On 08/23/2012 02:33 PM, Andrew Bernat wrote:
> On Aug 23, 2012, at 4:04 PM, Josh Stone <jistone@xxxxxxxxxx> wrote:
>
>> Incidentally, another SELinux hit on my plate is allow_execstack. If
>> this boolean is not enabled, then libdyninstAPI_RT.so is completely
>> blocked. Now, it's obvious why Dyninst needs to both write and execute
>> the same memory, but the default security settings are understandably
>> wary of such games. See:
>>
>> http://www.akkadia.org/drepper/selinux-mem.html
>>
>> I'm not certain why Dyninst is triggering execstack rather than execmem,
>> but anyway...
>>
>> To avoid these protections, it suggests mapping the same memory at two
>> locations, once writable and once executable. So this is another thing
>> I might look into doing for Dyninst, if you're game.
>
> I believe that Dyninst is anathema to SELinux. But hey...
Perhaps, but advice to turn off SELinux makes engineers here cranky. ;)
These particular issues will hit even "unconfined" users, which is why
I'm keen to solve them at least.
When it comes to targeting confined processes, I'm sure the issues will
be greater and perhaps impossible to solve. Confinement is meant to
restrict what's normal behavior for a process, and injecting Dyninst
clearly changes the game. So for that kind of use, I think we'd have to
just set SELinux permissive (or disabled) temporarily.
> Again, that would be appreciated.
Great.
Josh
|