Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 593478 - dev-lang/ruby and dev-ruby/ffi support for Hardened Gentoo
Summary: dev-lang/ruby and dev-ruby/ffi support for Hardened Gentoo
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Ruby Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-11 08:55 UTC by Hans de Graaff
Modified: 2018-03-03 10:10 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
dev-ruby/ffi patch (ffi.patch,2.22 KB, text/plain)
2016-09-11 09:01 UTC, Hans de Graaff
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev 2016-09-11 08:55:46 UTC
We currently don't support the combination of FFI with ruby and Hardened Gentoo (specifically PaX).

The easy solution/work-around is to use pax-mark m on /usr/bin/ruby to turn off mprotect altogether, but this is not really desirable from a security standpoint. It would be better to get EMUTRAMP support working as we already do for python. Then we only need pax-mark E.

This requires changes to the ruby ebuilds so set the marking similar to dev-lang/python, and changes to dev-ruby/ffi to work with EMUTRAMP.
Comment 1 Hans de Graaff gentoo-dev 2016-09-11 09:00:35 UTC
The current, unpatched, situation is that using FFI code causes a segmentation fault (actually a RuntimeError in ruby), due to the ruby ffi code calling mprotect with PROT_EXEC.

I have created a patch for this based on what is done with cffi. cffi only calls mmap, and here PROT_EXEC is set with mprotect, so the situation is not indentical, so my lack of grsecurity and memory allocation may be showing :-)

This patch leads to dmesg logs from grsecurity:

execution attempt in: <anonymous mapping>, 35f244e2000-35f244e3000 35f244e2000
Comment 2 Hans de Graaff gentoo-dev 2016-09-11 09:01:45 UTC
Created attachment 445462 [details]
dev-ruby/ffi patch
Comment 3 Magnus Granberg gentoo-dev 2016-12-13 20:47:46 UTC
https://github.com/ffi/ffi/pull/540
Comment 4 Hans de Graaff gentoo-dev 2018-03-03 10:10:20 UTC
(In reply to Magnus Granberg from comment #3)
> https://github.com/ffi/ffi/pull/540

This pull request has been applied in dev-ruby/ffi-1.9.22