Disable execmem for sparc

From: "Tom \"spot\" Callaway" <tcallawa@redhat.com>
Date: Wed, 24 Mar 2010 17:52:57 -0400

> Attached is a patch which disables execmem for sparc. Without it,
> selinux does not work at all on SPARC64.
> 
> This patch should be reasonably non-controversial, because this is
> already being done for PPC32.
> 
> Tested-by: Tom "spot" Callaway <tcallawa@redhat.com> (Ultra 10, T5220)
>            Dennis Gilmore <dgilmore@redhat.com>
> Signed-off-by: Tom "spot" Callaway <tcallawa@redhat.com>

What is the reason why it doesn't work, I'm just curious?

Is there some dependency upon executable stacks or executable data
segments always working?  Why can't SELINUX protect be used with
that correctly?

And since we're touching selinux code we need to at a minimum
CC: them so they can have a look at your change.

--------------------
--
To unsubscribe from this list: send the line "unsubscribe sparclinux" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Thursday 25 March 2010 03:24:58 pm David Miller wrote:
> From: "Tom \"spot\" Callaway" <tcallawa@redhat.com>
> Date: Wed, 24 Mar 2010 17:52:57 -0400
> 
> > Attached is a patch which disables execmem for sparc. Without it,
> > selinux does not work at all on SPARC64.
> > 
> > This patch should be reasonably non-controversial, because this is
> > already being done for PPC32.
> > 
> > Tested-by: Tom "spot" Callaway <tcallawa@redhat.com> (Ultra 10, T5220)
> > 
> >            Dennis Gilmore <dgilmore@redhat.com>
> > 
> > Signed-off-by: Tom "spot" Callaway <tcallawa@redhat.com>
> 
> What is the reason why it doesn't work, I'm just curious?
> 
> Is there some dependency upon executable stacks or executable data
> segments always working?  Why can't SELINUX protect be used with
> that correctly?

what happens is that almost all binaries end up with execmem set  and selinux 
prevents them from running.  the system fails to even get close to coming up 
in a usable state

Dec 31 18:00:40 sparcbook kernel: type=1400 audit(8.160:3): avc:  denied  { 
execmem } for  pid=208 comm="consoletype" 
scontext=system_u:system_r:consoletype_t:s0 
tcontext=system_u:system_r:consoletype_t:s0 tclass=process
Dec 31 18:00:40 sparcbook kernel: type=1400 audit(8.315:4): avc:  denied  { 
execmem } for  pid=211 comm="hostname" 
scontext=system_u:system_r:hostname_t:s0 
tcontext=system_u:system_r:hostname_t:s0 tclass=process
Dec 31 18:00:40 sparcbook kernel: type=1400 audit(8.520:5): avc:  denied  { 
execmem } for  pid=213 comm="mount" scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:system_r:mount_t:s0 tclass=process
Dec 31 18:00:40 sparcbook kernel: type=1400 audit(8.570:6): avc:  denied  { 
execmem } for  pid=203 comm="readahead-colle" 
scontext=system_u:system_r:readahead_t:s0 
tcontext=system_u:system_r:readahead_t:s0 tclass=process

is a small sample of the logs you get  not everything fails but almost 
everything

