On Mon, 12 Jul 2010 19:22:47 +1000 Russell Coker <russell@xxxxxxxxxxxx> wrote:

> cli_bytecode_init_jit() in libclamav/c++/bytecode2llvm.cpp in the
> clamav source tree has the following:
>
>     sys::MemoryBlock B = sys::Memory::AllocateRWX(4096, NULL, &ErrMsg);
>     if (B.base() == 0) {
>         errs() << MODULE << ErrMsg << "\n";
> #ifdef __linux__
>         errs() << MODULE << "SELinux is preventing 'execmem' access. Run 'setsebool -P clamd_use_jit on' to allow access\n";
> #endif
>         errs() << MODULE << "falling back to interpreter mode\n";
>         return 0;
>     } else {
>         sys::Memory::ReleaseRWX(B);
>     }
>
> The fact that the developers assumed that SE Linux is the only
> mechanism that prevents RWX access is interesting.

SELinux seems to be the only one which prevents RWX in a "nice way" (i.e. mmap of RWX fails), which allows ClamAV to fall back to non-JIT mode [*]. PaX, for example, allows the mapping and just kills the program when RWX is attempted.

> Now the boolean in question only applies to the clamd_t domain, not
> the freshclam_t domain, but for some reason freshclam uses the jit
> anyway.

Starting with 0.96.1 freshclam loads the databases to test them, which is why it suddenly needs the JIT.

> Should we put in a dontaudit rule for freshclam_t or include
> it in the boolean section so that it gets execmem access if clamd_t
> gets it?

IMHO clamd, clamscan and freshclam's execmem should be controlled by the same boolean.

> Also on my system the error message about SE Linux doesn't seem to
> get written to the log file, so I only found it by reading the source.

Yes, unfortunately libclamav doesn't have access to clamd's logfile, and clamd redirects stderr to /dev/null. That might change in a future release.
[*] I have some plans to make the JIT work without RWX, since ClamAV has 2 phases:
 - load DB, JIT compile bytecode (should use only RW- mapping, but currently needs RWX)
 - execute (JIT compiled) bytecode (should change mapping to be R-X)
It requires some changes to the JIT though (it still emits some stubs that need RWX during the DB load).

Best regards,
--Edwin

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
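The two paths discussed in this thread, as an added example written for this page (not ClamAV's or Edwin's code): the RWX probe libclamav performs before choosing JIT or interpreter, and the two-phase RW- then R-X scheme from the footnote, which never holds a page that is both writable and executable, the property PaX enforces. It assumes Linux on x86-64 or aarch64; the stub bytes, page size and function names are my own constructions.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

#define PAGE 4096

/* Mirrors the libclamav probe quoted above: request one RWX page, release it.
 * Returns 1 if the kernel allowed it, 0 if it refused (with SELinux execmem
 * denied, the mmap itself fails), i.e. the case where ClamAV falls back. */
int probe_rwx(void) {
    void *p = mmap(NULL, PAGE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    munmap(p, PAGE);
    return 1;
}

/* Two-phase scheme from the footnote, never holding an RWX page:
 *   phase 1 (DB load / compile): RW- mapping, generated code is written here
 *   phase 2 (execute):           mprotect to R-X, then call into it
 * Returns the stub's result (42), -1 if mmap fails, -2 if the R-X flip is
 * refused, -3 on an architecture the constructed stub does not cover. */
long jit_twophase(void) {
#if defined(__x86_64__)
    /* constructed stub: mov eax, 42 ; ret */
    static const uint8_t code[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3};
#elif defined(__aarch64__)
    /* constructed stub: mov w0, #42 ; ret (little-endian instruction words) */
    static const uint8_t code[] = {0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6};
#else
    static const uint8_t code[] = {0};
    if (sizeof code == 1) return -3;
#endif
    uint8_t *mem = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, code, sizeof code);     /* phase 1: writable, not executable */
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof code);
    if (mprotect(mem, PAGE, PROT_READ | PROT_EXEC) != 0) {  /* phase 2: W^X flip */
        munmap(mem, PAGE);
        return -2;
    }
    int (*fn)(void) = (int (*)(void))(uintptr_t)mem;
    long r = fn();
    munmap(mem, PAGE);
    return r;
}
```

Under SELinux the R-X flip of anonymous memory is itself an execmem check, so with the boolean off the two-phase form reports -2 instead of executing, while under PaX it runs because no RWX page ever exists.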