From Fedora Project Wiki

Revision as of 13:17, 22 June 2023 by Amoloney (talk | contribs) (Change Accepted)


Change Proposal Name Changes/LIBFFI_34_static_trampolines

Summary

Libffi is currently configured to use dynamic trampolines, which require some source of memory which is both writable and executable. This is an obvious security issue, and selinux and system defaults have made it more and more difficult to safely provide this memory to libffi clients. With this change, libffi will be configured to use static trampolines, which do not require such memory, and will not pose those security and administrative risks.

Owner


Current status

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/7PPI2WF3M5WJA6IKTVYN3U2I4GTCXQMI/

  • FESCo issue: #3001
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The change itself is simple - libffi will no longer be configured with --disable-exec-static-tramp, which changes how closures are generated. Closures, and libffi, are used in many interpreted languages. There are about 145 packages that depend, directly or indirectly, on libffi. I ran the Mass Prebuilder. Of those 145, 10 already FTBFS, and 1 saw a new failure.

The Mass PreBuilder has indicated that cjs (Javascript Bindings for Cinnamon) will fail to build with static trampolines. We debugged this a bit and noted that cjs's upstream seems to be behind the gjs upstream (the gjs package builds OK) it tracks, and is missing at least two closure-related changes (although simply adding those two changes proved nontrivial).

Feedback

Benefit to Fedora

This change is needed to fully secure Fedora systems against attacks that use self-modifying code.

The cjs build failure affects the Cinnamon spin.

Scope

  • Proposal owners:

The change is a single line in the spec file.

  • Other developers:

The cjs package will need to be fixed to build with the new libffi.

Other libffi users will need to be aware of this change if they make closure-related changes to their packages, but should not need to take any actions at this time.

This change does not affect release engineering or any other packaging issues. No mass rebuild is required.

  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)


  • Alignment with Community Initiatives: N/A

Upgrade/compatibility impact

This change does not change ABI but that assumes clients are not abusing the ABI; the static vs dynamic trampoline change is an internal implementation.


How To Test

Testing static trampolines is the same as testing libffi, with the exception that the tests should pass despite having all writable filesystems locked with selinux such that executable maps cannot be requested. A security context that does not allow the memfd_create() syscall would further isolate this change.


User Experience

Users will be able to follow latest security recommendations without concern for whether interpreters will stop working.

Dependencies

As noted above, the cjs package requires work before this change can go through. They have noted that they'll be rebasing to 5.8.x: https://bugzilla.redhat.com/show_bug.cgi?id=2193287

Note that cjs has rebased to 5.6.1 in the interim, just to fix this bug. I've tested it and it works with static trampolines.


Contingency Plan

Reverting the one line spec file change will revert this change, with no changes needed elsewhere. Not completing this change in time does not negatively impact other package, or Fedora's ability to ship on time.

  • Contingency mechanism: We can revert the change at any time, without needing to rebuild any other packages.
  • Contingency deadline: Any time before shipping.
  • Blocks release? No.


Documentation

This is an internal change that should not need nor affect any documentation.

Release Notes

This change should not require any release notes.