➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2011-04-23 23:39 by breun, last changed 2022-04-11 14:57 by admin. This issue is now closed.
| Messages (10) | |||
|---|---|---|---|
| msg134314 - (view) | Author: Nils Breunese (breun) | Date: 2011-04-23 23:39 | |
When I try to run iotop [0] on CentOS 5.6 on a kernel with grsecurity [1] then iotop won't start because grsecurity is blocking Python because of its use of the mprotect() system call. Please see http://www.atomicorp.com/wiki/index.php/ASL_FAQ#grsec:_denied_RWX_mprotect for more information. The authors of this hardened Linux kernel suggested to file a bug with Python because using mprotect() is apparently a very bad thing to do. [0] http://guichaz.free.fr/iotop/ [1] http://grsecurity.net/ |
|||
| msg134315 - (view) | Author: Antoine Pitrou (pitrou) *  |
Date: 2011-04-23 23:48 | |
Where have you seen that Python is calling mprotect()? There's no sign of it in the whole source tree. |
|||
| msg134316 - (view) | Author: Nils Breunese (breun) | Date: 2011-04-24 00:00 | |
I got this error message in /var/log/messages when trying to start iotop: ---- Apr 13 08:49:37 hostname kernel: grsec: From xxx.xxx.xxx.xxx: denied RWX mprotect of /lib64/ld-2.5.so by /usr/bin/iotop[iotop:9836] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9351] uid/euid:0/0 gid/egid:0/0 Apr 13 08:49:37 hostname kernel: iotop[9836]: segfault at 6248c405dda0 ip 00006248c3e489ec sp 00007fffa52e8410 error 7 in ld-2.5.so[6248c3e42000+1c000] ---- /usr/bin/iotop is a Python script and according to that log message grsecurity detected a call to mprotect(). |
|||
| msg134317 - (view) | Author: Antoine Pitrou (pitrou) * |
Date: 2011-04-24 00:20 | |
> /usr/bin/iotop is a Python script and according to that log message > grsecurity detected a call to mprotect(). Well, does Python itself run ok? That Python script could use third-party extension modules which issue the offending mprotect() call. |
|||
| msg134318 - (view) | Author: Nils Breunese (breun) | Date: 2011-04-24 00:25 | |
I haven't had any problems with other Python applications like this, Python seems fine otherwise. I just noticed that iotop has a dependency on python-ctypes, which sounds like it could be iotop doing the mprotect() calls via ctypes. Does that make sense? |
|||
| msg134320 - (view) | Author: Andreas Stührk (Trundle) * | Date: 2011-04-24 01:10 | |
glibc's `dlopen()` can call `mprotect()`, which is used for loading C extensions. |
|||
| msg134329 - (view) | Author: Charles-François Natali (neologix) * |
Date: 2011-04-24 10:25 | |
PaX doesn't block mprotect in itself, but prevents pages from being both writable and executable. Andreas's right, it's probably due to a dlopen of an object requiring executable stack via ctypes. So you should report this to iotop's developpers. In the meantime, you could use "paxctl -m /usr/bin/python". |
|||
| msg134373 - (view) | Author: Nils Breunese (breun) | Date: 2011-04-25 07:47 | |
I contacted the author of iotop and he told me iotop does not use mprotect (but it does use dlopen). Guess I'll have to do some more digging to find what is exactly doing the call to mprotect. |
|||
| msg134814 - (view) | Author: Terry J. Reedy (terry.reedy) * |
Date: 2011-04-29 21:40 | |
Is there any reason not to close this as a CPython issue? |
|||
| msg134903 - (view) | Author: Charles-François Natali (neologix) * |
Date: 2011-05-01 09:11 | |
> Is there any reason not to close this as a CPython issue? No, it's definitely not a CPython issue. I'm closing as invalid. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:57:16 | admin | set | github: 56121 |
| 2011-05-01 09:11:58 | neologix | set | status: open -> closed resolution: not a bug messages: + msg134903 title: Python shouldn't use the mprotect() system call -> PaX triggers a segfault in dlopen |
| 2011-04-29 21:40:01 | terry.reedy | set | nosy:
+ terry.reedy messages: + msg134814 |
| 2011-04-25 07:47:38 | breun | set | messages: + msg134373 |
| 2011-04-25 02:22:57 | jcea | set | nosy:
+ jcea |
| 2011-04-24 10:25:30 | neologix | set | messages: + msg134329 |
| 2011-04-24 01:10:56 | Trundle | set | nosy:
+ Trundle messages: + msg134320 |
| 2011-04-24 00:25:41 | breun | set | messages: + msg134318 |
| 2011-04-24 00:20:13 | pitrou | set | messages: + msg134317 |
| 2011-04-24 00:00:35 | breun | set | messages: + msg134316 |
| 2011-04-23 23:48:09 | pitrou | set | nosy:
+ neologix, pitrou messages: + msg134315 |
| 2011-04-23 23:39:44 | breun | create | |