Get libffi closures to cope with SELinux execmem/execmod

Andrew Haley aph@redhat.com
Thu Jan 18 12:30:00 GMT 2007 

Alexandre Oliva writes:
 > This is a patch that fixes the bug described at 
 > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=202209
 > 
 > The problem is that SELinux security policies are often configured to
 > prevent pages from being mapped as both writable and executable, and
 > even to stop pages that were ever modified from being turned
 > executable.
 > 
 > The recommended way to implement dynamically-generated code is to map
 > pages from a file in an executable filesystem into separate locations
 > in the virtual memory, one writable, one executable.
 > http://people.redhat.com/drepper/selinux-mem.html
 > 
 > This is what I've done in libffi, if mmap fails to allocate anonymous
 > pages that are both writable and executable on GNU/Linux systems.
 > Various changes were need to enable closures to be created at one
 > address that would later be executed at another.
 > 
 > libjava needed changes to cope with these interface changes in libffi,
 > and manual memory management of closures.  Since they were not scanned
 > by the garbage collector, it turned out to be relatively simple to
 > make the change and arrange for class finalizers to deallocate them.
 > 
 > The first patch below adds dlmalloc.c to libffi as downloaded from
 > Doug Lea's web page (except for CRLF->LF conversion).  The second
 > patch does the rest of the work, including the minimal changes needed
 > for dlmalloc.c to support this custom separate-mapping behavior.
 > 
 > Tested on x86_64-linux-gnu.  Ok to install?

A few thoughts.  Firstly, including the entire malloc library seems
heavyweight.  I presume you've explored other solutions, but a word or
two here of explanation for the record would be good.  People will
ask.

I presume that the allocator is thread-safe.

When a Java object, such as a Class, is being finalized, it is
reachable.  So, disposing of the closures at this point is potentially
dangerous.  Please disable the call to
_Jv_ClosureList::releaseClosures for the time being, and we'll
investigate ways to defer the release until the class in unreachable.
I know this will cause a small memory leak, but we'll live with that
for the time being.  (One idea I have is to mark the closures as dead,
and then have a separate loop that reclaims them after all finalizers
have run.)

Andrew.

More information about the Gcc-patches mailing list