> 
> And since we're touching selinux code we need to at a minimum
> CC: them so they can have a look at your change.
> 
> --------------------
> diff -up linux-2.6.32.noarch/security/selinux/hooks.c.mprotect-sparc
> linux-2.6.32.noarch/security/selinux/hooks.c ---
> linux-2.6.32.noarch/security/selinux/hooks.c.mprotect-sparc	2010-03-10
> 08:28:20.957571926 -0500 +++
> linux-2.6.32.noarch/security/selinux/hooks.c	2010-03-10 08:29:15.732698763
> -0500 @@ -3010,7 +3010,7 @@ static int file_map_prot_check(struct fi
>  	const struct cred *cred = current_cred();
>  	int rc = 0;
> 
> -#ifndef CONFIG_PPC32
> +#if !defined(CONFIG_PPC32) && !defined(CONFIG_SPARC)
>  	if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
>  		/*
>  		 * We are making executable an anonymous mapping or a
> @@ -3082,7 +3082,7 @@ static int selinux_file_mprotect(struct
>  	if (selinux_checkreqprot)
>  		prot = reqprot;
> 
> -#ifndef CONFIG_PPC32
> +#if !defined(CONFIG_PPC32) && !defined(CONFIG_SPARC)
>  	if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
>  		int rc = 0;
>  		if (vma->vm_start >= vma->vm_mm->start_brk &&
> --
> To unsubscribe from this list: send the line "unsubscribe sparclinux" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Thu, 2010-03-25 at 15:48 -0500, Dennis Gilmore wrote:
> On Thursday 25 March 2010 03:24:58 pm David Miller wrote:
> > From: "Tom \"spot\" Callaway" <tcallawa@redhat.com>
> > Date: Wed, 24 Mar 2010 17:52:57 -0400
> > 
> > > Attached is a patch which disables execmem for sparc. Without it,
> > > selinux does not work at all on SPARC64.
> > > 
> > > This patch should be reasonably non-controversial, because this is
> > > already being done for PPC32.
> > > 
> > > Tested-by: Tom "spot" Callaway <tcallawa@redhat.com> (Ultra 10, T5220)
> > > 
> > >            Dennis Gilmore <dgilmore@redhat.com>
> > > 
> > > Signed-off-by: Tom "spot" Callaway <tcallawa@redhat.com>
> > 
> > What is the reason why it doesn't work, I'm just curious?
> > 
> > Is there some dependency upon executable stacks or executable data
> > segments always working?  Why can't SELINUX protect be used with
> > that correctly?
> 
> what happens is that almost all binaries end up with execmem set  and selinux 
> prevents them from running.  the system fails to even get close to coming up 
> in a usable state
> 
> Dec 31 18:00:40 sparcbook kernel: type=1400 audit(8.160:3): avc:  denied  { 
> execmem } for  pid=208 comm="consoletype" 
> scontext=system_u:system_r:consoletype_t:s0 
> tcontext=system_u:system_r:consoletype_t:s0 tclass=process
> Dec 31 18:00:40 sparcbook kernel: type=1400 audit(8.315:4): avc:  denied  { 
> execmem } for  pid=211 comm="hostname" 
> scontext=system_u:system_r:hostname_t:s0 
> tcontext=system_u:system_r:hostname_t:s0 tclass=process
> Dec 31 18:00:40 sparcbook kernel: type=1400 audit(8.520:5): avc:  denied  { 
> execmem } for  pid=213 comm="mount" scontext=system_u:system_r:mount_t:s0 
> tcontext=system_u:system_r:mount_t:s0 tclass=process
> Dec 31 18:00:40 sparcbook kernel: type=1400 audit(8.570:6): avc:  denied  { 
> execmem } for  pid=203 comm="readahead-colle" 
> scontext=system_u:system_r:readahead_t:s0 
> tcontext=system_u:system_r:readahead_t:s0 tclass=process
> 
> is a small sample of the logs you get  not everything fails but almost 
> everything

I think we need to understand why this is happening - it usually
reflects a toolchain problem (that was the case in the ppc32 situation,
and was later fixed in Fedora through an updated toolchain and rebuilt
userland).  eu-readelf -l /bin/hostname shows what?

> > 
> > And since we're touching selinux code we need to at a minimum
> > CC: them so they can have a look at your change.
> > 
> > --------------------
> > diff -up linux-2.6.32.noarch/security/selinux/hooks.c.mprotect-sparc
> > linux-2.6.32.noarch/security/selinux/hooks.c ---
> > linux-2.6.32.noarch/security/selinux/hooks.c.mprotect-sparc	2010-03-10
> > 08:28:20.957571926 -0500 +++
> > linux-2.6.32.noarch/security/selinux/hooks.c	2010-03-10 08:29:15.732698763
> > -0500 @@ -3010,7 +3010,7 @@ static int file_map_prot_check(struct fi
> >  	const struct cred *cred = current_cred();
> >  	int rc = 0;
> > 
> > -#ifndef CONFIG_PPC32
> > +#if !defined(CONFIG_PPC32) && !defined(CONFIG_SPARC)
> >  	if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
> >  		/*
> >  		 * We are making executable an anonymous mapping or a
> > @@ -3082,7 +3082,7 @@ static int selinux_file_mprotect(struct
> >  	if (selinux_checkreqprot)
> >  		prot = reqprot;
> > 
> > -#ifndef CONFIG_PPC32
> > +#if !defined(CONFIG_PPC32) && !defined(CONFIG_SPARC)
> >  	if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
> >  		int rc = 0;
> >  		if (vma->vm_start >= vma->vm_mm->start_brk &&
> > --
> > To unsubscribe from this list: send the line "unsubscribe sparclinux" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
>

