Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 593478

Summary: dev-lang/ruby and dev-ruby/ffi support for Hardened Gentoo
Product: Gentoo Linux Reporter: Hans de Graaff <graaff>
Component: Current packagesAssignee: Gentoo Ruby Team <ruby>
Status: CONFIRMED ---    
Severity: normal CC: hardened, kingjon3377
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---
Attachments: dev-ruby/ffi patch

Description Hans de Graaff gentoo-dev 2016-09-11 08:55:46 UTC
We currently don't support the combination of FFI with ruby and Hardened Gentoo (specifically PaX).

The easy solution/work-around is to use pax-mark m on /usr/bin/ruby to turn off mprotect altogether, but this is not really desirable from a security standpoint. It would be better to get EMUTRAMP support working as we already do for python. Then we only need pax-mark E.

This requires changes to the ruby ebuilds so set the marking similar to dev-lang/python, and changes to dev-ruby/ffi to work with EMUTRAMP.
Comment 1 Hans de Graaff gentoo-dev 2016-09-11 09:00:35 UTC
The current, unpatched, situation is that using FFI code causes a segmentation fault (actually a RuntimeError in ruby), due to the ruby ffi code calling mprotect with PROT_EXEC.

I have created a patch for this based on what is done with cffi. cffi only calls mmap, and here PROT_EXEC is set with mprotect, so the situation is not indentical, so my lack of grsecurity and memory allocation may be showing :-)

This patch leads to dmesg logs from grsecurity:

execution attempt in: <anonymous mapping>, 35f244e2000-35f244e3000 35f244e2000
Comment 2 Hans de Graaff gentoo-dev 2016-09-11 09:01:45 UTC
Created attachment 445462 [details]
dev-ruby/ffi patch
Comment 3 Magnus Granberg gentoo-dev 2016-12-13 20:47:46 UTC
Comment 4 Hans de Graaff gentoo-dev 2018-03-03 10:10:20 UTC
(In reply to Magnus Granberg from comment #3)

This pull request has been applied in dev-ruby/ffi-1.9.22