[Haskell-cafe] Re: GHC 6.6.1 and SELinux issues

Simon Marlow simonmarhaskell at gmail.com
Mon Sep 3 16:19:29 EDT 2007


Bryan O'Sullivan wrote:
> Alexander Vodomerov wrote:
> 
>> I've put GHC in unconfined_execmem_t and it started to work fine.  But
>> the problem is not in GHC -- it is in programs compiled by GHC. They
>> also require exec/write memory. Only root can grant unconfined_execmem
>> privileges, so simple user can not run binaries compiled by GHC. How do
>> you solve this problem?
> 
> Running "chcon -t unconfined_execmem_exec_t" as root will let you run 
> the binaries, which you probably already knew.
> 
> The underlying problem is harder to fix: the default SELinux policy 
> doesn't allow PROT_EXEC pages to be mapped with PROT_WRITE, for obvious 
> reasons.  The solution is expensive in terms of address space and TLB 
> entries: map the same pages twice, once only with PROT_EXEC, and once 
> only with PROT_WRITE.
> 
> There's already a Trac ticket filed against this problem, but Simon 
> Marlow marked it as closed because he couldn't test the code he wrote to 
> try to fix it, and nobody stepped in to help out at the time: 
> http://hackage.haskell.org/trac/ghc/ticket/738

IIRC, what I did was work around execheap, not execmem (and similar 
problems with "Data Execution Prevention" on Windows).  There aren't any 
uncommitted patches.

Does anyone know how the dynamic linker works?  Does it map the pages 
writable first, then mprotect them executable/read-only after relocation? 
I guess we should do this in the RTS linker, and use the double-mapping 
trick for foreign-import-wrapper stuff.

Cheers,
	Simon
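The double-mapping trick mentioned in the quoted reply, as an added example (not code from GHC or from this thread): one shared memory object is mapped twice, once read/write and once read/execute, so no single mapping is both writable and executable. It assumes Linux with the memfd_create system call; the dual_map_* names are hypothetical, the bytes written are constructed sample data, and nothing is executed.

```c
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Two views of the same pages; neither is both writable and executable. */
struct dual_map {
    unsigned char *rw;   /* PROT_READ|PROT_WRITE view: generated code is written here */
    unsigned char *rx;   /* PROT_READ|PROT_EXEC view: code would be called through here */
    size_t len;
};

void dual_map_destroy(struct dual_map *m)
{
    if (m->rw != MAP_FAILED) munmap(m->rw, m->len);
    if (m->rx != MAP_FAILED) munmap(m->rx, m->len);
}

/* Returns 0 on success, -1 if the object or either mapping cannot be created. */
int dual_map_create(struct dual_map *m, size_t len)
{
    /* Anonymous shared-memory file; the raw syscall avoids needing _GNU_SOURCE. */
    int fd = (int)syscall(SYS_memfd_create, "dual-map-demo", 0U);
    if (fd < 0) return -1;
    m->len = len;
    m->rw = m->rx = MAP_FAILED;
    if (ftruncate(fd, (off_t)len) == 0) {
        m->rw = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        m->rx = mmap(NULL, len, PROT_READ | PROT_EXEC,  MAP_SHARED, fd, 0);
    }
    close(fd);   /* the mappings keep the pages alive */
    if (m->rw == MAP_FAILED || m->rx == MAP_FAILED) { dual_map_destroy(m); return -1; }
    return 0;
}

/* Writes through the RW view and reads back through the RX view.
 * Returns 1 if both views show the same bytes, 0 if not, -1 on setup failure. */
int dual_map_demo(void)
{
    static const unsigned char marker[] = "constructed sample bytes, not code";
    struct dual_map m;
    if (dual_map_create(&m, (size_t)sysconf(_SC_PAGESIZE)) != 0) return -1;
    memcpy(m.rw, marker, sizeof marker);
    int ok = m.rw != m.rx && memcmp(m.rx, marker, sizeof marker) == 0;
    dual_map_destroy(&m);
    return ok;
}

int main(void) { return dual_map_demo() == 1 ? 0 : 1; }
```

The cost named in the quoted reply is visible here: each region consumes two ranges of address space (and TLB entries) for one set of physical pages.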

