[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Fwd: Re: [Tinycc-devel] re: Selinux patch fixup]
From: |
grischka |
Subject: |
[Fwd: Re: [Tinycc-devel] re: Selinux patch fixup] |
Date: |
Tue, 27 Apr 2010 13:29:56 +0200 |
User-agent: |
Thunderbird 2.0.0.23 (Windows/20090812) |
---------- Forwarded to the list ----------
From: Henry Kroll III <address@hidden>
On Mon, 2010-04-26 at 01:08 +0200, grischka wrote:
Anyway, do what you need to feel comfortable, and don't forget to tell
us what new features we now have and how people can try them out, at
some point.
The new options (*nix only)
* (Option) --with-selinux
* (Option) --disable-static
Todo: make sure these "options" don't interfere with what's already
there...
--disable-static
I should really add a line that says these options won't work
with win32 builds. It could be built as a .dll however, that is
over my head at the moment.
--disable-static is not a very good descriptive name. I think it
should be --enable-shared, but people will expect
--disable-static because so many other packages use it. :|
On *nix, these patches make static library, libtcc.a become a
shared library, libtcc.so.1.0 with links to libtcc.so and
libtcc.so.1. These extra links are apparently necessary for
linking against the library and loading it dynamically. The
file, libtcc_test is built dynamically against this library and
apparently works, loading the library, which now optionally
works under Selinux with --with-selinux, also known by me as the
mmap patch...
--with-selinux
Also incompatible with win32, this patch works by (optionally)
using mmap instead of malloc...return (*prog_main)(argc, argv).
Essentially, a /tmp file is created +wx and then immediately
unlinked, so no files remain if the process decides to take a
dump. Some memory is allocated for reading and writing through
this (non-existent) file pointer. After that is done, memory can
be accessed through 2 randomized pointers, one of them can be
written. The other can be executed. The docs on this say an
attacker will have a tough time writing and executing the same
block of memory, thus making programs written for tcc -run more
secure...I guess they are right. I certainly feel more secure
after wading through all these docs.
At least it gets around errors that Selinux pops up when tcc
-run is attempted on Fedora. The errors basically say that I am
trying to write to and execute the same block of memory and that
it has been disallowed. These changes work around these errors
in the recommended way.
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Fwd: Re: [Tinycc-devel] re: Selinux patch fixup],
grischka <=