[issue11912] Python shouldn't use the mprotect() system call

2011-04-29 Thread Terry J. Reedy

Terry J. Reedy  added the comment:

Is there any reason not to close this as a CPython issue?

--
nosy: +terry.reedy

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue11912] Python shouldn't use the mprotect() system call

2011-04-25 Thread Nils Breunese

Nils Breunese  added the comment:

I contacted the author of iotop and he told me iotop does not use mprotect (but 
it does use dlopen).

Guess I'll have to do some more digging to find what exactly is doing the call 
to mprotect.

--




[issue11912] Python shouldn't use the mprotect() system call

2011-04-24 Thread Jesús Cea Avión

Changes by Jesús Cea Avión :


--
nosy: +jcea




[issue11912] Python shouldn't use the mprotect() system call

2011-04-24 Thread Charles-Francois Natali

Charles-Francois Natali  added the comment:

PaX doesn't block mprotect in itself, but prevents pages from being both 
writable and executable.
Andreas's right, it's probably due to a dlopen of an object requiring 
executable stack via ctypes.
So you should report this to iotop's developers. In the meantime, you could 
use "paxctl -m /usr/bin/python".

--




[issue11912] Python shouldn't use the mprotect() system call

2011-04-23 Thread Andreas Stührk

Andreas Stührk  added the comment:

glibc's `dlopen()` can call `mprotect()`, which is used for loading C 
extensions.

--
nosy: +Trundle




[issue11912] Python shouldn't use the mprotect() system call

2011-04-23 Thread Nils Breunese

Nils Breunese  added the comment:

I haven't had any problems with other Python applications like this, Python 
seems fine otherwise.

I just noticed that iotop has a dependency on python-ctypes, which sounds like 
it could be iotop doing the mprotect() calls via ctypes. Does that make sense?

--




[issue11912] Python shouldn't use the mprotect() system call

2011-04-23 Thread Antoine Pitrou

Antoine Pitrou  added the comment:

> /usr/bin/iotop is a Python script and according to that log message
> grsecurity detected a call to mprotect().

Well, does Python itself run ok? That Python script could use
third-party extension modules which issue the offending mprotect() call.

--




[issue11912] Python shouldn't use the mprotect() system call

2011-04-23 Thread Nils Breunese

Nils Breunese  added the comment:

I got this error message in /var/log/messages when trying to start iotop:


Apr 13 08:49:37 hostname kernel: grsec: From xxx.xxx.xxx.xxx: denied RWX mprotect of /lib64/ld-2.5.so by /usr/bin/iotop[iotop:9836] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9351] uid/euid:0/0 gid/egid:0/0
Apr 13 08:49:37 hostname kernel: iotop[9836]: segfault at 6248c405dda0 ip 6248c3e489ec sp 7fffa52e8410 error 7 in ld-2.5.so[6248c3e42000+1c000]


/usr/bin/iotop is a Python script and according to that log message grsecurity 
detected a call to mprotect().

--




[issue11912] Python shouldn't use the mprotect() system call

2011-04-23 Thread Antoine Pitrou

Antoine Pitrou  added the comment:

Where have you seen that Python is calling mprotect()? There's no sign of it in 
the whole source tree.

--
nosy: +neologix, pitrou




[issue11912] Python shouldn't use the mprotect() system call

2011-04-23 Thread Nils Breunese

New submission from Nils Breunese :

When I try to run iotop [0] on CentOS 5.6 on a kernel with grsecurity [1] then 
iotop won't start because grsecurity is blocking Python because of its use of 
the mprotect() system call.

Please see 
http://www.atomicorp.com/wiki/index.php/ASL_FAQ#grsec:_denied_RWX_mprotect for 
more information. The authors of this hardened Linux kernel suggested filing a 
bug with Python because using mprotect() is apparently a very bad thing to do.

[0] http://guichaz.free.fr/iotop/
[1] http://grsecurity.net/

--
messages: 134314
nosy: breun
priority: normal
severity: normal
status: open
title: Python shouldn't use the mprotect() system call
type: security
versions: 3rd party
