[MPlayer-dev-eng] Mplayer: PT_GNU_STACK RWE

Reimar Döffinger Reimar.Doeffinger at stud.uni-karlsruhe.de
Wed Feb 23 12:53:48 CET 2005


Hi,
On Wed, Feb 23, 2005 at 06:41:26AM -0500, Ivan Gyurdiev wrote:
> On Wed, 2005-02-23 at 11:06 +0100, Reimar Döffinger wrote:
> >On Tue, Feb 22, 2005 at 09:20:12PM -0500, Ivan Gyurdiev wrote:
> >> It would be a lot easier to write the mplayer security policy
> >> if it didn't require executable stack.
> >
> >Just try what it break if it doesn't get it and tell us. Anyway one case
> >where it was really needed (one of the software scalers) was recently
> >fixed.
> 
> Well, the thing is, if it's marked RWE, and it isn't granted
> the appropriate privileges in SELinux, it doesn't work at all. 
> The problem is, I think, that the kernel translates all PROT_READ
> requests in mmap and mprotect to PROT_READ | PROT_EXEC for things
> marked PT_GNU_STACK RWE, or for things missing PT_GNU_STACK. 

Well, and how are these settings changed??
Also, I know that the stack protection works correctly on AMD64 without
any special measures (which is why one code part was changed), so I don't
really understand what the problem with SELinux is...

> >Chances are that even if it needs it you wont notice it because you
> >don't need that particular feature ;-).
> 
> Well, if that's the case then I don't know how me testing it will help.
> If you're saying this only occurs for some less frequently features,
> then you (the developers) are probably more qualified to find out
> what they are.

No, as at least I don't run SELinux I am not. Also I doubt I use MPlayer
any more than you do.

> I think linking with -z noexecstack should fix it - not sure.

If applications don't work at all (without giving special permissions)
on SELinux I'd consider it a bug that this flag is not default.
At least 99% of all MPlayer code should run fine with a non-executable
stack. The most critical parts are binary codec support, but IMHO you
won't want that anyway in an environment that justifies using SELinux...

Greetings,
Reimar Döffinger




More information about the MPlayer-dev-eng mailing list