Steam for Linux
Kaikki Keskustelut Taideteokset Videot Uutiset Oppaat

Steam for Linux

mikeym 15.11.2012 klo 7.16
SELinux issue with steam
Since I am running Fedora 17 I have SELinux running, I've found that SELinux has a complaint about Steam: Attempted Access of execheap

I don't know much about SELinux or this low level stuff so I can't comment on what's happening here. A quick search online for execheap turns up this piece on SELinux and execheap (among other things)[danwalsh.livejournal.com].

The article quotes Ulrich Drepper - the lead contributor and maintainer on GNU C - as saying about execheap:

"The POSIX specification does not permit it, but the Linux implementation of mprotect allows changing the access protection of memory on the heap (e.g., allocated using malloc). This error indicates that heap memory was supposed to be made executable. Doing this is really a bad idea. If anonymous, executable memory is needed it should be allocated using mmap which is the only portable mechanism."

Anyway I thought I'd post it hear to see if it's of any use to anyone.

(edit)

Well, a bit more information on what the bug means from my investigations for bug reporting.

The 'execheap' SELinux warning is a warning that heap memory (dynamically allocated memory) has been flagged as Writeable and Executable. This is a potential security exploit because malicious code could be injected into this memory and executed as part of the original process. This apparently wouldn't even be allowed in Windows under Data Execution Prevention - DEP (although I've not been able to confirm this).

The exploit appears to be open in source games - HL1 and TF2 (hl2_linux engine) confirmed by me. Also it was raising this issue in Steam Big Picture Mode for me around Christmas, but I haven't been able to reproduce this because other memory violations by Steam are preventing my opening BPM.

The call on my system for HL1 appears to be:

sys_mprotect(0x091C1000, 49152 /* 48 kibibyte */, PROT_READ | PROT_WRITE | PROT_EXEC);

You can decode that from /var/log/audit/audit.log for SELinux:

syscall=125 or sys_mprotect
a0=9779000 or 0x09779000 for another heap position
a1=c000 or 49152
a2=7 or PROT_READ(4) + PROT_WRITE(2) + PROT_EXEC(1)

See mprotect[www.kernel.org]
Viimeisin muokkaaja on mikeym; 4.3.2013 klo 6.20
< >
Näytetään 1-15 / 19 kommentista
makiftasova 15.11.2012 klo 13.55 
https://ask.fedoraproject.org/question/1996/how-to-disable-fedora-17-selinux

this might be helpful. SELinux is useful if you are running a server because it provides very high security, it blocks even samba server when samba tries to retrieve file list from network... so if you doesn't need to protect yourself too much you can disable it...
#1
Dusk of Oolacile 15.11.2012 klo 13.59 
I found it easier and safer not using big picture mode (that's what triggers the above mentioned issue) than disabling selinux. BPM is even less useful under the linux beta than under windows, as we don't even have a lot of games.
#2
mikeym 15.11.2012 klo 14.26 
@Senryo Kyoshiro & @LOLCAT, the complaint from SELinux isn't causing any issues for me as far as I can tell, although I've only tried Big Picture mode once and I don't think it worked. That's not really a problem for me for the reason @LOLCAT gave. The complaint is happening infrequntly but just with the normal window open.

I'm really just flagging it incase either one of the steam coders comes across it and recognises it as an issue or someone from the Linux community who knows more about SELinux than me recognises it as a security issue and can take it further. Either way it's out there now.
#3
Lysius 7.12.2012 klo 3.04 
I'm also seeing this on fedora 17. When I have selinux enabled, I get notified by sealert when I try to enter big picture mode. Shortly afterwards steam just crashes with
Uploading dump (in-process) [proxy ''] /tmp/dumps/crash_20121207113057_1.dmp success = yes response: CrashID=bp-b5a4065c-2614-48fa-8523-39bb62121207 ./steam.sh: line 325: 24309 Segmentation fault (core dumped) $DEBUGGER "$STEAMROOT/$PLATFORM/$STEAMEXE" "$@"
when I disable selinux enforcing, steam does not crash and big picture mode shows up properly.
#4
Equilibri0 7.12.2012 klo 14.34 
Hi, i get the same problem. If i switch to BPM steam just crash.
SELinux Alert a problem... soo i have read the selinux troubleshoting and get this solution :

Open a terminal and login as root and type the follow line:
setsebool -P selinuxuser_execheap 1

BPM starts under fedora 18.... sry for my bad english
#5
kessian 7.12.2012 klo 14.38 
Sorry for offtopic, but selinux on gaming machine? You're not joking? Why?
#6
mikeym 7.12.2012 klo 14.55 
@kessian SELinux by default on Fedora (and I guess others). Why? to provide modern security beyond the outdated File, User, Directory security in Linux, for exactly the same reason Ubuntu uses AppArmour.

