PROT_EXEC to mmap(2) during mediation which may cause security denials #3752

Closed
marcoancona opened this issue May 24, 2021 · 3 comments · Fixed by #3775

marcoancona commented May 24, 2021

Goals

We are trying to ship an Electron app that uses Realm in the Snapcraft store for Linux

Expected Results

No execstack is required by Realm binaries

Actual Results

An issue is raised:

Found files with executable stack. This adds PROT_EXEC to mmap(2) during mediation which may cause security denials. Either adjust your program to not require an executable stack, strip it with 'execstack --clear-execstack ...' or remove the affected file from your snap. Affected files: resources/app.asar.unpacked/node_modules/realm/build/Release/realm.node (Refer to https://forum.snapcraft.io/t/snap-and-executable-stacks/1812)

This issue is to suggest removing execstack from the node binaries if not needed.

Version of Realm and Tooling

  • Realm JS SDK Version: 10.4.1
  • Node or React Native: Node (Electron)
  • Client OS & Version: Linux

@kraenhansen (Member)

@marcoancona thanks for reporting this.
There should be no reason this should be set from our library's point of view.
Do you know how / where to configure this?

kneth commented Jun 2, 2021

marcoancona commented Jun 2, 2021

@kraenhansen
I am not an expert here, but according to https://forum.snapcraft.io/t/snap-and-executable-stacks/1812 you can also strip the flag after building:

execstack --clear-execstack ./realm.node

Of course a solution during the building phase might be preferable.
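
A check that can run in CI before packaging, to see whether a binary such as realm.node still carries the executable-stack marker that `execstack --clear-execstack` clears. This is an added example, not part of the original thread or Realm's build; it reads the ELF `PT_GNU_STACK` program header, and the function names and the sample ELF bytes are constructed for illustration.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack permissions
PF_X = 0x1                 # execute bit in p_flags

def gnu_stack_state(data: bytes) -> str:
    """Return 'exec', 'noexec' or 'missing' for an ELF image held in memory."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = {1: "<", 2: ">"}.get(data[5])          # EI_DATA: byte order
    if data[4] not in (1, 2) or end is None:     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
        raise ValueError("unknown ELF class or byte order")
    if data[4] == 2:
        if len(data) < 64:
            raise ValueError("truncated ELF header")
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
        flags_off = 4     # p_flags follows p_type in Elf64_Phdr
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
        flags_off = 24    # p_flags is the seventh field in Elf32_Phdr
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + flags_off + 4 > len(data):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, base + flags_off)
            return "exec" if p_flags & PF_X else "noexec"
    return "missing"  # no marker: the loader falls back to its architecture default

def sample_elf64(p_type: int, p_flags: int) -> bytes:
    """Constructed 64-bit little-endian ELF: header plus one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    for path in sys.argv[1:]:   # e.g. build/Release/realm.node
        with open(path, "rb") as fh:
            print(path, gnu_stack_state(fh.read()))
```

A result of `exec` or `missing` is worth failing the build on; `noexec` is the state the snap review expects.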

github-actions bot locked as resolved and limited conversation to collaborators Mar 16, 2024