| Summary: | Please do not hardcode SELinux identifiers in the code | ||
|---|---|---|---|
| Product: | Mesa | Reporter: | Laurent Bigonville <bigon> |
| Component: | Mesa core | Assignee: | mesa-dev |
| Status: | RESOLVED WONTFIX | QA Contact: | |
| Severity: | normal | ||
| Priority: | medium | CC: | bigon |
| Version: | 10.2 | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
An other question might also arise is why An other question might also arise is why would a failure of the mmap() function considered as an error in one case and not in the case where SELinux would prevent it to succeed? In Fedora the allow_exemem boolean is not set, and this boolean would only effect user space. getsebool -a | grep execmem boinc_execmem --> on cluster_use_execmem --> off cups_execmem --> off deny_execmem --> off httpd_execmem --> off virt_use_execmem --> off xserver_execmem --> off Currently we add booleans for confined services if we see them as necessary. It would be better if your code just checked if you got EPERM or EACCESS for errno, and then if you want check if SELInux is enabled and continue with no error. Especially since you code works fine without WRITEABLE/EXECUTABLE memory. |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.
Hello, Currently the mesa code is checking for SELinux booleans ("allow_execmem") to check whether SELinux will allow mapped memory to be executed and otherwise turns the function in a noop. Hardcoding such booleans (and other identifiers) is probably a bad habit, since custom policies might be written and may perfectly omit these identifiers. Fedora policy for example doesn't have this boolean anymore. You should probably to try to mmap() in all cases and react accordingly in case of failure when SELinux is enabled (by checking errno maybe?)