread
From: Erich Schubert @ 2005-11-28 15:18 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Manoj Srivastava, Russell Coker, SELinux

Hello Stephen,
> That alters the mmap call to only apply PROT_EXEC when the binary is
> marked as requiring an executable stack or the binary lacks marking (I
> assume that execstack -q `which host` shows - /usr/bin/host). That

Okay, that probably means that most apps (maybe not java and x.org, but
I don't have these on my selinux boxes anyway) should work just fine.
And others probably too, since IIRC i386 doesn't enforce that anyway...
But I'll switch to the patch you posted.

> change is dated Sep 24 2003, and further changes have occurred since
> that time.  How old is the Debian libc?

Debian *stable* libc is version 2.3.2 with tons of patches. Unstable has
2.3.5 with apparently a different thread library?

I don't have this "execstack -q" application. Seems to be
Redhat-specific.

Debian includes a lintian check for executable stacks since October, but
that means rather few packages have been tested yet...

Some more information on the issue:
http://wiki.debian-hardened.org/SSP/ProPolice_Implementations

best regards,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
    Go away or I'll replace you with a very small shell script.     //\
    The beginning of all knowledge is wonder. --- Aristotle         V_/_



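Stephen's message relies on "execstack -q" to read a binary's stack marking,
and Erich's reply notes that Debian did not ship it. As an added example that
is not from the thread, from glibc or from prelink: a small C checker that
reads the PT_GNU_STACK program header the same way and prints "X" when an
executable stack is requested, "-" when the stack is marked non-executable,
and "?" when there is no marking at all (the case glibc treats as executable).
The parser handles ELF32 and ELF64 and assumes a host-endian image;
build_test_elf64 and demo_mark construct a synthetic in-memory ELF64 image so
the check can be exercised offline, and are this example's own helpers, not
anything from glibc or prelink.

```c
/* Report an ELF file's PT_GNU_STACK marking the way `execstack -q` does.
 * Added example, not from the original thread; assumes a host-endian image. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum stack_mark {
    STACK_BAD_ELF = -2,  /* not a parsable ELF image */
    STACK_NO_MARK = -1,  /* no PT_GNU_STACK: loader and kernel assume executable */
    STACK_NOEXEC  =  0,  /* PT_GNU_STACK present without PF_X */
    STACK_EXEC    =  1   /* PT_GNU_STACK present with PF_X */
};

/* Walk the program headers, bounds-checking each one against the buffer. */
static int scan_phdrs(const unsigned char *buf, size_t len,
                      uint64_t phoff, size_t phentsize, size_t phnum, int is64)
{
    size_t phsize = is64 ? sizeof(Elf64_Phdr) : sizeof(Elf32_Phdr);
    if (phentsize < phsize)
        return STACK_BAD_ELF;
    for (size_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        uint32_t type, flags;
        if (off > len || len - off < phsize)
            return STACK_BAD_ELF;
        if (is64) {
            Elf64_Phdr ph;
            memcpy(&ph, buf + off, sizeof ph);   /* memcpy: buf may be unaligned */
            type = ph.p_type;
            flags = ph.p_flags;
        } else {
            Elf32_Phdr ph;
            memcpy(&ph, buf + off, sizeof ph);
            type = ph.p_type;
            flags = ph.p_flags;
        }
        if (type == PT_GNU_STACK)
            return (flags & PF_X) ? STACK_EXEC : STACK_NOEXEC;
    }
    return STACK_NO_MARK;
}

/* Classify an in-memory ELF image; returns one of enum stack_mark. */
int elf_stack_mark(const unsigned char *buf, size_t len)
{
    if (len < EI_NIDENT || memcmp(buf, ELFMAG, SELFMAG) != 0)
        return STACK_BAD_ELF;
    if (buf[EI_CLASS] == ELFCLASS64) {
        Elf64_Ehdr eh;
        if (len < sizeof eh)
            return STACK_BAD_ELF;
        memcpy(&eh, buf, sizeof eh);
        return scan_phdrs(buf, len, eh.e_phoff, eh.e_phentsize, eh.e_phnum, 1);
    }
    if (buf[EI_CLASS] == ELFCLASS32) {
        Elf32_Ehdr eh;
        if (len < sizeof eh)
            return STACK_BAD_ELF;
        memcpy(&eh, buf, sizeof eh);
        return scan_phdrs(buf, len, eh.e_phoff, eh.e_phentsize, eh.e_phnum, 0);
    }
    return STACK_BAD_ELF;
}

/* Build a minimal ELF64 image (constructed test input, not a real binary): one
 * PT_LOAD header plus, if requested, a PT_GNU_STACK header carrying stack_flags. */
size_t build_test_elf64(unsigned char *out, size_t cap, int with_gnu_stack,
                        uint32_t stack_flags)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    size_t nph = with_gnu_stack ? 2 : 1;
    size_t total = sizeof eh + nph * sizeof(Elf64_Phdr);
    if (cap < total)
        return 0;
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_type = ET_EXEC;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = (uint16_t)nph;
    ph[0].p_type = PT_LOAD;
    ph[0].p_flags = PF_R | PF_X;
    ph[1].p_type = PT_GNU_STACK;
    ph[1].p_flags = stack_flags;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, nph * sizeof(Elf64_Phdr));
    return total;
}

/* Classify a synthetic image built with the given marking (helper for offline checks). */
int demo_mark(int with_gnu_stack, uint32_t stack_flags)
{
    unsigned char img[256];
    size_t n = build_test_elf64(img, sizeof img, with_gnu_stack, stack_flags);
    return n ? elf_stack_mark(img, n) : STACK_BAD_ELF;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s ELF-FILE\n", argv[0]);
        return 2;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) {
        perror(argv[1]);
        return 2;
    }
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    if (sz < 0)
        sz = 0;
    unsigned char *buf = malloc(sz > 0 ? (size_t)sz : 1);
    size_t n = buf ? fread(buf, 1, (size_t)sz, f) : 0;
    fclose(f);
    int m = elf_stack_mark(buf, n);
    /* Same one-character convention as execstack -q: X, -, or ? */
    printf("%c %s\n", m == STACK_EXEC ? 'X' : m == STACK_NOEXEC ? '-' : '?', argv[1]);
    free(buf);
    return m == STACK_BAD_ELF;
}
```

Used on the binaries from the thread (for example `./stackmark /usr/bin/host`),
"-" means glibc may allocate thread stacks without PROT_EXEC, while "X" or "?"
means it will keep requesting executable stacks and the domain will need
execmem unless the binary is rebuilt or remarked.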

* Re: Threaded applications and "execmem" privilege
  2005-11-28 15:18     ` Erich Schubert
@ 2005-11-28 15:36       ` Stephen Smalley
  2005-11-28 16:04       ` Lorenzo Hernandez Garcia-Hierro
  1 sibling, 0 replies; 6+ messages in thread
From: Stephen Smalley @ 2005-11-28 15:36 UTC (permalink / raw)
  To: Erich Schubert; +Cc: Manoj Srivastava, Russell Coker, SELinux

On Mon, 2005-11-28 at 16:18 +0100, Erich Schubert wrote:
> Okay, that probably means that most apps (maybe not java and x.org, but
> I don't have these on my selinux boxes anyway) should work just fine.
> And others probably too, since IIRC i386 doesn't enforce that anyway...
> But I'll switch to the patch you posted.

I'd suggest just using a newer upstream glibc altogether if possible.
There are a number of diffs to that file in the cvs.

> I don't have this "execstack -q" application. Seems to be
> Redhat-specific.

Provided by the prelink package in Fedora.  Looks like Jakub Jelinek of
Red Hat is the upstream maintainer of prelink.

-- 
Stephen Smalley
National Security Agency




* Re: Threaded applications and "execmem" privilege
  2005-11-28 15:18     ` Erich Schubert
  2005-11-28 15:36       ` Stephen Smalley
@ 2005-11-28 16:04       ` Lorenzo Hernandez Garcia-Hierro
  1 sibling, 0 replies; 6+ messages in thread
From: Lorenzo Hernandez Garcia-Hierro @ 2005-11-28 16:04 UTC (permalink / raw)
  To: Erich Schubert; +Cc: Stephen Smalley, Manoj Srivastava, Russell Coker, SELinux


On Mon, 2005-11-28 at 16:18 +0100, Erich Schubert wrote:
> Okay, that probably means that most apps (maybe not java and x.org, but
> I don't have these on my selinux boxes anyway) should work just fine.
> And others probably too, since IIRC i386 doesn't enforce that anyway...
> But I'll switch to the patch you posted.

On IA32 PROT_READ implies PROT_EXEC, but "separation" can be enforced:
 http://pearls.tuxedo-es.org/papers/linuxsec-lsm2005/img61.jpg
 http://pearls.tuxedo-es.org/papers/linuxsec-lsm2005/img50.jpg

> Some more information on the issue:
> http://wiki.debian-hardened.org/SSP/ProPolice_Implementations

Please note that that information is obsolete (Hardened Debian used libssp
for the ProPolice implementation, although SSP got merged into gcc-4.1
later). Take it as an experiment, and a reliable way of introducing
changes in the SSP code without recompiling everything, just libssp.

Some people, among them vserver and grsec users, are switching to Gentoo
(Hardened) due to the problems caused by some changes introduced in
Debian's libc. What's the status now? Is it going to be worked out?

BTW, I would like to help out with anything regarding SELinux deployment
in Debian. I'm trying to work out stuff for Ubuntu Linux, but if it gets
into Debian first, then the Ubuntu guys will sync, avoiding duplication
of effort.

Cheers,
-- 
Lorenzo Hernández García-Hierro <lorenzo@gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]


