https://bugs.winehq.org/show_bug.cgi?id=56650
Bug ID: 56650 Summary: Report on SELinux 'execheap' Issues with wine-preloader Product: Wine Version: 9.8 Hardware: x86-64 OS: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: -unknown Assignee: wine-bugs@winehq.org Reporter: chplee@gmail.com Distribution: ---
This report was prepared by ChatGPT. I'm sorry that my own ability is not enough to support such a large amount of code analysis, so I have to turn to ChatGPT.
I'm filing this report because a lot of people are suffering from this problem.
Please refer to: https://bugzilla.redhat.com/show_bug.cgi?id=2247299
### Report on SELinux 'execheap' Issues with `wine-preloader`
#### Introduction The `wine-preloader` program is a crucial part of the Wine software, which allows Windows applications to run on Unix-like operating systems. An issue has been identified where SELinux prevents `wine-preloader` from executing code in writable memory regions, raising security alerts related to 'execheap' accesses. This report identifies potential sources of the issue in the program and provides recommendations for modifications.
#### Potential Issues Identified 1. **Memory Mapping and Protection Setup**: In `wine-preloader`, memory mapping is handled with protections set that could potentially include both write and execute permissions. This is particularly evident in the function calls to `wld_mmap`, where memory protection flags are set based on the segment flags parsed from ELF headers.
```c wld_mmap((void *)(l->l_addr + c->mapstart), c->mapend - c->mapstart, c->prot, MAP_FIXED | MAP_COPY | MAP_FILE, fd, c->mapoff); ```
Here, the `c->prot` can contain combinations of `PROT_READ`, `PROT_WRITE`, and `PROT_EXEC` based on the segment's flags.
2. **Dynamic Code Generation**: Dynamic generation or modification of code could potentially occur, though not explicitly shown in the code snippets provided, it could be inferred from the overall functionality where executable code may be modified or generated on-the-fly.
3. **Modifying Memory Protection Attributes**: The use of `wld_mprotect` to change the protection attributes of memory pages could lead to states where pages are both writable and executable.
```c wld_mprotect((caddr_t) (zero & ~page_mask), page_size, c->prot|PROT_WRITE); ```
Although this snippet aims to make pages writable temporarily, if combined inappropriately with executable flags elsewhere, it could trigger SELinux policies.
#### Recommendations - **Restricting Memory Permissions**: Enforce strict separations between writable and executable pages. Modify the logic that sets memory protections to ensure that no memory page is both writable and executable at the same time. This can be achieved by adjusting the ELF segment loading routines to separate code and data segments clearly.
- **Use of Memory Protection Changes**: Implement a clear two-step process for handling memory that needs to be executable: - Initially, set memory to writable to modify or generate code. - Once modifications are complete, change the memory protection to executable only (removing write permissions).
- **Code Audit and Testing**: Conduct a thorough audit of the places where memory permissions are set. Test under a SELinux-enforced environment to ensure that the adjustments meet security policies without hindering functionality.
- **SELinux Policy Adjustments**: If `wine-preloader` inherently requires certain operations that SELinux policies restrict, consider creating custom SELinux policy modules that allow specific actions while maintaining overall security. This should be done cautiously to avoid creating unnecessary security holes.
#### Conclusion Adjustments to `wine-preloader` should focus on ensuring that memory regions are either writable or executable but never both. By adhering to security best practices and possibly adjusting SELinux policies, `wine-preloader` can function effectively without triggering security violations in SELinux environments.
https://bugs.winehq.org/show_bug.cgi?id=56650
Ken Sharp imwellcushtymelike@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords| |download, source
https://bugs.winehq.org/show_bug.cgi?id=56650
--- Comment #1 from Alexandre Julliard julliard@winehq.org --- (In reply to chplee@gmail.com from comment #0)
This report was prepared by ChatGPT. I'm sorry that my own ability is not enough to support such a large amount of code analysis, so I have to turn to ChatGPT.
