Slashdot Mirror

← Back to Stories (view on slashdot.org)

Portal 2 Incompatible With SELinux

Posted by timothy on from the are-you-telling-us-the-whole-truth? dept.

jones_supa writes "Valve has recently released Portal 2 on Steam for Linux and opened a GitHub entry to gather all the bugs from the community. When one of the Valve developers closed a bug related to Portal 2 recommending that the users disable a security feature, the Linux community reacted. A crash is caused by the game's interaction with SELinux, the Linux kernel subsystem that deals with access control security policies. Portal 2 uses the third-party Miles Sound System MP3 decoder which, in turn, uses execheap, a feature that is normally disabled by SELinux. Like its name suggests, execheap allows a program to map a part of the memory so that it is both writable and executable. This could be a problem if someone chose to use that particular memory section for buffer overflow attacks; that would eventually permit the hacker to gain access to the system by running code. In the end, Valve developer David W. took responsibility of the problem: 'I apologize for the mis-communication: Some underlying infrastructure our games rely on is incompatible with SELinux. We are hoping to correct this. Of course closing this bug isn't appropriate and I am re-opening it.' This is more of an upstream problem for Valve. It's not something that they can fix directly, and most likely they will have to talk with the Miles developers and try to repair the problem from that direction."

38 of 212 comments (clear)

  1. why does a decoder need execheap? by mrvan · · Score: 5, Interesting

    Why does a decoder need execheap? Is there some sort of optimization that causes the processing and data to be not separated? It sounds like an invitation for all kind of exploits (which is presumably why it is banned by execheap).

    Also, is there a reason to use a specific MP3 decoder? Is it because of licensing, or are there technical reasons?

    1. Re:why does a decoder need execheap? by Barny · · Score: 5, Informative

      The Miles Sound System is a game sound API that does more than just play a single MP3. It plays lots and lots at once, with spacial geometry, allowing accurate 2D and 3D sound to be produced. Many, many games use RAD Tools' stuff, this likely wont be a Valve-only issue but one facing a lot of game companies should they port to linux.

      --
      ...
      /me sighs
    2. Re:why does a decoder need execheap? by Barny · · Score: 5, Informative

      Oh, and for a full list of details on this stuff, see the site here http://www.radgametools.com/mi...

      --
      ...
      /me sighs
    3. Re:why does a decoder need execheap? by zippthorne · · Score: 2

      Is it? Why doesn't the sound hardware have built-in hardware decoders for common audio formats, or a DSP where the software can push out decoder and then just steam the "raw" mp3 or AC3 or whatever format?

      Doing the decoding on the cpu seems like an unnecessary source of audio lag to me.

      --
      Can you be Even More Awesome?!
    4. Re:why does a decoder need execheap? by Antique+Geekmeister · · Score: 4, Interesting

      What you're describing is a sometimes hidden form of the "Not Invented Here" problem, where some deficit in a working software stack is discarded for theoretical, not production reasons. In this case, it can be guaranteed to be unstable because it would replace whatever production grade audio tool is already working with one written in house, requiring maintenance, and _likely vulnerable to the same SELinux problems_.

    5. Re:why does a decoder need execheap? by tepples · · Score: 2, Insightful

      The designer of the sound hardware can't tell what formats (plural) will become popular in the future. And we already have a perfectly good DSP on the CPU.

    6. Re:why does a decoder need execheap? by wiredlogic · · Score: 4, Insightful

      None of which explains why it needs executable code and data mapped into the same memory space.

      --
      I am becoming gerund, destroyer of verbs.
    7. Re:why does a decoder need execheap? by Dr.Dubious+DDQ · · Score: 2

      That makes more sense - never mind "why does it need execheap", I was wondering why a game developer would be using mp3 files in the first place. Looks like "Miles Sound System" handles Ogg Vorbis as well, in addition to the various mixing/filtering/positioning functions in it.

      --
      Hacker Public Radio is our Friend
    8. Re:why does a decoder need execheap? by Anonymous Coward · · Score: 2, Informative

      Let's keep this on topic: no matter what this library accomplishes (and whether that is needed or not), why does it need to map any region of memory as both writable and executable?

      It's called "Just in Time Compilation" or JIT for short, a program generates machine instructions then executes the instructions it generated. JIT is useful for improving performance vs a standard emulation infrastructure like a switch statement inside a loop.

