Get libffi closures to cope with SELinux execmem/execmod
Alexandre Oliva
aoliva@redhat.com
Thu Jan 18 07:14:00 GMT 2007
This is a patch that fixes the bug described at
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=202209
The problem is that SELinux security policies are often configured to
prevent pages from being mapped as both writable and executable, and
even to stop pages that were ever modified from being turned
executable.
The recommended way to implement dynamically-generated code is to map
pages from a file in an executable filesystem into separate locations
in the virtual memory, one writable, one executable.
http://people.redhat.com/drepper/selinux-mem.html
This is what I've done in libffi, if mmap fails to allocate anonymous
pages that are both writable and executable on GNU/Linux systems.
Various changes were needed to enable closures to be created at one
address that would later be executed at another.
libjava needed changes to cope with these interface changes in libffi,
and manual memory management of closures. Since they were not scanned
by the garbage collector, it turned out to be relatively simple to
make the change and arrange for class finalizers to deallocate them.
The first patch below adds dlmalloc.c to libffi as downloaded from
Doug Lea's web page (except for CRLF->LF conversion). The second
patch does the rest of the work, including the minimal changes needed
for dlmalloc.c to support this custom separate-mapping behavior.
Tested on x86_64-linux-gnu. Ok to install?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libffi-closure-prot-exec-dlmalloc.patch
Type: text/x-patch
Size: 185459 bytes
Desc: not available
URL: <http://gcc.gnu.org/pipermail/java-patches/attachments/20070118/5debe4ab/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libffi-closure-prot-exec.patch
Type: text/x-patch
Size: 78986 bytes
Desc: not available
URL: <http://gcc.gnu.org/pipermail/java-patches/attachments/20070118/5debe4ab/attachment-0001.bin>
-------------- next part --------------
--
Alexandre Oliva http://www.lsd.ic.unicamp.br/~oliva/
FSF Latin America Board Member http://www.fsfla.org/
Red Hat Compiler Engineer aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist oliva@{lsd.ic.unicamp.br, gnu.org}
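
The dual-mapping technique the message describes, as an added example (not code from the patch or from libffi): an unlinked temporary file is mapped once writable and once executable, so no page is ever both. The names `dual_map`, `dual_map_alloc` and `dual_map_exec_addr` and the directory list are assumptions made for this sketch, and the "stub" bytes are constructed stand-ins that are only read back, never executed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
struct dual_map { char *w, *x; size_t len; };  /* hypothetical names */

/* Back len bytes with an unlinked temp file in dir and map it twice. */
static int dual_map_in(const char *dir, size_t len, struct dual_map *m) {
    char path[4096];
    snprintf(path, sizeof path, "%s/dualmapXXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                  /* storage lives only as long as the maps */
    void *w = MAP_FAILED, *x = MAP_FAILED;
    if (ftruncate(fd, (off_t)len) == 0) {
        w = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        x = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    }
    close(fd);
    if (w != MAP_FAILED && x != MAP_FAILED) {
        m->w = w; m->x = x; m->len = len;
        return 0;
    }
    if (w != MAP_FAILED) munmap(w, len);   /* e.g. dir is mounted noexec */
    if (x != MAP_FAILED) munmap(x, len);
    return -1;
}

/* Try candidate directories until one sits on an executable filesystem. */
int dual_map_alloc(size_t len, struct dual_map *m) {
    const char *dirs[] = { getenv("TMPDIR"), "/tmp", "/var/tmp", "/dev/shm", "." };
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++)
        if (dirs[i] && dual_map_in(dirs[i], len, m) == 0) return 0;
    return -1;
}

/* Translate a pointer in the writable view to its executable alias. */
char *dual_map_exec_addr(const struct dual_map *m, char *wptr) { return m->x + (wptr - m->w); }

/* Write through one view, read through the other; 0 means they alias. */
int dual_map_selfcheck(void) {
    struct dual_map m;
    if (dual_map_alloc(4096, &m) != 0) return -1;
    memcpy(m.w + 64, "stub", 5);           /* constructed stand-in for code */
    char *code = dual_map_exec_addr(&m, m.w + 64);
    int ok = m.w != m.x && memcmp(code, "stub", 5) == 0;
    munmap(m.w, m.len); munmap(m.x, m.len);
    return ok ? 0 : 1;
}
```

A caller fills in a closure through the writable address and hands out the translated executable address, which is why the two differ. On architectures without coherent instruction caches, the cache must also be flushed before the executable alias is called.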