[MPlayer-dev-eng] Mplayer: PT_GNU_STACK RWE

Ivan Gyurdiev ivg2 at cornell.edu
Wed Feb 23 13:20:02 CET 2005


>> Well, the thing is, if it's marked RWE, and it isn't granted
>> the appropriate privileges in SELinux, it doesn't work at all. 
>> The problem is, I think, that the kernel translates all PROT_READ
>> requests in mmap and mprotect to PROT_READ | PROT_EXEC for things
>> marked PT_GNU_STACK RWE, or for things missing PT_GNU_STACK. 
>
>Well, and how are these settings changed??

These settings are changed by giving more permissions to mplayer
in the SELinux security policy than it currently has.

The PT_GNU_STACK marking is changed (as far as I understand it, though
I could be wrong), by:
	a) Changing the code, so gcc does not emit the execute flag, or
	b) Adding the LD flag -z noexecstack, which forces noexec

>Also, I know that the stack protection works correctly on AMD64 without
>any special measures (which is why one code part was changed), so I don't
>really understand what the problem with SELinux is...

The problem is that mplayer has to be given broader permissions
than it currently has in the SELinux policy. If it really needs those
permissions, then that is fine. However, if mplayer doesn't actually
need the stack to be executable, those permissions should not be
granted, because they reduce the security of the system. The idea of
SELinux is to not give applications more permissions than they need.

That's why I asked if you really need the stack to be executable.
It's not that mplayer doesn't work. It does work - if it is given
the proper permissions. It's just that they seem too broad. 

Very few binaries on my system are actually marked RWE.
Basically mplayer, lame, gpg, inkscape, and the Sun JRE.
I've filed bugs with all of the above, so this list will hopefully 
go down. Executable stack = bad.


>> I think linking with -z noexecstack should fix it - not sure.
>
>If applications don't work at all (without giving special permissions)
>on SELinux I'd consider it a bug that this flag is not default.

You're misunderstanding. The applications would work, but they would
require permissions we don't want to give them.

Most applications do not require exec. stack and are not marked by gcc
as requiring that. Therefore they work on SELinux with no change. 
The applications that are marked as requiring executable stack need to
have a special policy written for them, with broader permissions
than the default generic domain. That's only on the Fedora strict
policy, not on the targeted policy. 

If the app works without exec. stack, it would be better if it was
marked PT_GNU_STACK RW, so it wouldn't need extra privileges and pose
extra security risk when those are granted to it.

>At least 99% of all MPlayer code should run fine with a non-executable
>stack. The most critical parts are binary codec support, but IMHO you
>won't want that anyway in an environment that justifies using SELinux...

So, you're saying binary codec support requires the executable stack,
therefore you can't get rid of it? If that's the case, then maybe 
I should just give mplayer the appropriate permissions.

-- 
Ivan Gyurdiev <ivg2 at cornell.edu>
Cornell University



