On Wed, 2005-02-23 at 10:06 +0000, Mike Hearn wrote:
On Tue, 22 Feb 2005 21:43:21 -0500, Ivan Gyurdiev wrote:
The inkscape binary is marked with PT_GNU_STACK RWE. This creates problems for the SELinux strict policy, and requires that special privileges be granted for inkscape as a "legacy domain".
Interesting, I thought SELinux was orthogonal to the execstack stuff.
I'm not familiar with all the details - it has to do with the way linking works, I think. It triggers execmem and execmod denials described here: http://www.nsa.gov/selinux/list-archive/0412/9720.cfm
Also, the kernel translates PROT_READ to PROT_READ | PROT_EXECUTE in mmap and mprotect if PT_GNU_STACK is missing, or is RWE. The SELinux people are writing a patch to address this issue separately, but the proposed solution so far further reduces the security of the system.
The question is, does inkscape really require an executable stack?
Almost certainly the answer is no.
Can it be corrected, then?
I'm not a gcc expert of any kind, but from what I've read I understand that asm code causes gcc to mark the binary as requiring executable stack. I think it can be overridden with ld -z noexecstack.
What version of GCC are you using? AFAIK assembly has not triggered PT_GNU_STACK generation for a while now, but you'd have to check with Ingo Molnar. I'm not sure it's wise to override GCC's heuristics though.
Well, I wouldn't know why exactly it gets marked RWE, but that's what happens. This is gcc-3.4.3-19.
It would be a lot easier to write the inkscape security policy if it didn't require executable stack.
Can't you just tell SELinux not to care about executable stacks? You can still restrict read/writes.
Well, I think the idea of SELinux is to not give programs privileges they don't actually need.
Though given that Inkscape has to be able to save files pretty much anywhere, I'm not sure how much you can really lock it down.
Yes, all of those issues can be worked around in the policy, but that makes the policy less secure. The case of inkscape would require writing a brand new policy for inkscape to place it in its own domain. That's because right now it runs in a "generic" user_t domain, which is used for all programs without their own policy. I don't think the SELinux people will agree to a workaround that applies to every other program in this domain.
In other words, yes, but it would be better if that wasn't necessary.
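The check the thread is arguing about, as an added example that is not part of the thread and not Inkscape's code: parse an ELF binary's program headers and report what its PT_GNU_STACK entry requests, the same information `readelf -lW` prints on the GNU_STACK line. It assumes ELF64 little-endian input (x86_64); the sample images it builds are constructed test input, not real binaries.

```python
import struct
from typing import Optional

PT_GNU_STACK = 0x6474E551            # p_type of the GNU_STACK program header
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4     # p_flags bits (E, W, R in readelf's output)

def gnu_stack_flags(elf: bytes) -> Optional[int]:
    """Return p_flags of the PT_GNU_STACK header, or None if it is absent.
    Only ELF64 little-endian (x86_64) is parsed; the same walk applies to ELF32."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def stack_is_executable(elf: bytes) -> bool:
    """True when the binary asks for an executable stack. A missing PT_GNU_STACK
    counts as executable too: as the thread notes, the kernel treats it like RWE."""
    flags = gnu_stack_flags(elf)
    return flags is None or bool(flags & PF_X)

def describe(flags: Optional[int]) -> str:
    """Render p_flags the way readelf does, e.g. 'RWE' or 'RW-'."""
    if flags is None:
        return "missing (treated as RWE)"
    return "".join(c if flags & b else "-" for c, b in (("R", PF_R), ("W", PF_W), ("E", PF_X)))

def make_elf(p_type: int, p_flags: int) -> bytes:
    """Constructed test input: a minimal ELF64 image with one program header.
    It is not a loadable binary, just enough header for the parser above."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)      # ELFCLASS64, LSB, version 1
    # e_type=ET_EXEC, e_machine=x86_64, e_phoff=64, e_ehsize=64, e_phentsize=56, e_phnum=1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_elf(PT_GNU_STACK, 7)
    print("GNU_STACK:", describe(gnu_stack_flags(data)), "-> executable stack:", stack_is_executable(data))
```

Run it on a real binary to see whether the RWE marking the thread describes is present; `readelf -lW <binary> | grep GNU_STACK` shows the same flags.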