Please don't do that. ChatGPT is clearly not smart enough to generate useful bug reports.
https://bugs.winehq.org/show_bug.cgi?id=56650
--- Comment #2 from Ken Sharp imwellcushtymelike@gmail.com --- Invalid?
https://bugs.winehq.org/show_bug.cgi?id=56650
chplee@gmail.com chplee@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://github.com/ValveSof | |tware/Proton/issues/7285 URL| |https://bugzilla.redhat.com | |/show_bug.cgi?id=2247299
https://bugs.winehq.org/show_bug.cgi?id=56650
--- Comment #3 from chplee@gmail.com chplee@gmail.com --- (In reply to Alexandre Julliard from comment #1)
(In reply to chplee@gmail.com from comment #0)
This report was prepared by ChatGPT. I'm sorry that my own ability is not enough to support such a large amount of code analysis, so I have to turn to ChatGPT.
Please don't do that. ChatGPT is clearly not smart enough to generate useful bug reports.
I showed ChatGPT the source code from `https://github.com/wine-mirror/wine/blob/master/loader/preloader.c%60 and it pointed out some code snippets that might be related to the bug. But unfortunately I am unable to judge whether its opinion is correct due to my ability. If this causes trouble to your work, please ignore this part.
The maintainer of selinux-policy suggests that this is a wine component issue, but if the action that triggers this SELinux rule is necessary for wine-preloader, I think I should report this to him and ask him to set up an exception to the SELinux rule .
This bug has appeared for more than half a year, and there are 17 Duplicates about it on Redhat's Bugzilla.
https://bugs.winehq.org/show_bug.cgi?id=56650
Zeb Figura z.figura12@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |z.figura12@gmail.com Summary|Report on SELinux |wine cannot be used with |'execheap' Issues with |SELinux 'execheap' policy |wine-preloader |
--- Comment #4 from Zeb Figura z.figura12@gmail.com --- What exactly does 'execheap' do (in your own words, please)? Is there source code for it?
There shouldn't be any point at which we flip the executable bit on memory returned from malloc(). However, we may need to allocate memory (allocated directly from mmap and not through malloc) which is both writable and executable, because Windows programs require it.
https://bugs.winehq.org/show_bug.cgi?id=56650
--- Comment #5 from chplee@gmail.com chplee@gmail.com --- (In reply to Zeb Figura from comment #4)
What exactly does 'execheap' do (in your own words, please)? Is there source code for it?
Sorry I can't explain it in my own words, but I found a comment from the maintainer of selinux-policy and he said this:
The Linux implementation of mprotect (unlike POSIX) allows changing the access protection of memory on the heap, e. g. allocated using malloc. This AVC denial indicates that heap memory was supposed to be made executable. While the permission can be granted turning the selinuxuser_execheap boolean on as suggested by setroubleshoot, it should not be done without a thorough code review as in most cases it indicates a bug in the code. If anonymous executable memory is needed, another method should be considered, e. g. allocating memory using mmap.
Please refer to the boolean description:
# semanage boolean -l|grep execheap selinuxuser_execheap (off , off) Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
Switching the component to wine for further assessment.
https://bugs.winehq.org/show_bug.cgi?id=56650
Mikhail mikhail.v.gavrilov@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |mikhail.v.gavrilov@gmail.co | |m
https://bugs.winehq.org/show_bug.cgi?id=56650
--- Comment #6 from Zeb Figura z.figura12@gmail.com --- The question is really whether this is about the libc "heap" (which is not something that I thought the kernel had any concept of?), or if it's a blanket W^X imposition on the whole process. If the former, that's surprising and deserves investigation, because if I'm not mistaken we should never do that. If the latter, it's an immediate WONTFIX.
Finding any trace of documentation on execheap, or really SELinux in general, and which of these two is the case, proves very difficult.
https://bugs.winehq.org/show_bug.cgi?id=56650
agurenko@protonmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |agurenko@protonmail.com
-
WineHQ Bugzilla