[ATrpms-devel] libgcrypt selinux execstack

Tim Fenn fenn at stanford.edu
Thu Jun 29 20:54:49 CEST 2006


On Thu, Jun 29, 2006 at 12:41:13PM +0200, Axel Thimm wrote:
> On Thu, Jun 29, 2006 at 03:16:12AM -0700, Tim Fenn wrote:
> > On Thu, Jun 29, 2006 at 11:47:09AM +0200, Axel Thimm wrote:
> > > On Wed, Jun 28, 2006 at 01:17:02PM -0700, Tim Fenn wrote:
> > > > Hi Axel:
> > > > 
> > > > It seems like you've already been informed of at least one library
> > > > with an execstack problem:
> > > > 
> > > > http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00024.html
> > > > 
> > > > But I've noticed libgcrypt11 also has similar problems
> > > > (libgcrypt11-1.2.2-11.rhfc5.at, in my case), with the unfortunate side
> > > > effect of killing any daemons that try to use it in enforcing mode and
> > > > execstack checked.
> > > 
> > > Have you tried using execstack -s? If that works, then I'll package it
> > > in.
> > 
> > If by execstack -s you mean execstack -c, then yes, it does fix the
> > problem.  ;)
> 
> Indeed this is what is recommended, but I don't understand it: -c
> marks the binary as not requiring execstack, so that means that during
> the build process the toolchain got confused as to whether execstack
> is needed or not (due to unmarked assembly)?
> 
> https://www.redhat.com/archives/fedora-devel-list/2005-March/msg00460.html
> 

As far as I understand it, yes.  (I'm no pro at this, but from what
little I've read the assembler can't determine the executability
requirement of assembler code on its own, whereas the linker always
defaults to no-executable stack.)

> In that case can we be certain that no executable stack is required
> w/o reviewing the source (and in doing so the assembly GNU-stack
> markers could be fixed, so no execstack -c is required at the end)?
> 

In this case we'd have to audit the assembly code.  o_O

> Ubuntu seems to think similar and simply disables assembly:
> 
> https://launchpad.net/distros/ubuntu/+source/libgcrypt11/+bug/49192
> 

Well, further down the page is a patch that seems more reasonable, by
telling the assembler to not set the executable stack bit.  You
basically go through all the .S files and append
".section .note.GNU-stack,"",@progbits" to each.  Alternatively, just
add "-Wa,--execstack" to the build options.

> > Sorry - I should have made note of that in my OP.
> > 
> > (BTW, do you prefer I just report these sorts of things in bugzilla?)
> 
> bugzilla is nice as a reminder of things to do/fix and is a good URL
> pointer, but not as a discussion ground - it certainly has more the
> color of PM than a list discussion. I'd say it depends on the poster.
> 
> Maybe the best is doing both, e.g. file a bugzilla report and notify
> the list, so whoever is interested can go to the bug report.

Will do.

-Tim
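To make concrete what `execstack -q` / `execstack -c` and the SELinux execstack check are actually looking at, here is an added example (mine, not code from the thread, from libgcrypt or from ATrpms). It parses the PT_GNU_STACK program header of a constructed ELF64 image, flips its executable bit the way `execstack -c` / `-s` does, and models the GNU ld rule that a single input object without a `.note.GNU-stack` section (the unmarked hand-written `.S` case discussed above) turns the stack of the whole output library executable. The function names, the inline ELF image and the `ld_stack_flags` model are my own assumptions; the real `execstack` tool also handles binaries that carry no PT_GNU_STACK header at all, which this model does not.

```python
"""Added example, not code from the thread or from libgcrypt/ATrpms.

Reads the PT_GNU_STACK program header that `execstack -q` and the
SELinux execstack check consult, flips the flag like `execstack -c`/-s,
and models how GNU ld merges the per-object .note.GNU-stack markers.
The ELF image is constructed inline so the script runs offline.
"""
import struct

PT_GNU_STACK = 0x6474E551          # PT_LOOS + 0x474e551
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<16sHHIQQQIHHHHHH"     # Elf64_Ehdr, little-endian
PHDR_FMT = "<IIQQQQQQ"             # Elf64_Phdr
EHDR_SIZE = struct.calcsize(EHDR_FMT)   # 64
PHDR_SIZE = struct.calcsize(PHDR_FMT)   # 56


def build_elf64(stack_flags):
    """Constructed minimal ELF64 (x86-64, ET_DYN) with at most one program
    header. stack_flags=None omits PT_GNU_STACK entirely."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags,
                                 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LE, v1
    ehdr = struct.pack(EHDR_FMT, ident, 3, 62, 1, 0,       # ET_DYN, EM_X86_64
                       EHDR_SIZE if phdrs else 0, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


def _phdrs(elf):
    """Yield (file offset, unpacked Elf64_Phdr) for every program header."""
    fields = struct.unpack_from(EHDR_FMT, elf, 0)
    if fields[0][:4] != b"\x7fELF" or fields[0][4] != 2:
        raise ValueError("not an ELF64 image")
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    for i in range(phnum):
        off = phoff + i * phentsize
        yield off, struct.unpack_from(PHDR_FMT, elf, off)


def stack_policy(elf):
    """Same answer `execstack -q` prints: 'X' executable stack requested,
    '-' non-executable, '?' no PT_GNU_STACK header (the kernel then falls
    back to its architecture default, which is executable on x86)."""
    for _, ph in _phdrs(elf):
        if ph[0] == PT_GNU_STACK:
            return "X" if ph[1] & PF_X else "-"
    return "?"


def set_stack_exec(elf, executable):
    """What `execstack -s` (True) / `execstack -c` (False) do to a binary
    that already has PT_GNU_STACK: rewrite p_flags in place. The real
    tool also adds the header when it is missing; this model does not."""
    buf = bytearray(elf)
    for off, ph in _phdrs(elf):
        if ph[0] == PT_GNU_STACK:
            flags = (ph[1] | PF_X) if executable else (ph[1] & ~PF_X)
            struct.pack_into("<I", buf, off + 4, flags)   # p_flags follows p_type
            return bytes(buf)
    raise ValueError("no PT_GNU_STACK header; execstack would need to add one")


def ld_stack_flags(inputs):
    """Model (assumption, simplified) of how GNU ld derives the output
    PT_GNU_STACK flags. Each input object is 'noexec' (empty
    .note.GNU-stack, what gcc emits for C), 'exec' (note with the X bit)
    or 'unmarked' (no note at all, the hand-written .S case). One
    unmarked or exec input is enough to make the whole library's stack
    executable, which is why `execstack -c` on the final .so works."""
    flags = PF_R | PF_W
    if any(kind in ("exec", "unmarked") for kind in inputs):
        flags |= PF_X
    return flags


if __name__ == "__main__":
    for label, flags in (("marked non-exec", PF_R | PF_W),
                         ("execstack", PF_R | PF_W | PF_X),
                         ("no PT_GNU_STACK", None)):
        print(stack_policy(build_elf64(flags)), label)
    fixed = set_stack_exec(build_elf64(PF_R | PF_W | PF_X), False)
    print(stack_policy(fixed), "after execstack -c")
    print(stack_policy(build_elf64(ld_stack_flags(["noexec", "unmarked"]))),
          "C objects linked with one unmarked .S object")
```

On a real library the equivalent check is `execstack -q /path/to/libgcrypt.so.11` or `readelf -lW libgcrypt.so.11 | grep GNU_STACK`. At build time the marker GNU as writes into each object is the `.note.GNU-stack` section, so either adding `.section .note.GNU-stack,"",@progbits` to every `.S` file or assembling with `--noexecstack` makes the linker's merge come out non-executable without a post-build `execstack -c`.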
