[Haskell-cafe] GHC 6.6.1 and SELinux issues

Stefan O'Rear stefanor at cox.net
Wed Aug 29 16:03:56 EDT 2007


On Wed, Aug 29, 2007 at 10:40:41PM +0400, Alexander Vodomerov wrote:
> On Wed, Aug 29, 2007 at 08:41:12AM -0700, Bryan O'Sullivan wrote:
> 
> > The underlying problem is harder to fix: the default SELinux policy doesn't 
> > allow PROT_EXEC pages to be mapped with PROT_WRITE, for obvious reasons.  
> > The solution is expensive in terms of address space and TLB entries: map 
> > the same pages twice, once only with PROT_EXEC, and once only with 
> > PROT_WRITE.
> Just for experiment I've removed PROT_EXEC from my_mmap function in
> rts/MBlock.c and recompiled GHC. The resulting GHC was able to compile
> itself and my code. Binaries, produced by it worked fine with SELinux.
> However, another problem related to GHCi ocurred. More details are
> available at the 738 ticket you mentioned.
> 
> So it is not clear if GHC does really need this PROT_EXEC. Can someone 
> familiar with GHC internals answer why PROT_EXEC is used in getMBlocks?

It's not possible to correctly implement 'foreign import ccall
"wrapper"' without self-modifying code on any mainstream computer
architecture.  Does this program work on your no-PROT_EXEC ghc? :

{-# OPTIONS_GHC -ffi #-}
import Foreign

foreign import ccall "wrapper" wrap :: IO () -> IO (FunPtr (IO ()))
foreign import ccall "dynamic" call :: FunPtr (IO ()) -> IO ()

main = call =<< wrap (print "hi!")


Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://www.haskell.org/pipermail/haskell-cafe/attachments/20070829/78d0dc2d/attachment.bin


More information about the Haskell-Cafe mailing list