From: =?utf-8?B?VG9tw6HFoQ==?= Trnka <trnka@scm.com>
To: linux-kernel@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>
Subject: System-wide hard RLIMIT_STACK in 4.14.4+ w/ SELinux
Date: Tue, 12 Dec 2017 11:58:00 +0100
Message-ID: <4229475.4Lp8rLWMsd@electra>
MIME-Version: 1.0
Content-Transfer-Encoding: 8BIT
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1275
Lines: 33

Hello,

Commit 04e35f4495dd560db30c25efca4eecae8ec8c375 "exec: avoid RLIMIT_STACK 
races with prlimit()" that made it into 4.14.4 effectively changes the default 
hard RLIMIT_STACK on machines with SELinux (seen on Fedora 27).

selinux_bprm_set_creds() sets bprm->secureexec for any SELinux domain 
transition that does not have the "noatsecure" permission. The secureexec 
logic thus kicks in for virtually every process launched by PID 1 systemd 
(init_t), including gettys, display managers, etc.

I can see that 8 MiB "should be enough for everyone" using normal software, 
but sadly the HPC stuff around here tends to need a little more (due to a 
deficiency in gfortran).

Minimal example (the actual types are not too important):

# /bin/ulimit -Hs
unlimited
# runcon -r system_r -t sysadm_t runcon -t rpm_script_t /bin/ulimit -Hs
8192

Of course this can be somewhat worked around by adjusting the SELinux policy 
(allowing blanket noatsecure permission for init_t and possibly others) or by 
pam_limits (for components using PAM). Unfortunately, systemd's LimitSTACK= is 
also broken (calls setrlimit before exec). Anyway, I wasn't expecting any of 
that in connection with the 4.14.3->.4 upgrade.

--
Best regards,

Tomáš Trnka
Software for Chemistry & Materials