On Friday 26 March 2010 10:33:50 am Stephen Smalley wrote:
> On Thu, 2010-03-25 at 15:48 -0500, Dennis Gilmore wrote:
> > On Thursday 25 March 2010 03:24:58 pm David Miller wrote:
> > > From: "Tom \"spot\" Callaway" <tcallawa@redhat.com>
> > > Date: Wed, 24 Mar 2010 17:52:57 -0400
> > > 
> > > > Attached is a patch which disables execmem for sparc. Without it,
> > > > selinux does not work at all on SPARC64.
> > > > 
> > > > This patch should be reasonably non-controversial, because this is
> > > > already being done for PPC32.
> > > > 
> > > > Tested-by: Tom "spot" Callaway <tcallawa@redhat.com> (Ultra 10,
> > > > T5220)
> > > > 
> > > >            Dennis Gilmore <dgilmore@redhat.com>
> > > > 
> > > > Signed-off-by: Tom "spot" Callaway <tcallawa@redhat.com>
> > > 
> > > What is the reason why it doesn't work, I'm just curious?
> > > 
> > > Is there some dependency upon executable stacks or executable data
> > > segments always working?  Why can't SELINUX protect be used with
> > > that correctly?
> > 
> > what happens is that almost all binaries end up with execmem set  and
> > selinux prevents them from running.  the system fails to even get close
> > to coming up in a usable state
> > 
> > Dec 31 18:00:40 sparcbook kernel: type=1400 audit(8.160:3): avc:  denied 
> > { execmem } for  pid=208 comm="consoletype"
> > scontext=system_u:system_r:consoletype_t:s0
> > tcontext=system_u:system_r:consoletype_t:s0 tclass=process
> > Dec 31 18:00:40 sparcbook kernel: type=1400 audit(8.315:4): avc:  denied 
> > { execmem } for  pid=211 comm="hostname"
> > scontext=system_u:system_r:hostname_t:s0
> > tcontext=system_u:system_r:hostname_t:s0 tclass=process
> > Dec 31 18:00:40 sparcbook kernel: type=1400 audit(8.520:5): avc:  denied 
> > { execmem } for  pid=213 comm="mount"
> > scontext=system_u:system_r:mount_t:s0
> > tcontext=system_u:system_r:mount_t:s0 tclass=process
> > Dec 31 18:00:40 sparcbook kernel: type=1400 audit(8.570:6): avc:  denied 
> > { execmem } for  pid=203 comm="readahead-colle"
> > scontext=system_u:system_r:readahead_t:s0
> > tcontext=system_u:system_r:readahead_t:s0 tclass=process
> > 
> > is a small sample of the logs you get  not everything fails but almost
> > everything
> 
> I think we need to understand why this is happening - it usually
> reflects a toolchain problem (that was the case in the ppc32 situation,
> and was later fixed in Fedora through an updated toolchain and rebuilt
> userland).  eu-readelf -l /bin/hostname shows what?
eu-readelf -l /bin/hostname
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  PHDR           0x000034 0x00010034 0x00010034 0x000100 0x000100 R E 0x4
  INTERP         0x000134 0x00010134 0x00010134 0x000013 0x000013 R   0x1
        [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x00010000 0x00010000 0x002204 0x002204 R E 0x10000
  LOAD           0x002204 0x00022204 0x00022204 0x000284 0x0002ac RWE 0x10000
  DYNAMIC        0x002218 0x00022218 0x00022218 0x0000d0 0x0000d0 RW  0x4
  NOTE           0x000148 0x00010148 0x00010148 0x000044 0x000044 R   0x4
  GNU_EH_FRAME   0x002110 0x00012110 0x00012110 0x00003c 0x00003c R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x000000 0x000000 RW  0x4

 Section to Segment mapping:
  Segment Sections...
   00     
   01      [RO: .interp]
   02      [RO: .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym 
.dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .text .fini 
.rodata .eh_frame_hdr .eh_frame]
   03      .ctors .dtors .jcr .dynamic .got .plt .data .bss
   04      .dynamic
   05      [RO: .note.ABI-tag .note.gnu.build-id]
   06      [RO: .eh_frame_hdr]
   07     

> 
> > > And since we're touching selinux code we need to at a minimum
> > > CC: them so they can have a look at your change.
> > > 
> > > --------------------
> > > diff -up linux-2.6.32.noarch/security/selinux/hooks.c.mprotect-sparc
> > > linux-2.6.32.noarch/security/selinux/hooks.c ---
> > > linux-2.6.32.noarch/security/selinux/hooks.c.mprotect-sparc	2010-03-10
> > > 08:28:20.957571926 -0500 +++
> > > linux-2.6.32.noarch/security/selinux/hooks.c	2010-03-10
> > > 08:29:15.732698763 -0500 @@ -3010,7 +3010,7 @@ static int
> > > file_map_prot_check(struct fi
> > > 
> > >  	const struct cred *cred = current_cred();
> > >  	int rc = 0;
> > > 
> > > -#ifndef CONFIG_PPC32
> > > +#if !defined(CONFIG_PPC32) && !defined(CONFIG_SPARC)
> > > 
> > >  	if ((prot & PROT_EXEC) && (!file || (!shared && (prot &
> > >  	PROT_WRITE)))) {
> > >  	
> > >  		/*
> > >  		
> > >  		 * We are making executable an anonymous mapping or a
> > > 
> > > @@ -3082,7 +3082,7 @@ static int selinux_file_mprotect(struct
> > > 
> > >  	if (selinux_checkreqprot)
> > >  	
> > >  		prot = reqprot;
> > > 
> > > -#ifndef CONFIG_PPC32
> > > +#if !defined(CONFIG_PPC32) && !defined(CONFIG_SPARC)
> > > 
> > >  	if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
> > >  	
> > >  		int rc = 0;
> > >  		if (vma->vm_start >= vma->vm_mm->start_brk &&
> > > 
> > > --
> > > To unsubscribe from this list: send the line "unsubscribe sparclinux"
> > > in the body of a message to majordomo@vger.kernel.org
> > > More majordomo info at  http://vger.kernel.org/majordomo-info.html

Ping?  We need to figure out why this is actually happening
instead of just blindly adding this ifdef and saying "oh well."
--
To unsubscribe from this list: send the line "unsubscribe sparclinux" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html