LIBFFI 34 static trampolines
Summary
Libffi is currently configured to use dynamic trampolines, which require some source of memory which is both writable and executable. This is an obvious security issue, and selinux and system defaults have made it more and more difficult to safely provide this memory to libffi clients. With this change, libffi will be configured to use static trampolines, which do not require such memory, and will not pose those security and administrative risks.
Owner
- Name: DJ Delorie
- Email: dj@redhat.com
Current status
- Targeted release: Fedora Linux 39
- Last updated: 2023-06-26
Detailed Description
The change itself is simple - libffi will no longer be configured with --disable-exec-static-tramp, which changes how closures are generated. Closures, and libffi, are used in many interpreted languages. There are about 145 packages that depend, directly or indirectly, on libffi. I ran the Mass Prebuilder. Of those 145, 10 already FTBFS, and 1 saw a new failure.
The Mass PreBuilder has indicated that cjs (Javascript Bindings for Cinnamon) will fail to build with static trampolines. We debugged this a bit and noted that cjs's upstream seems to be behind the gjs upstream (the gjs package builds OK) it tracks, and is missing at least two closure-related changes (although simply adding those two changes proved nontrivial).
Feedback
Benefit to Fedora
This change is needed to fully secure Fedora systems against attacks that use self-modifying code.
The cjs build failure affects the Cinnamon spin.
Scope
- Proposal owners:
The change is a single line in the spec file.
- Other developers:
The cjs package will need to be fixed to build with the new libffi.
Other libffi users will need to be aware of this change if they make closure-related changes to their packages, but should not need to take any actions at this time.
- Release engineering: #Releng issue number
This change does not affect release engineering or any other packaging issues. No mass rebuild is required.
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Community Initiatives: N/A
Upgrade/compatibility impact
This change does not change ABI but that assumes clients are not abusing the ABI; the static vs dynamic trampoline change is an internal implementation.
How To Test
Testing static trampolines is the same as testing libffi, with the exception that the tests should pass despite having all writable filesystems locked with selinux such that executable maps cannot be requested. A security context that does not allow the memfd_create() syscall would further isolate this change.
User Experience
Users will be able to follow latest security recommendations without concern for whether interpreters will stop working.
Dependencies
As noted above, the cjs package requires work before this change can go through. They have noted that they'll be rebasing to 5.8.x: https://bugzilla.redhat.com/show_bug.cgi?id=2193287
Note that cjs has rebased to 5.6.1 in the interim, just to fix this bug. I've tested it and it works with static trampolines.
Contingency Plan
Reverting the one line spec file change will revert this change, with no changes needed elsewhere. Not completing this change in time does not negatively impact other package, or Fedora's ability to ship on time.
- Contingency mechanism: We can revert the change at any time, without needing to rebuild any other packages.
- Contingency deadline: Any time before shipping.
- Blocks release? No.
Documentation
This is an internal change that should not need nor affect any documentation.
Release Notes
This change should not require any release notes.