Project

Profile

Help

Bug #6427

open

Problems with SELinux policy violations.

Added by Matt Patterson 6 months ago. Updated 6 months ago.

Status:
In Progress
Priority:
Low
Category:
-
Start date:
2024-05-15
Due date:
% Done:

0%

Estimated time:
Applies to branch:
Fix Committed on Branch:
Fixed in Maintenance Release:
Found in version:
Fixed in version:
SaxonC Languages:
SaxonC Platforms:
SaxonC Architecture:

Description

The .so produced by native-image winds up containing many TEXTRELs, which are a potential security problem and are flagged as policy violations by some SELinux policies.

A bit of background on the issue is here: https://flameeyes.blog/2016/01/16/textrels-text-relocations-and-their-impact-on-hardening-techniques/ .

This has been addressed by GraalVM, but the fix has not been released yet, won't be until September 2024 or later, and would also require updating our JDK version to JDK 21.

There is a possibility that switching to the gold linker ( https://en.wikipedia.org/wiki/Gold_(linker) ) and setting the -H:+ForceNoROSectionRelocation flag at build time could allow current native-image to generate .so files that don't violate, but this isn't certain and gold is an ELF-specific linker, so it would only address problems on Linux.

More research and testing is needed on the gold option.

Actions #1

Updated by Matt Patterson 6 months ago

This issue was raised by a customer having problems because their SaxonC-using app is being prevented from running by their required SELinux policy.

Please register to edit this issue

Also available in: Atom PDF