    9. Re:why does a decoder need execheap? by Anonymous Coward · · Score: 2, Informative

      Because Fraunhaufer (the MP3 patent holder) supplied RAD Game Tools with a Windows DLL for x86 platforms, and so they decompress the DLL into heap memory and then call functions on it on Linux. Lol.

    10. Re:why does a decoder need execheap? by mikael · · Score: 2

      Sounds like it is compiling it's own audio filters. Many of these drivers allow individual audio effects like echo, reverberation) to be chained together to form a complex pipeline. To get optimum performance the driver would compile these directly into assembler.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    11. Re:why does a decoder need execheap? by r1348 · · Score: 2

      We all know the answer: sloppy programming.

  2. Re:If a computer is important enough to need SELin by Yoda222 · · Score: 4, Insightful

    I think that most Windows gamers run anti-virus. Do you also have good advises for them ?

  3. Bad Practice by ThisIsNotAName · · Score: 2

    Last time I checked, it's a very bad practice to allow executable code to be writable. Sort of like freely using eval, goto or passing in unvalidated inputs for sql queries.

    1. Re:Bad Practice by tepples · · Score: 5, Interesting

      Without allowing code to be switched between writable and executable, how can dynamic recompilation work at all? Otherwise, your OS becomes iOS, whose strict W^X policy forbids third-party JIT engines.

    2. Re:Bad Practice by MoonlessNights · · Score: 3, Informative

      There are 2 ways of doing this:

      1) Map the memory as writable to populate it and then remap it as executable to run it. This way, it can only be one thing at a time which means that the malicious code can't enable itself.

      2) Map the memory at 2 virtual addresses, with different permissions. One virtual address is for writing and the other is for execution. This means that knowing the program counter or stack pointer isn't enough to write malicious code.

  4. I don't think it was a malicious mistake. by Johnny+Loves+Linux · · Score: 5, Informative

    I think it's a culture clash of developers who've only worked in a Windows environment and consequently are used to turning off operating system security so they can run a program, usually a game, vs. the Linux community who inherited the Unix culture where you can play games on the operating system, but you can't play games with the operating system.

    1. Re:I don't think it was a malicious mistake. by WuphonsReach · · Score: 3, Insightful

      Besides, SELinux is serious black magic and consequently there aren't many people who know how to correctly configure it.

      There's only a handful of commands needed these days on CentOS/RHEL boxes. And the "sealert" command will guide you about 90% of the way.

      I estimate that 80-90% of issues are mislabeled files (or ports) on the file system. Either because you have put files for a service that is protected with SELinux in a non-standard spot, or because the SELinux policy is out of date. Once you put your files in the proper location or use "semanage fcontext" to define the file context that should be applied to a particular path/file and relabel, those problems go away. The hardest part of this is defining the regex string to apply the right label to your file system.

      Other issues are handled by setting one of the SELinux boolean flags which enable optional parts of the security policy for the service (such as httpd). These loosen up the SELinux restrictions for cases that don't apply to everyone. The "getsebool" and "setsebool" flags handle this functionality. For example "httpd_enable_cgi" allows CGI scripts to execute. The nice part about the booleans is that you can turn them on/off at will to see if it fixes your issue before making the change permanent.

      And sometimes you have to use the brute-force "audit2allow" tool to write a customized policy that lets you do what you want to do. Just like any other tool, if you don't pay attention to what it is doing, you can shoot yourself in the foot.

      --
      Wolde you bothe eate your cake, and have your cake?
    2. Re:I don't think it was a malicious mistake. by _Shad0w_ · · Score: 2

      I believe part of the point of SELinux is that it approaches the problem from a direction of explicit permission rather than implicit. You explicitly have to say a program can do something, rather than the program just doing it because that's what it defaults to.

      Also the people are responsible for installing/configuring the system and the people responsible for installing/configuring the software that runs on the system aren't always the same.

      --

      Yeah, I had a sig once; I got bored of it.

  5. oh my god!! by Anonymous Coward · · Score: 2, Insightful

    Oh my god!?!? So what about the thousand enterprise software and services (from IBM to Oracle) which specifically say to absolutely disabile SELinux?!?
    Let's be honest, SELinux is one of the most useless piece of software ever created by men...

    1. Re:oh my god!! by tranquilidad · · Score: 2

      The first search from Google on Oracle SELinux is "3.7 Configuring and Using SELinux" and it discusses the difference between discretionary and mandatory access control.

      There's a difference between a vendor saying they don't support something or it doesn't work and scads of administrators who say, "This security crap is too hard, just turn it off."

