Re: selinux alert from gccgo
On 06/09/2011 09:19 AM, Neal Becker wrote:
> I just compiled 'hello world.go' with gccgo on F15 and got selinux alert about mmap_zero when executable was run.

Then I would open a big bug with gccgo and tell them to fix their code.

mmap_zero is a known attack vector for exploiting kernel flaws, and almost no applications should need this access.

Here is a discussion on it, and the problems that it caused SELinux.

http://eparis.livejournal.com/

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: selinux alert from gccgo
On 06/09/2011 04:26 PM, Daniel J Walsh wrote:
> On 06/09/2011 09:19 AM, Neal Becker wrote:
>> I just compiled 'hello world.go' with gccgo on F15 and got selinux alert about mmap_zero when executable was run.
>
> Then I would open a big bug with gccgo and tell them to fix their code.

I'd ping Ian Lance Taylor i...@google.com too.

Andrew.

Re: selinux alert from gccgo
On Thu, Jun 09, 2011 at 11:26:26AM -0400, Daniel J Walsh wrote:
> On 06/09/2011 09:19 AM, Neal Becker wrote:
>> I just compiled 'hello world.go' with gccgo on F15 and got selinux alert about mmap_zero when executable was run.
>
> Then I would open a big bug with gccgo and tell them to fix their code.
>
> mmap_zero is a known attack vector for exploiting kernel flaws, and almost no applications should need this access.
>
> Here is a discussion on it, and the problems that it caused SELinux.
>
> http://eparis.livejournal.com/

See https://bugzilla.redhat.com/show_bug.cgi?id=693143

mmap_zero audit message sounds like a kernel bug rather than gccgo, all it needs is executable stack (well, I think it really wants executable heap but is marked as needing executable stack). It has been reported to Ian, but nothing has been rewritten upstream yet.

Jakub
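
Added example, not part of any message in this thread: the last reply says the gccgo binary is marked as needing an executable stack. On Linux that marking is the ELF PT_GNU_STACK program header, and the Python check below reads it from a file. The function names gnu_stack_state and sample_elf64 are this example's own, and the sample image is constructed.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type that carries the stack permissions
PF_X = 0x1                 # "execute" bit in p_flags

def gnu_stack_state(data: bytes) -> str:
    """Classify an ELF image as 'executable', 'non-executable' or 'missing'."""
    if data[:4] != b"\x7fELF" or len(data) < 6:
        raise ValueError("not an ELF file")
    is64 = {1: False, 2: True}.get(data[4])    # EI_CLASS
    endian = {1: "<", 2: ">"}.get(data[5])     # EI_DATA
    if is64 is None or endian is None:
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    try:
        # e_phoff, then e_phentsize and e_phnum, at their fixed header offsets
        if is64:
            (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
            e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
        else:
            (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
            e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
        flags_off = 4 if is64 else 24          # p_flags position differs by class
        for i in range(e_phnum):
            off = e_phoff + i * e_phentsize
            (p_type,) = struct.unpack_from(endian + "I", data, off)
            if p_type == PT_GNU_STACK:
                (p_flags,) = struct.unpack_from(endian + "I", data, off + flags_off)
                return "executable" if p_flags & PF_X else "non-executable"
    except struct.error as exc:
        raise ValueError("truncated ELF headers") from exc
    return "missing"  # no PT_GNU_STACK entry: the architecture default applies

def sample_elf64(p_flags: int, p_type: int = PT_GNU_STACK) -> bytes:
    """Constructed 64-bit little-endian ELF image with a single program header."""
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0,
                       64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, gnu_stack_state(fh.read()))
    if len(sys.argv) == 1:
        print("constructed rwx sample:", gnu_stack_state(sample_elf64(0x7)))
        print("constructed rw- sample:", gnu_stack_state(sample_elf64(0x6)))
```

Run it with one or more binary paths as arguments; "executable" is the marking the reply refers to.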