[issue11912] Python shouldn't use the mprotect() system call
New submission from Nils Breunese:

When I try to run iotop [0] on CentOS 5.6 on a kernel with grsecurity [1] then iotop won't start because grsecurity is blocking Python because of its use of the mprotect() system call. Please see http://www.atomicorp.com/wiki/index.php/ASL_FAQ#grsec:_denied_RWX_mprotect for more information.

The authors of this hardened Linux kernel suggested filing a bug with Python because using mprotect() is apparently a very bad thing to do.

[0] http://guichaz.free.fr/iotop/
[1] http://grsecurity.net/

--
messages: 134314
nosy: breun
priority: normal
severity: normal
status: open
title: Python shouldn't use the mprotect() system call
type: security
versions: 3rd party

Python tracker <http://bugs.python.org/issue11912>
[issue11912] Python shouldn't use the mprotect() system call
Nils Breunese added the comment:

I got this error message in /var/log/messages when trying to start iotop:

Apr 13 08:49:37 hostname kernel: grsec: From xxx.xxx.xxx.xxx: denied RWX mprotect of /lib64/ld-2.5.so by /usr/bin/iotop[iotop:9836] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9351] uid/euid:0/0 gid/egid:0/0
Apr 13 08:49:37 hostname kernel: iotop[9836]: segfault at 6248c405dda0 ip 6248c3e489ec sp 7fffa52e8410 error 7 in ld-2.5.so[6248c3e42000+1c000]

/usr/bin/iotop is a Python script and according to that log message grsecurity detected a call to mprotect().
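
Added example, not part of the original thread and not code from Python, iotop or grsecurity: a small parser for the two kernel log lines quoted in the message above, which pairs a denied RWX mprotect with a later segfault of the same PID and reports which mapped object was involved. The field layout is assumed from those two lines only, and the names triage, DENIAL and SEGFAULT are illustrative.

```python
import re

# Constructed sample, modelled on the two kernel log lines quoted in the thread.
SAMPLE_LOG = """\
Apr 13 08:49:37 hostname kernel: grsec: From xxx.xxx.xxx.xxx: denied RWX mprotect of /lib64/ld-2.5.so by /usr/bin/iotop[iotop:9836] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9351] uid/euid:0/0 gid/egid:0/0
Apr 13 08:49:37 hostname kernel: iotop[9836]: segfault at 6248c405dda0 ip 6248c3e489ec sp 7fffa52e8410 error 7 in ld-2.5.so[6248c3e42000+1c000]
Apr 13 08:50:02 hostname kernel: usb 1-1: new high speed USB device using ehci_hcd
"""

# Assumption: field order and separators are exactly as in the quoted lines.
DENIAL = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?denied RWX mprotect of (?P<object>\S+) "
    r"by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, "
    r"parent (?P<parent_exe>\S+)\[[^:\]]+:(?P<ppid>\d+)\]"
)
SEGFAULT = re.compile(
    r"kernel: (?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<error>\d+)"
    r"(?: in (?P<module>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def triage(log_text):
    """Return one dict per RWX mprotect denial, with any later segfault of the same PID attached."""
    denials = {}
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m:
            rec = m.groupdict()
            rec["segfault"] = None
            denials[rec["pid"]] = rec
            continue
        m = SEGFAULT.search(line)
        if m and m["pid"] in denials:
            seg = m.groupdict()
            if seg["base"]:
                # Offset of the faulting instruction inside the mapped module.
                seg["ip_offset"] = hex(int(seg["ip"], 16) - int(seg["base"], 16))
            denials[m["pid"]]["segfault"] = seg
    return list(denials.values())

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["exe"], "pid", rec["pid"], "-> RWX mprotect denied on", rec["object"])
        if rec["segfault"]:
            print("  then segfault in", rec["segfault"]["module"], "at offset", rec["segfault"]["ip_offset"])
```
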
[issue11912] Python shouldn't use the mprotect() system call
Nils Breunese added the comment:

I haven't had any problems with other Python applications like this; Python seems fine otherwise. I just noticed that iotop has a dependency on python-ctypes, which sounds like it could be iotop doing the mprotect() calls via ctypes. Does that make sense?
[issue11912] Python shouldn't use the mprotect() system call
Nils Breunese added the comment:

I contacted the author of iotop and he told me iotop does not use mprotect (but it does use dlopen). Guess I'll have to do some more digging to find what exactly is doing the call to mprotect.