[MLton] reason for mprotect with PROT_EXEC ?

Adam Goode adam at spicenitz.org
Fri Feb 8 22:24:57 PST 2008


Wesley W. Terpstra wrote:
> On Feb 7, 2008, at 2:26 AM, Adam Goode wrote:
>> runtime/platform/mmap-protect.c line 10 contains an mprotect with
>> PROT_READ | PROT_WRITE | PROT_EXEC.
>>
>> Is PROT_EXEC needed? I'm asking because MLton compiled executables will
>> fail on Fedora 9 with this.
> 
> Why does it fail? This must be possible because mprotect is also used to
> set up the maps of the executable itself.
> 

It fails because Fedora has been gradually ratcheting up the SELinux
memory protections described here:
http://people.redhat.com/~drepper/selinux-mem.html

Now in Fedora 9 Alpha, all of these booleans are disabled by default.
That means by default, an application cannot make various kinds of
memory executable. The mprotect call fails with EACCES. Note that the
executable pages of the application itself are set up by the kernel's ELF
loader.

>> The function is GC_mmapAnon_safe_protect, and it looks like it is only
>> called once, through GC_init and initSignalStack. I doubt the signal
>> stack needs to be executable, but I am not totally sure. Am I right that
>> profiling is the only thing that uses the signal stack?
> 
> On some platforms the linux kernel places a "trampoline" on the stack as
> part of invoking a signal handler. If the stack is not executable, this
> will cause the program to segfault. In MLton, having an executable stack
> isn't as much of a concern as it would be in most programs, since
> hopefully the usage of C is small and stack overflows are impossible in ML.
> 

Hmm, you seem to be right. I guess these SELinux features won't work on
HPPA, and perhaps others.


>> I think we should take out the PROT_EXEC. If we don't, all MLton
>> compiled executables will need to be given special privileges to run on
>> Fedora 9.
> 
> What architecture are we talking about? i386 and amd64? If so, then I
> see no harm in removing PROT_EXEC for those specifically, but you can't
> get rid of it.
> 

Yeah, the architectures supported by Fedora. (i386, x86_64, ppc, ppc64)

> Is Fedora 9 using some sort of SELinux? Since when does using PROT_EXEC
> require extra privileges?
> 

My saying "extra privileges" is perhaps misleading. What actually
happens is that you must mark the file to have a special security
context (with chcon) that allows it to use PROT_EXEC. On Fedora 9, that
context is "system_u:object_r:unconfined_execmem_exec_t". If it were
just MLton, that would be ok, since I can mark that in the package. But
since all programs compiled with MLton do PROT_EXEC, they would all need
the chcon.


Hmm, I will probably just patch MLton in Fedora to not PROT_EXEC. But
this is still not perfect since if someone gives me a binary to run from
another machine, I will have to chcon it first. Oh well, nothing's
perfect. :-)



Thanks,

Adam
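The failure mode discussed in this thread can be reproduced and handled in a few lines. The program below is an added example, not MLton's runtime code: it maps an anonymous region the way a signal stack would be allocated, asks for the RWX protection that the original mmap-protect.c line requested, and reports the errno (EACCES under an SELinux execmem denial, EPERM on some hardened kernels, 0 where the policy allows it). A second helper allocates the same region with only PROT_READ | PROT_WRITE, which is all a signal stack needs on i386/x86_64 and which succeeds regardless of the execmem booleans. It assumes Linux with glibc; the function names are mine.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* for MAP_ANONYMOUS under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map an anonymous RW region, then try to mprotect it to `prot`.
 * Returns 0 if mprotect succeeded, the errno it reported otherwise
 * (EACCES is what an SELinux execmem denial produces), or -1 if the
 * mmap itself failed. The region is unmapped before returning. */
int try_mprotect_anon(int prot, size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int rc = 0;
    if (mprotect(p, len, prot) != 0)
        rc = errno;
    munmap(p, len);
    return rc;
}

/* 1 if the policy refuses to make writable anonymous memory executable
 * (the situation on Fedora 9 with the execmem booleans off), 0 if the
 * RWX mprotect is allowed, -1 on an unrelated mmap failure. */
int execmem_denied(size_t len) {
    int rc = try_mprotect_anon(PROT_READ | PROT_WRITE | PROT_EXEC, len);
    if (rc == -1)
        return -1;
    return (rc == EACCES || rc == EPERM) ? 1 : 0;
}

/* Allocate a signal stack without PROT_EXEC, surrounded by a guard page.
 * Returns the usable stack base, or NULL (with errno set) on failure.
 * This is the "drop PROT_EXEC" variant the thread proposes, written as
 * a stand-alone illustration rather than the project's own fix. */
void *alloc_signal_stack_rw(size_t stack_len, size_t page) {
    size_t total = stack_len + page;
    void *p = mmap(NULL, total, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    /* Leave the lowest page PROT_NONE as a guard; make the rest RW only. */
    if (mprotect((char *)p + page, stack_len, PROT_READ | PROT_WRITE) != 0) {
        int saved = errno;
        munmap(p, total);
        errno = saved;
        return NULL;
    }
    return (char *)p + page;
}

int main(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int rwx = try_mprotect_anon(PROT_READ | PROT_WRITE | PROT_EXEC, page);
    printf("mprotect RWX on anonymous memory: %s\n",
           rwx == 0 ? "allowed" : strerror(rwx));
    printf("execmem denied by policy: %d\n", execmem_denied(page));

    void *stk = alloc_signal_stack_rw(4 * page, page);
    if (stk == NULL) {
        printf("RW signal stack allocation failed: %s\n", strerror(errno));
        return 1;
    }
    printf("RW-only signal stack allocated at %p\n", stk);
    munmap((char *)stk - page, 5 * page);
    return 0;
}
```

On a stock kernel without an SELinux execmem restriction the first line prints "allowed"; on a system enforcing the policy described in the thread it prints "Permission denied", while the RW-only signal stack allocation succeeds in both cases, which is the behaviour the proposed patch relies on.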
