libffi creating /tmp files (+rwx)

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.


Postby sumacsucks » Tue Dec 27, 2011 9:06 am

Hello,

I'm trying to get mod_wsgi, Python and apache to work together for a system with a django application. Apparently libffi is causing these:

...U:/usr/sbin/apache2) denied untrusted exec of /var/tmp/ffiCERLME by /usr/sbin/apache2[apache2:22643] uid/euid:1009/1009 gid/egid:1028/1028, parent /usr/sbin/apache2[apache2:20010] uid/euid:0/0 gid/egid:0/0


The ffi parameter seems to have something to do with libffi from CPython. The wsgi apache process crashes, which might or might not be related to this. What would be the best course of action here? RWX for the /tmp directory is clearly no good.
This is a Gentoo Hardened system.
sumacsucks
 
Posts: 5
Joined: Sat Oct 24, 2009 5:21 am
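As an added example (not code from the thread, from grsecurity or from libffi), the following script parses grsecurity TPE "denied untrusted exec" lines of the shape quoted above, groups them by executable and directory, flags the ones whose target looks like a libffi "ffiXXXXXX" temp file, and checks whether the directory involved is on a noexec mount. The sample log line is constructed from the fields in the post (the leading "..." is where the post cut off the kernel log prefix); the noexec check assumes a Linux host, where os.ST_NOEXEC exists.

```python
"""Triage grsecurity TPE "denied untrusted exec" log lines.

Added example; not code from the original thread or from libffi/grsecurity.
It assumes the log format visible in the post above and uses a sample line
constructed from the fields quoted there.
"""
import os
import re
from collections import Counter

# Fields of one TPE denial, as they appear from "denied untrusted exec of" on.
TPE_RE = re.compile(
    r"denied untrusted exec of (?P<path>\S+) by (?P<exe>\S+)"
    r"\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+)"
)
INT_FIELDS = ("pid", "uid", "euid", "gid", "egid",
              "ppid", "puid", "peuid", "pgid", "pegid")

# Constructed sample input: the denial from the post plus one unrelated line.
SAMPLE_LOG = [
    "...U:/usr/sbin/apache2) denied untrusted exec of /var/tmp/ffiCERLME "
    "by /usr/sbin/apache2[apache2:22643] uid/euid:1009/1009 gid/egid:1028/1028, "
    "parent /usr/sbin/apache2[apache2:20010] uid/euid:0/0 gid/egid:0/0",
    "kernel: some unrelated message",
]


def parse_tpe_denial(line):
    """Return the denial's fields as a dict (numeric ids as ints), or None."""
    m = TPE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    rec["dir"] = os.path.dirname(rec["path"])
    return rec


def is_libffi_tempfile(path):
    """True if the basename matches libffi's "ffiXXXXXX" mkstemp template."""
    name = os.path.basename(path)
    return len(name) == 9 and name.startswith("ffi")


def dir_is_noexec(path):
    """True/False if the mount holding `path` is noexec, None if it is absent.

    os.ST_NOEXEC is Linux-specific (assumption); elsewhere the flag is treated as 0.
    """
    try:
        st = os.statvfs(path)
    except OSError:
        return None
    return bool(st.f_flag & getattr(os, "ST_NOEXEC", 0))


def summarise(lines):
    """Group denials by (executable, directory) and flag likely libffi hits."""
    by_source = Counter()
    libffi_hits = []
    for line in lines:
        rec = parse_tpe_denial(line)
        if rec is None:
            continue
        by_source[(rec["exe"], rec["dir"])] += 1
        if is_libffi_tempfile(rec["path"]):
            # Record whether the child runs with a different euid than its
            # parent (an apache2 worker under a root master, in the post).
            libffi_hits.append({
                "path": rec["path"],
                "pid": rec["pid"],
                "euid": rec["euid"],
                "parent_euid": rec["peuid"],
                "dropped_privs": rec["euid"] != rec["peuid"],
            })
    return {"by_source": dict(by_source), "libffi_hits": libffi_hits}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for (exe, directory), n in report["by_source"].items():
        print(f"{n} denial(s): {exe} executing from {directory} "
              f"(noexec={dir_is_noexec(directory)})")
    for hit in report["libffi_hits"]:
        print("libffi closure temp file:", hit)
```

Feed it the output of `dmesg` or the kernel log and the by_source table tells you which services are trying to execute from which scratch directories, while the libffi_hits list separates the closure temp files (the case in this thread) from other untrusted-exec denials that deserve a different look.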

Re: libffi creating /tmp files (+rwx)

Postby sumacsucks » Tue Dec 27, 2011 9:13 am

I just confirmed:

#include <string.h>  /* strlen, memcpy */

/* open_temp_exec_file_name() is defined elsewhere in the same libffi source
   file and is not part of the quoted snippet. */

/* Open a temporary file in the named directory.  */
static int
open_temp_exec_file_dir (const char *dir)
{
  static const char suffix[] = "/ffiXXXXXX";
  int lendir = strlen (dir);
  char *tempname = __builtin_alloca (lendir + sizeof (suffix));

  if (!tempname)
    return -1;

  memcpy (tempname, dir, lendir);
  memcpy (tempname + lendir, suffix, sizeof (suffix));

  return open_temp_exec_file_name (tempname);
}

That comes from libffi, and the library contains checks for SELinux. It tries to mmap files... hence the RWX.
This is Red Hat's hand at play, as usual.
sumacsucks
 
Posts: 5
Joined: Sat Oct 24, 2009 5:21 am

