Build with noexecstack (SELinux) #2049

Closed
ghost opened this issue May 19, 2019 · 7 comments
Labels
installing node Issues with installing node/io.js versions.

ghost commented May 19, 2019

  • Operating system and version: Debian GNU/Linux 9.9 (stretch)

  • nvm debug output:

nvm --version: v0.34.0
$SHELL: /bin/zsh
$SHLVL: 2
$HOME: /home/nyuszika7h
$NVM_DIR: '$HOME/.nvm'
$PATH: $HOME/.pyenv/plugins/pyenv-virtualenv/shims:$HOME/.pyenv/shims:$HOME/.pyenv/bin:$HOME/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games:$HOME/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games:/usr/local/bin:/usr/bin:/bin:/usr/games
$PREFIX: ''
$NPM_CONFIG_PREFIX: ''
$NVM_NODEJS_ORG_MIRROR: ''
$NVM_IOJS_ORG_MIRROR: ''
shell version: 'zsh 5.3.1 (x86_64-debian-linux-gnu)'
uname -a: 'Linux 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64 GNU/Linux'
OS version: Debian GNU/Linux 9
curl: /usr/bin/curl, curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2r zlib/1.2.8 libidn2/0.16 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.7.0 nghttp2/1.18.1 librtmp/2.3
wget: /usr/bin/wget, GNU Wget 1.18 built on linux-gnu.
git: /usr/bin/git, git version 2.11.0
grep: grep: aliased to grep --color (grep --color), grep (GNU grep) 2.27
awk: /usr/bin/awk, GNU Awk 4.1.4, API: 1.1 (GNU MPFR 3.1.5, GNU MP 6.1.2)
sed: /bin/sed, sed (GNU sed) 4.4
cut: /usr/bin/cut, cut (GNU coreutils) 8.26
basename: /usr/bin/basename, basename (GNU coreutils) 8.26
rm: /bin/rm, rm (GNU coreutils) 8.26
mkdir: /bin/mkdir, mkdir (GNU coreutils) 8.26
xargs: /usr/bin/xargs, xargs (GNU findutils) 4.7.0-git
nvm current: none
which node: node not found
which iojs: iojs not found
which npm: npm not found
npm config get prefix: nvm:169: command not found: npm
npm root -g: nvm:169: command not found: npm

  • nvm ls output:

```sh
      v8.16.0
node -> stable (-> v8.16.0) (default)
stable -> 8.16 (-> v8.16.0) (default)
iojs -> N/A (default)
unstable -> N/A (default)
lts/* -> lts/dubnium (-> N/A)
lts/argon -> v4.9.1 (-> N/A)
lts/boron -> v6.17.1 (-> N/A)
lts/carbon -> v8.16.0
lts/dubnium -> v10.15.3 (-> N/A)
```

  • How did you install nvm? (e.g. install script in readme, Homebrew): Install script

  • What steps did you perform? `nvm install 8`

  • What happened?

% nvm install 8
Downloading and installing node v8.16.0...
Downloading https://nodejs.org/dist/v8.16.0/node-v8.16.0-linux-x64.tar.xz...
######################################################################## 100.0%
Computing checksum with sha256sum
Checksums matched!
nvm is not compatible with the npm config "prefix" option: currently set to ""
Run `nvm use --delete-prefix v8.16.0` to unset it.

% sudo audit2why -al
[...]
type=AVC msg=audit(1558277862.320:4023): avc:  denied  { execmem } for  pid=741 comm="node" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
        Was caused by:
        One of the following booleans was set incorrectly.
        Description:
        Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")

        Allow access by executing:
        # setsebool -P allow_execmem 1
        Description:
        Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")

        Allow access by executing:
        # setsebool -P allow_execstack 1
  • What did you expect to happen?
    Node.js should be built using `-Wl,-z,noexecstack` so that it can work in SELinux enforcing mode.

  • Is there anything in any of your profile files (.bashrc, .bash_profile, .zshrc, etc) that modifies the PATH?
    Only adding pyenv and $HOME/.local but this is not relevant to this issue.

ljharb (Member) commented May 19, 2019

You can `nvm install 8 -Wl -z -noexecstack` yourself, and those arguments will be passed to node's install process - are you suggesting that nvm should be able to detect the need for these flags automatically?

ljharb added the "installing node" label May 19, 2019

ghost (Author) commented May 19, 2019 via email

ljharb (Member) commented May 19, 2019

No, it doesn’t seem to be, oddly enough :-)

Let me know if that works for you or not.

ghost (Author) commented May 20, 2019

It seems like the default build options for Node.js include noexecstack but the binaries come without it for some reason. Trying to compile it with `nvm install -s 8` now but I keep running into OOM (I have 32 GB RAM):

<--- Last few GCs --->

[7560:0x55b762844410] 247294033 ms: Mark-sweep 0.1 (3.0) -> 0.1 (3.0) MB, 0.1 / 0.0 ms  allocation failure GC in old space requested
[7560:0x55b762844410] 247294033 ms: Mark-sweep 0.1 (3.0) -> 0.1 (3.0) MB, 0.1 / 0.0 ms  last resort GC in old space requested
[7560:0x55b762844410] 247294034 ms: Mark-sweep 0.1 (3.0) -> 0.1 (3.0) MB, 0.1 / 0.0 ms  last resort GC in old space requested


<--- JS stacktrace --->


#
# Fatal javascript OOM in CALL_AND_RETRY_LAST
#

Received signal 4 ILL_ILLOPN 55b7619e5049

==== C stack trace ===============================

[end of stack trace]
Illegal instruction
deps/v8/src/v8_snapshot.target.mk:13: recipe for target '/home/nyuszika7h/.nvm/.cache/src/node-v8.16.0/files/out/Release/obj.target/v8_snapshot/geni/snapshot.cc' failed
make[1]: *** [/home/nyuszika7h/.nvm/.cache/src/node-v8.16.0/files/out/Release/obj.target/v8_snapshot/geni/snapshot.cc] Error 132
rm b5f07619ad30a2c297fdcb899678302769cafc74.intermediate
Makefile:88: recipe for target 'node' failed
make: *** [node] Error 2
nvm: install v8.16.0 failed!

ljharb (Member) commented May 20, 2019

The implication is that that would be failing even if you'd downloaded node from the website directly, and compiled it yourself (since that's all nvm is doing).

You may want to file an issue with node itself. Have you tried node 4, 6, 10, or 12?

ghost (Author) commented May 20, 2019 via email

ghost closed this as completed May 20, 2019

ljharb (Member) commented May 20, 2019

If it turns out there's anything nvm can do to automatically handle this issue, I'm more than happy to reopen it and do that.