    2. Re: oh my god!! by Allasard · · Score: 2

      OMG. This has always been sheer laziness by people who don't want to understand SELinux. Almost all of these problems could be solved by creating a new context rule to allow access that is needed. It's just that it takes a certain level of expertise to understand the concepts. Many RHCEs can to do this. Then they could add that command-line to their install instructions or scripts. There is no reason to disable SELinux.

    3. Re: oh my god!! by sjames · · Score: 4, Informative

      SELinux may have improved by leaps and bounds since I last touched it, but honestly it IS a wrong headed approach designed for an environment where a single security violation can be a disaster of global proportions.

      That's not to say that MAC is bad (it most certainly isn't) or that it's not a good idea on a desktop machine (it is). More that if you make something too draconian and too painful to relax a bit when needed, it tends to get turned off.

    4. Re: oh my god!! by kscguru · · Score: 2

      So getting a program to work right with SELinux takes a RHCE? And elevated access so you can drop the context rule in the right secure place?

      As one of the other posters noted here, the problem isn't configuring SELinux right on one system. The problem is that configuring it right is done differently on each user's different system - so you either have to write the configuration 3+ times (RPM, DEB, and pick some other common format, then listen to Linux users gripe about how you didn't support THEIR package format), or you have to write some sort of complicated setuid-root shell script that does the right thing. And to install this silly game (which doesn't require root), you have to be root! Remember how Windows got into a lot of trouble about how you had to be Administrator to install anything? But when it's SELinux with the same requirement, we are supposed to call this a good thing?

      SELinux is a wonderful system - IF you can enumerate all permissions needed by all software that will ever be installed on the system. Which is true only for toy OSes or base OS installs or for people who have solved the halting problem. And that's why any non-trivial software immediately suggests turning off SELinux - the defaults are too restrictive for real-world software (JIT is only allowed for Java / Browsers / other things the SELinux rule authors have seen before), and you need to really know the system well to properly alter the configuration while still maintaining security. The point is, installing new pieces of "normal" software is a major piece of functionality for the OS, which means the OS needs to handle this itself and configuring security is not something that should be foisted upon the software being installed. Really fancy software - e.g. database servers and such - may need to carry a security configuration with it. But come on - a game needs security configuration ?!?!

      (And before the Linux people skewer me for saying Windows is better - Linux is perfectly fine. It's SELinux that is ... difficult.)

      --

      A witty [sig] proves nothing. --Voltaire

    5. Re: oh my god!! by VGPowerlord · · Score: 2

      But how would you get such a rule installed? Steam is not using the standard package format of the underlying distribution and I don't even think it run as root*. So it can't just disable a SELinux rule.

      *I may be wrong. But there should be no reason for Steam to run as root.

      Have you tried downloading Steam for Linux? It's shipped as a deb file.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  6. no need to disable SELinux by ssam · · Score: 5, Informative

    you just need to allow the portal2 binary to use execheap. Now obviously its not good that portal2 uses execheap, but SELinux is fine grained enough to allow for it.

    1. Re:no need to disable SELinux by Nimey · · Score: 4, Funny

      Your facts are not welcome here, this room is Hysteria and Abuse.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    2. Re:no need to disable SELinux by mark-t · · Score: 2

      Right.... but allowing for it for portal 2 means that any potential attack vector which might exist in the program may be used to compromise the operating system. Or are you suggesting that it's impossible that there are any bugs at all in portal 2?

      --
      File under 'M' for 'Manic ranting'
    3. Re:no need to disable SELinux by jones_supa · · Score: 4, Insightful

      you just need to allow the portal2 binary to use execheap. Now obviously its not good that portal2 uses execheap, but SELinux is fine grained enough to allow for it.

      So it's either one of these that is the solution...

      a) Go to System Settings -> SELinux -> Exceptions tab -> Tick a checkbox next to "Portal 2".

      b) Read complex technical documentation with no good examples and spend a full day crafting the proper configuration by manually editing various text files.

      I wonder which one...

    4. Re:no need to disable SELinux by Anonymous Coward · · Score: 5, Funny

      The bug is a lie.

  7. Who do you trust? by nurb432 · · Score: 3, Insightful

    That is what it boils down to. Do i trust a game company on a secured system? No.

    --
    ---- Booth was a patriot ----
  8. Re:AV sucks. by Anonymous Coward · · Score: 2, Informative

    Oh, wow; why on earth is this marked as informative, it's an anti-informative comment.

    Any decent anti-virus program is not just going to be checking known signatures, but they will also be checking for malicious activities, execution and memory use patterns that virus makers use that shouldn't be in valid programs.

