How can firefox (sometimes) make memory executable?

Göran Uddeborg goeran at uddeborg.se
Sun Jun 19 08:32:47 UTC 2011


After your hints and some further investigation, I believe I've
figured out why my two systems behave differently.  It turns out that
either allow_execmem or allow_execstack is enough for firefox to run.
Since the denial was for execmem, I didn't investigate allow_execstack
at first.  But if I turn off both on the fresh install, I trigger the
problem there too.  Both were disabled on the system I upgraded.

Dominick Grift:
> You can change the context of the firefox executable to
> execmem_exec_t

It works, and it sounds like the least intrusive change.  I still have
the protection on the rest of the system.  I'll make a bugzilla asking
if that maybe would be the default.  (I guess firefox is one of the
important targets for attacks though.  So having to do this looses a
bit of protection.)

drago01:
> Its the JS JIT, pre firefox4 it was only available on i686 starting
> with firefox4 it works on x86_64 too.

Ah!  That explains why this started to happen after the upgrade.

Dominick Grift:
> Strange, as i never noticed this issues on any of my x86_64 systems

Are you running with default settings?  Unless I'm mistaken, the
default is for both allow_execmem and allow_execstack to be enabled,
and the problem won't appear.

> It is possible to silently deny this access

This is not just about an annoying alert.  The denial does prevent
firefox from running.  Firefox crashes when it happens.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20110619/0eeea455/attachment.bin 


More information about the selinux mailing list