Comment 1 Michael Haubenwallner (RETIRED) 2013-02-15 08:12:21 UTC

I'm not used to hardened, so: What is the problem here?

Looking at the pax-utils.eclass makes me think that unconditionally using pax-mark() may lead to that "Executables may be killed by PaX kernels." warning on non-Linux architectures, or on non-hardened profiles when neither paxctl nor scanelf is available: PAX_MARKINGS defaults to !=none, but I fail to find any profile setting PAX_MARKINGS at all - I'm wondering if non-hardened profiles (or prefix profiles at least) should have PAX_MARKINGS=none.

(In reply to comment #1)
> I'm not used to hardened, so: What is the problem here?

I'm sorry, I should have documented it here. The problem is this:

$ sqlplus
sqlplus: error while loading shared libraries: libnnz11.so: cannot enable executable stack as shared object requires: Permission denied

> Looking at the pax-utils.eclass makes me think that unconditionally using
> pax-mark() may lead to that "Executables may be killed by PaX kernels."
> warning on non-Linux architectures, or on non-hardened profiles when neither
> paxctl nor scanelf is available: PAX_MARKINGS defaults to !=none, but I fail
> to find any profile setting PAX_MARKINGS at all - I'm wondering if
> non-hardened profiles (or prefix profiles at least) should have
> PAX_MARKINGS=none.

I'd think PAX_MARKINGS should be set within the hardened profile only and left unset otherwise. pax-utils.eclass should abstain from setting a default value.

When I created the patch, I was convinced "pax-mark" would not do anything outside of the hardened environment. Now, when loooking closer at what the eclass really does, I recognize that this was an overly optimistic assumption.

/usr/portage/eclass/pax-utils.eclass (as installed by portage-2.1.11.51):

1.)  PAX_MARKINGS=${PAX_MARKINGS:="PT"}
2.)  if type -p paxctl > /dev/null && has PT ${PAX_MARKINGS}; then
3.)  elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then

So if PAX_MARKINGS was previously unset, "has PT" is always true and consequently PAX_MARKING is also unequal to "none", with scanelf always being installed. 

$ grep -R PAX_MARKINGS /usr/portage/profiles/  does not find anything.

Here is what I get when I put trace statements around PAX_MARKINGS=${PAX_MARKINGS:="PT"}:

 PAX_MARKINGS before set default: ''
 PAX_MARKINGS after set default: 'PT'

The package manager specification (app-doc/pms-5) does not say anything about harden.* or pax.*

Comment 3 Michael Haubenwallner (RETIRED) 2013-02-15 14:35:41 UTC

(In reply to comment #2)
> $ sqlplus
> sqlplus: error while loading shared libraries: libnnz11.so: cannot enable
> executable stack as shared object requires: Permission denied

Let me understand what's going on here:
Besides being the first sharedlib to be loaded for sqlplus (due to deep DT_NEEDED deps), libnnz11.so does have some flag set indicating it requires an executable stack.
Now the sqlplus executable also needs some flag to be set to tell the kernel to allow for an executable stack in this process. Right so far?

Which kind of flag does 'paxctl -c' actually set into the binary?

Question now is:
Does libnnz11.so really /need/ an executable stack,
or is it just the flag being set in the sharedlib?

(In reply to comment #3)
> (In reply to comment #2)

> Let me understand what's going on here:
> Besides being the first sharedlib to be loaded for sqlplus (due to deep
> DT_NEEDED deps), libnnz11.so does have some flag set indicating it requires
> an executable stack.
> Now the sqlplus executable also needs some flag to be set to tell the kernel
> to allow for an executable stack in this process. Right so far?

As I understand it, the library tries to mmap memory segments with write and exec flags set at the same time. Often this is only due to careless programming and actually not really needed, which is why pax recently startet to silently demote such requests to r-x. But I doubt that the error message reflects the real cause.

> Which kind of flag does 'paxctl -c' actually set into the binary?

It adds a PT_PAX_FLAGS header with no explicit flags set, and this leaves the system default pax flags active. However, while this works I still do not understand why it is needed at all. Here is the output of scanelf on sqlplus before paxctl -c was applied:

# scanelf -a /usr/bin/sqlplus 
   TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_EXEC PeMRxS   0755 LE     RW- --- RW-    -  /ade/aime_sqlplus_12363/oracle/lib LAZY /usr/bin/sqlplus

Type is ET_EXEC! I thought PAX does not care about ET_EXEC type files?  And note the PAX flags... (well, also note rpath -- but this is a different story)

I feel like I had to prove that I'm really using the the unmodified file:

# sqlplus
sqlplus: error while loading shared libraries: libnnz11.so: cannot enable executable stack as shared object requires: Permission denied

Ok.

# paxctl -v /usr/bin/sqlplus
file /usr/bin/sqlplus does not have a PT_PAX_FLAGS program header, try conversion

# paxctl -cv /usr/bin/sqlplus
file /usr/bin/sqlplus had a PT_GNU_STACK program header, converted
- PaX flags: -------x-e-- [/usr/bin/sqlplus]
        RANDEXEC is disabled
        EMUTRAMP is disabled

# scanelf -a /usr/bin/sqlplus 
   TYPE    PAX PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_EXEC ---xe- 0755 LE     --- --- RW-    -    /ade/aime_sqlplus_12363/oracle/lib LAZY /usr/bin/sqlplus 


> Question now is:
> Does libnnz11.so really /need/ an executable stack,
> or is it just the flag being set in the sharedlib?

Before I opened this bug I've also tried this, for the sake of completness. It did not changed anything noticeable. I remember to have read somewhere that the pax flags must be set on the first ET_DYN object to become effective. But sqlplus is of type ET_EXEC.

Comment 5 Michael Haubenwallner (RETIRED) 2013-03-08 15:34:46 UTC

Fixed in oracle-instantclient-sqlplus-11.2.0.3-r1, thank you!