Great find on libffi! This ought to be a good way forward for security-focused distros.
On 30/07/17 00:30, Mark Montague wrote:
> However, an executable heap is still necessary even though an
> executable stack is not needed when MoarVM is built to use libffi 3.1 or
> later:
>
> [markmont@f26docker rakudo-star-2017.07]$ getsebool deny_execmem
> deny_execmem --> off
> [markmont@f26docker rakudo-star-2017.07]$ perl6 -e "say 'hello, world';"
> hello, world
> [markmont@f26docker rakudo-star-2017.07]$ sudo setsebool deny_execmem on
> [markmont@f26docker rakudo-star-2017.07]$ getsebool deny_execmem
> deny_execmem --> on
> [markmont@f26docker rakudo-star-2017.07]$ perl6 -e "say 'hello, world';"
> Segmentation fault (core dumped)
> [markmont@f26docker rakudo-star-2017.07]$ sudo grep denied /var/log/audit/audit.log
> type=AVC msg=audit(1501367074.731:347): avc: denied { execmem } for pid=40078 comm="moar" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
> [markmont@f26docker rakudo-star-2017.07]$

This is most likely due to the jit, which allocates a frame, generates machine code into it, then jumps into it.

Can you check if the environment variable MVM_JIT_DISABLE makes it work even with deny_execmem?

Maybe we can react to not being allowed to set the page executable and just turn off the jit "forever" at run time.

thanks
  - Timo
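An added example (not MoarVM's or the list members' code) of the run-time reaction Timo proposes: probe once whether an anonymous RW page can be flipped to RX, the same transition a JIT makes before jumping into emitted code, and keep the JIT off for the life of the process if the kernel or SELinux refuses. The environment-variable handling (MVM_JIT_DISABLE set to any non-empty value) and the function names are assumptions made for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 1 if an anonymous RW page could be made RX, 0 if the kernel or
 * an LSM refused (with deny_execmem=on, mprotect() fails with EACCES and
 * the "denied { execmem }" AVC record seen in the audit log is written).
 * The failure reason is stored in *errno_out. */
int probe_execmem(int *errno_out)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        if (errno_out) *errno_out = errno;
        return 0;
    }
    /* The JIT would emit code into p here, then do exactly this. */
    int ok = (mprotect(p, page, PROT_READ | PROT_EXEC) == 0);
    if (errno_out) *errno_out = ok ? 0 : errno;
    munmap(p, page);
    return ok;
}

/* Policy decision kept as a pure function so it can be tested: the JIT
 * stays off when the operator set MVM_JIT_DISABLE (assumed: any non-empty
 * value) or when the execmem probe failed. */
int jit_should_enable(const char *jit_disable_env, int execmem_ok)
{
    if (jit_disable_env != NULL && jit_disable_env[0] != '\0')
        return 0;
    return execmem_ok ? 1 : 0;
}

int main(void)
{
    int err = 0;
    int ok = probe_execmem(&err);
    printf("execmem probe: %s\n", ok ? "allowed" : strerror(err));
    printf("jit enabled: %d\n",
           jit_should_enable(getenv("MVM_JIT_DISABLE"), ok));
    return 0;
}
```

Running this under `setsebool deny_execmem on` should report the probe as denied and the JIT as disabled instead of faulting later, which is the "turn off the jit forever at run time" behaviour without any per-frame error handling.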