Mark stack as non-executable #43481
Mark stack as non-executable #43481
Conversation
nalimilan
added
building
| for f in intersect(dllist(), | ||
| [readdir(joinpath(Sys.BINDIR, Base.LIBDIR), join=true); | ||
| readdir(joinpath(Sys.BINDIR, Base.LIBDIR, "julia"), join=true)]) |
There was a problem hiding this comment.
I guess this check is too cautious as it shouldn't have passed on 64-bit Linux until the blastrampoline PR is merged. Maybe the paths are different so the intersection ends up being empty?
We could just use dllist(), the risk that a system library we link to would have executable stack enabled is quite low. The other approach would be to just keep the readdir part, but I figured it could be annoying as unused outdated libjulia.so.1.X can be in these directories (I had some), which would make tests fail and require manual removal (which is hard to find out).
|
By default, many dependencies are built by directly downloading the compiled binaries of BinaryBuilder.jl.
For example: All dependencies in the Should we update the BinaryBuilder build settings for julia-related dependencies? Is this link parameter necessary as a default setting for the global build of BinaryBuilder? |
|
No it shouldn't be needed in general, it's only for some libraries (here libjulia.so and libblastrampoline.so) for which the linker wasn't able to detect that they don't need an executable stack. |
|
The LBT PR referred to is merged and pulled in here. Just wondering if the next step is to revive this. |
|
Julia is still using an old libblastrampoline AFAICT, while we need at least version 4. @staticfloat Is there any reason not to update it? |
|
We are on version 5 of LBT. blastrampoline.version was behind and that was just fixed in #44258 |
nalimilan
force-pushed
the
nl/execstack
branch
from
cd86d8b to
602082a
Compare
|
OK, should be good to merge now. |
|
I don't have much experience with this linker flag, but it seems that tests are passing everywhere. Maybe good to see if @staticfloat and/or @giordano can take a look. |
The linker is unable to detect that executable stack is not required and so marks libjulia.so as requiring it Pass `-Wl,-z,noexecstack` to ensure that the stack is marked as not executable. This improves security and allows Julia to run on systems where SELinux has been configured to disallow executable stacks. AFAIK no change is needed on OSes other than Linux as they do not allow executable stacks by default.
ViralBShah
force-pushed
the
nl/execstack
branch
from
707bb57 to
fd77956
Compare
The linker is unable to detect that executable stack is not required and so marks libjulia.so as requiring it Pass `-Wl,-z,noexecstack` to ensure that the stack is marked as not executable. This improves security and allows Julia to run on systems where SELinux has been configured to disallow executable stacks. AFAIK no change is needed on OSes other than Linux as they do not allow executable stacks by default.
The linker is unable to detect that executable stack is not required and so marks libjulia.so as requiring it Pass `-Wl,-z,noexecstack` to ensure that the stack is marked as not executable. This improves security and allows Julia to run on systems where SELinux has been configured to disallow executable stacks. AFAIK no change is needed on OSes other than Linux as they do not allow executable stacks by default.
The linker is unable to detect that executable stack is not required and so marks libjulia.so as requiring it
Pass
-Wl,-z,noexecstackto ensure that the stack is marked as not executable.This improves security and allows Julia to run on systems where SELinux has been configured to disallow executable stacks.
AFAIK no change is needed on OSes other than Linux as they do not allow executable stacks by default.
Tests will fail until JuliaLinearAlgebra/libblastrampoline#51 is merged and libblatrampoline is updated, as libblastrampoline.so is also affected by the same problem.