This is really a bug with Steam that they need to fix. Having execheap is apparently bad and avoidable so hopefully with some pressure Valve should sort it out.

setsebool -P selinuxuser_execheap 1

Is a workaround in the meantime. Although you need to remember to set it back later when it's sorted.
#7
Kahn 9.12.2012 klo 3.46 
mikeym lähetti viestin:
*snip*
setsebool -P selinuxuser_execheap 1

Mikey's solution is the best bet here for now if this is the only AVC your coming across (If not I am keen to get the full output in your /var/log/audit/audit.log). I

am in the process of installing on my Fedora 17 x64 install at the moment with the express intention of defining a steam SELinux policy that we can commit to the reference policy (or better yet have Valve distribute it).

SELinux is really no different to your windows firewall and you don't see worth while software asking you to open up all ports on your firewall do you?

Cheers,

Kahn
Viimeisin muokkaaja on Kahn; 9.12.2012 klo 3.46
#8
mikeym 9.12.2012 klo 3.59 
Kahn lähetti viestin:
I am in the process of installing on my Fedora 17 x64 install at the moment with the express intention of defining a steam SELinux policy that we can commit to the reference policy (or better yet have Valve distribute it).

Awesome, please let us know when you've got it working. Another option for Fedora may be to get spot to package it up along with steam.
#9
gert 15.2.2013 klo 16.19 
After the recent Steam auto update Steam will *very frewuently* crash while doing nothing but being launched.

Uploading dump (in-process) [proxy '']
/tmp/dumps/crash_20130216011711_1.dmp
success = yes
response: CrashID=bp-e6b031c6-4f74-462e-805b-274f62130215
/home/gert/.local/share/Steam/steam.sh: line 561: 7331 Segmentation fault (core dumped) $STEAM_DEBUGGER "$STEAMROOT/$PLATFORM/$STEAMEXE" "$@"

So for anyone seeing that dumpreport, the issue is Steam is not calling mmap like it should. Will see if there is a bug on github for this.,
#10
looking4u 18.2.2013 klo 19.21 
I've also had this thing with SELinux:

SELinux is preventing /home/monolith/.local/share/Steam/ubuntu12_32/steam from using the execheap access on a process. ***** Plugin allow_execheap (53.1 confidence) suggests ********************* If you do not think /home/monolith/.local/share/Steam/ubuntu12_32/steam should need to map heap memory that is both writable and executable. Then you need to report a bug. This is a potentially dangerous access. Do contact your security administrator and report this issue. ***** Plugin catchall_boolean (42.6 confidence) suggests ******************* If you want to allow_execheap Then you must tell SELinux about this by enabling the 'allow_execheap' boolean.You can read 'unconfined_selinux' man page for more details. Do setsebool -P allow_execheap 1

Just for the record,
setsebool -P selinuxuser_execheap 1
does not work. I thought that <selinuxuser> should be replaced, so I also tested the command:
setsebool -P <user>_execheap 1
. Both commands gives this error:

libsemanage.dbase_llist_set: record not found in the database libsemanage.dbase_llist_set: could not set record value Could not change boolean selinuxuser_execheap Could not change policy booleans

The only command that returns OK is the command suggested in the SETroubleshooter:

setsebool -P allow_execheap 1

#11
mikeym 26.2.2013 klo 6.46 
OK, finally reported this on GitHub.

https://github.com/ValveSoftware/steam-for-linux/issues/2028
#12
mikeym 4.3.2013 klo 5.43 
And again:

https://github.com/ValveSoftware/steam-for-linux/issues/2073

And to the Ubuntu security team since Valve are apparently uninterested:

https://bugs.launchpad.net/ubuntu/+source/steam/+bug/1144246
#13
looking4u 4.3.2013 klo 17.04 
Last link is broken. Thanks for the github report.
#14
Kamikaze 5.3.2013 klo 0.50 
@mikeym - just so you know, that wasn't Valve closing those issues. I'm certain I saw 'Mr Schism' around when the beta was announced and he was hoping to get access to it just like everyone else. Perhaps he was so active in the community they gave him privileges to close issues on github? Or maybe anyone can close issues ??

Anyway, it would be good to see an official response from valve on the issue. Anyone concerned about this should make some noise on those issues to get them re-opened.

EDIT: Jumped the gun on this, ignore the above. I read a bit more on the other issues filed in GitHub, specifically:
https://github.com/ValveSoftware/steam-for-linux/issues/88
Valve have already commented on what this is for:
"At what point when running Steam does this happen? Steam hosts web pages which use JavaScript and WebKit will JIT that code, so execheap is necessary."

Apparently a bug has been filed with WebKit devs upstream which is what Steam use for their page rendering.

DOUBLE EDIT: Today's not my day. Just realised you also mentioned that execheap is needed for HL1 and TF2 aswell, not just in steam. Again, would be good to see a valve response on why it's needed in HL1 and TF2.
Viimeisin muokkaaja on Kamikaze; 5.3.2013 klo 1.18
#15
< >
Näytetään 1-15 / 19 kommentista
Sivua kohden: 1530 50

Steam for Linux > Yleiset keskustelut > Aiheen tiedot
Lähetetty: 15.11.2012 klo 7.16
Viestejä: 19

Keskusteluiden säännöt ja ohjeistukset