F39 Proposal: LIBFFI34 static trampolines (System-Wide Change)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://fedoraproject.org/wiki/Changes/LIBFFI34_static_trampolines

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.


== Summary ==
Libffi is currently configured to use dynamic trampolines, which
require some source of memory which is both writable and executable.
This is an obvious security issue, and selinux and system defaults
have made it more and more difficult to safely provide this memory to
libffi clients.  With this change, libffi will be configured to use
static trampolines, which do not require such memory, and will not
pose those security and administrative risks.

== Owner ==

* Name: [[User:djdelorie| DJ Delorie]]
* Email: dj@xxxxxxxxxx



== Detailed Description ==
The change itself is simple - libffi will no longer be configured with
--disable-exec-static-tramp, which changes how closures are generated.
Closures, and libffi, are used in many interpreted languages.  There
are about 145 packages that depend, directly or indirectly, on libffi.
I ran the Mass Prebuilder.  Of those 145, 10 already FTBFS, and 1 saw
a new failure.

The Mass PreBuilder has indicated that cjs (Javascript Bindings for
Cinnamon) will fail to build with static trampolines.  We debugged
this a bit and noted that cjs's upstream seems to be behind the gjs
upstream (the gjs package builds OK) it tracks, and is missing at
least two closure-related changes (although simply adding those two
changes proved nontrivial).

== Feedback ==


== Benefit to Fedora ==

This change is needed to fully secure Fedora systems against attacks
that use self-modifying code.

The cjs build failure affects the Cinnamon spin.

== Scope ==
* Proposal owners:
The change is a single line in the spec file.

* Other developers:

The cjs package will need to be fixed to build with the new libffi.

Other libffi users will need to be aware of this change if they make
closure-related changes to their packages, but should not need to take
any actions at this time.

* Release engineering: [https://pagure.io/releng/issues #Releng issue number]

This change does not affect release engineering or any other packaging
issues.  No mass rebuild is required.

* Policies and guidelines: N/A (not needed for this Change)

* Trademark approval: N/A (not needed for this Change)


* Alignment with Community Initiatives: N/A

== Upgrade/compatibility impact ==

This change does not change ABI but that assumes clients are not
abusing the ABI; the static vs dynamic trampoline change is an
internal implementation.


== How To Test ==

Testing static trampolines is the same as testing libffi, with the
exception that the tests should pass despite having all writable
filesystems locked with selinux such that executable maps cannot be
requested.  A security context that does not allow the memfd_create()
syscall would further isolate this change.


== User Experience ==

Users will be able to follow latest security recommendations without
concern for whether interpreters will stop working.

== Dependencies ==

As noted above, the cjs package requires work before this change can
go through.  They have noted that they'll be rebasing to 5.8.x:
https://bugzilla.redhat.com/show_bug.cgi?id=2193287

Note that cjs has rebased to 5.6.1 in the interim, just to fix this
bug.  I've tested it and it works with static trampolines.


== Contingency Plan ==

Reverting the one line spec file change will revert this change, with
no changes needed elsewhere.  Not completing this change in time does
not negatively impact other package, or Fedora's ability to ship on
time.

* Contingency mechanism: We can revert the change at any time, without
needing to rebuild any other packages.

* Contingency deadline: Any time before shipping.

* Blocks release? No.


== Documentation ==

This is an internal change that should not need nor affect any documentation.

== Release Notes ==

This change should not require any release notes.


--
Aoife Moloney

Product Owner

Community Platform Engineering Team

Red Hat EMEA

Communications House

Cork Road

Waterford
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux