classification
Title: ctypes fails to import with grsecurity's TPE
Type: behavior Stage: patch review
Components: ctypes Versions: Python 3.5
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: Glandos
Priority: normal Keywords: patch

Created on 2016-10-13 12:12 by Glandos, last changed 2018-01-11 11:26 by bananu7.

Pull Requests
URL Status Linked Edit
PR 5155 open bananu7, 2018-01-11 11:26
Messages (1)
msg278567 - (view) Author: (Glandos) Date: 2016-10-13 12:12
When using a grsecurity kernel with TPE enabled, the following happens with an untrusted user:

Python 3.5.2+ (default, Sep 22 2016, 12:18:14) 
[GCC 6.2.0 20160914] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from ctypes import CDLL
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.5/ctypes/__init__.py", line 537, in <module>
    _reset_cache()
  File "/usr/lib/python3.5/ctypes/__init__.py", line 276, in _reset_cache
    CFUNCTYPE(c_int)(lambda: None)
MemoryError

And grsecurity complains:

oct. 13 13:52:27 belette64 kernel: grsec: From XX.XX.XX.XX: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /tmp/#38928416 by /usr/bin/python3.5[python3:19125] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/fish[fish:17716] uid/euid:1000/1000 gid/egid:1000/1000
oct. 13 13:52:27 belette64 kernel: grsec: From XX.XX.XX.XX: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /var/tmp/#15073678 by /usr/bin/python3.5[python3:19125] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/fish[fish:17716] uid/euid:1000/1000 gid/egid:1000/1000
oct. 13 13:52:27 belette64 kernel: grsec: From XX.XX.XX.XX: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /dev/shm/#4422450 by /usr/bin/python3.5[python3:19125] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/fish[fish:17716] uid/euid:1000/1000 gid/egid:1000/1000
oct. 13 13:52:27 belette64 kernel: grsec: From XX.XX.XX.XX: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /dev/shm/#4422452 by /usr/bin/python3.5[python3:19125] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/fish[fish:17716] uid/euid:1000/1000 gid/egid:1000/1000
oct. 13 13:52:29 belette64 kernel: grsec: From XX.XX.XX.XX: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /dev/shm/#4425509 by /usr/bin/python3.5[python3:19125] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/fish[fish:17716] uid/euid:1000/1000 gid/egid:1000/1000

However, even if the solution should be to put the user in the trusted group, it seems that the involved call is just a workaround for Win64 platforms.
The program I used is using ctypes through the xattr package, which never used CFUNCTYPE. Is it possible to wrap this "fake call" into a try block?
History
Date User Action Args
2018-01-11 11:26:57bananu7setkeywords: + patch
stage: patch review
pull_requests: + pull_request5010
2016-10-13 12:12:18Glandoscreate