libaesni-intel-samba4.so and execstack flag

libaesni-intel-samba4.so and execstack flag

Samba - samba-technical mailing list
Hi all,

I've detected a problem with the new libaesni-intel library. Running
Samba with aesni support, SELinux denies loading the libaesni-intel
library because of execstack permissions. It throws the following error
message:

  cannot enable executable stack as shared object requires: Permission
denied"

SELinux logs something like:

  avc:  denied  { execstack } for comm="smbd"

The execstack command tells me that the execstack is set:

execstack -q ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
X ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so

So I've linked the library again and set the noexecstack option
(ADDITIONAL_LDFLAGS="-z noexecstack" ./configure.developer
--accel-aes=intelaesni && make)

Afterwards the flag is not set anymore:
execstack -q ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
- ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so

The smbd is still running fine with accelerated aes encryption.

I see this on my Gentoo with gcc version 4.9.4 and on a rhel7 test
system, using gcc version 4.8.2.

Best regards,
Björn

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]


Re: libaesni-intel-samba4.so and execstack flag

Samba - samba-technical mailing list
On Mon, Oct 30, 2017 at 02:40:37PM +0100, Bjoern Baumbach via samba-technical wrote:

> Hi all,
>
> I've detected a problem with the new libaesni-intel library. Running
> Samba with aesni support, SELinux denies loading the libaesni-intel
> library because of execstack permissions. It throws the following error
> message:
>
>   cannot enable executable stack as shared object requires: Permission
> denied"
>
> SELinux logs something like:
>
>   avc:  denied  { execstack } for comm="smbd"
>
> The execstack command tells me that the execstack is set:
>
> execstack -q ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
> X ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
>
> So I've linked the library again and set the noexecstack option
> (ADDITIONAL_LDFLAGS="-z noexecstack" ./configure.developer
> --accel-aes=intelaesni && make)
>
> Afterwards the flag is not set anymore:
> execstack -q ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
> - ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
>
> The smbd is still running fine with accelerated aes encryption.
>
> I see this on my Gentoo with gcc version 4.9.4 and on a rhel7 test
> system, using gcc version 4.8.2.

Hmmm. Can you figure out how to add this to the wscript build
so we can add this as a patch ?


Re: libaesni-intel-samba4.so and execstack flag

Samba - samba-technical mailing list
On Mon, 2017-10-30 at 14:40 +0100, Bjoern Baumbach via samba-technical
wrote:

> Hi all,
>
> I've detected a problem with the new libaesni-intel library. Running
> Samba with aesni support, SELinux denies loading the libaesni-intel
> library because of execstack permissions. It throws the following error
> message:
>
>   cannot enable executable stack as shared object requires: Permission
> denied"
>
> SELinux logs something like:
>
>   avc:  denied  { execstack } for comm="smbd"
>
> The execstack command tells me that the execstack is set:
>
> execstack -q ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
> X ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
>
> So I've linked the library again and set the noexecstack option
> (ADDITIONAL_LDFLAGS="-z noexecstack" ./configure.developer
> --accel-aes=intelaesni && make)
>
> Afterwards the flag is not set anymore:
> execstack -q ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
> - ./bin/default/third_party/aesni-intel/libaesni-intel-samba4.so
>
> The smbd is still running fine with accelerated aes encryption.
>
> I see this on my Gentoo with gcc version 4.9.4 and on a rhel7 test
> system, using gcc version 4.8.2.

Is this some auto-collected flag triggered by the use of assembler?

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: libaesni-intel-samba4.so and execstack flag

Samba - samba-technical mailing list
On 10/30/2017 05:00 PM, Jeremy Allison wrote:
> Hmmm. Can you figure out how to add this to the wscript build
> so we can add this as a patch ?

Please find attached a patch which solves the issue on my system. I've
verified that this does not overwrite other ldflags.

BUT this breaks the build when using the ADDITIONAL_LDFLAGS option. If I
specify for example ADDITIONAL_LDFLAGS="-z textoff", gcc is called with
a 'textoff' argument, without the '-z'. This produces the following error:

[3457/4105] Linking default/third_party/aesni-intel/libaesni-intel-samba4.so
gcc: error: textoff: No such file or directory


I'm not sure if we need to check if the '-z noexecstack' option is
available on the system or not, and also not how to add this to the waf
build.

Do we need a bug report?

Best regards,
Björn

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]

Attachment: 0001-build-third_party-link-aesni-intel-library-with-z-no.patch (1K)