    This is why sometimes you'll get poorly written software that triggers false alarms, they do things they shouldn't and get caught for it.

    Additionally statistically very few people will happen across 0-day viruses, it's mostly existing ones that they will come across.

  9. Re:Learning experience by Opportunist · · Score: 5, Insightful

    While not false, the cost associated with NOT relying on third party tools also means that smaller studios could not possibly develop anything halfway competitive. Larger studios in turn would have to dedicate far more resources to developing the underlying basic engines rather than content.

    Yes, reliance on third party tools, APIs, engines and libraries makes you dependent on them. But it also frees a lot of resources that you can invest in the game rather than developing its foundation.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. Feigned outrage by Mr.+Freeman · · Score: 4, Insightful

    The same people complaining about Valve instructing people do disable SELinux are the very first people to recommend doing exactly the same thing when someone online asks "How do I do [basic thing] in Linux? It doesn't seem to be working." There isn't a single message board dedicated to Linux that isn't filled with "disable SELinux" posts.

    --
    -1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
  11. Re:AV sucks. by Anonymous Coward · · Score: 4, Informative

    They do.
    0% detection rate by all major AVs is pretty much a must-have if you want to sell a dropper.

  12. Re:Return to libc to circumvent role-changing by MoonlessNights · · Score: 2

    How can it spray itself over the writable area and mark itself executable if it isn't already running?

    You would need the existing (trusted) code of the application to spray the malicious code into a writable buffer and mark it executable before this problem could occur.

  13. BZZZZZT! Try again... by cbhacking · · Score: 2

    Wow, really? Sorry random person on the Internet, but you are *completely* wrong. Did you even read the link on return-oriented programming (ROP)?

    Here's how ROP works.
    First, I (the attacker) get memory corruption on your program. Let's say a big, meaty buffer overflow on stack (yes, I still see these vulns all the time. In 2014. It makes me sad too).
    Second, I spray a bunch of fake stack frames, overwriting all the real return addresses and frame pointers. I also dump some shellcode.
    Third, the function I'm in returns. Instead of returning to the shellcode directly, though (can't, because it's not executable), it returns to an instruction somewhere that does a tiny piece of work (like loading the address of the page with the shellcode into a register) and then returns. This is called a "gadget".
    Fourth, that first gadget "returns" into another gadget, and so on, each one setting up a function call that will convert the page containing shellcode from RW to RX.
    Fifth, after the call is set up, the last gadget (second-to-last sprayed stack frame) "returns" to the entry point of the memory protection call (mprotect on Linux, VirtualProtect on Windows).
    Sixth, the final sprayed stack frame - the one the mem protection function is using - returns to my newly-executable shellcode. You are pwned.

    So yeah, it turns out that bypassing W^X is really not that hard. This is not a new technique, either; it's been around since basically right after DEP (rather, the NX bit that enforces no-execute at the CPU/memory manager level on any modern OS) was invented. There are actual compilers for ROP, where C goes in one end (along with the program you're exploiting) and the ROP chain comes out the other. You don't need very much code to be able to make ROP Turing-complete. This is partially due to the way that x86/x64, with their variable-length instructions, allow mis-aligned operations. You may think there's code in your program that loads the stack pointer into EAX and then immediately RETs, but if you read every single byte of the program (and all its loaded libraries) as a potential instruction start, you will probably find one!

    To defeat ROP, you use ASLR (Address Space Layout Randomization), which in theory prevents successful ROP by randomizing the addresses of all the gadgets (specifically, loading all the executable code at addresses which have been XORed with a random mask). In practice, just like the way somebody will do something stupid that throws away the protection of DEP (like execheap does here...), somebody will write code that relies on being loaded at a fixed address, making an ASLR bypass possible. There are other ways too, like combining the overflow bug with an information leakage bug that tells the attacker what the ASLR mask is (i.e. if they can leak the address Y of something that is "supposed to" be at address X, they can get the ASLR mask M = Y^X) and then XOR their ROP addresses before exploitation.

    Nonetheless, ROP is harder than just smashing the stack (or heap) data structures and pivoting into your shellcode. Marking some memory as RWX is just asking for trouble, and should never be done.

    --
    There's no place I could be, since I've found Serenity...
  14. Re:And it begin by dbIII · · Score: 2

    It's more ready than MS Windows with the stupid popup windows, minimising the game window during play without warning, restarts etc. Let's see some work on that for Win 8.*