Portal 2 Incompatible With SELinux

← Back to Stories (view on slashdot.org)

Portal 2 Incompatible With SELinux

Posted by timothy on Saturday March 8, 2014 @03:15AM from the are-you-telling-us-the-whole-truth? dept.

jones_supa writes "Valve has recently released Portal 2 on Steam for Linux and opened a GitHub entry to gather all the bugs from the community. When one of the Valve developers closed a bug related to Portal 2 recommending that the users disable a security feature, the Linux community reacted. A crash is caused by the game's interaction with SELinux, the Linux kernel subsystem that deals with access control security policies. Portal 2 uses the third-party Miles Sound System MP3 decoder which, in turn, uses execheap, a feature that is normally disabled by SELinux. Like its name suggests, execheap allows a program to map a part of the memory so that it is both writable and executable. This could be a problem if someone chose to use that particular memory section for buffer overflow attacks; that would eventually permit the hacker to gain access to the system by running code. In the end, Valve developer David W. took responsibility of the problem: 'I apologize for the mis-communication: Some underlying infrastructure our games rely on is incompatible with SELinux. We are hoping to correct this. Of course closing this bug isn't appropriate and I am re-opening it.' This is more of an upstream problem for Valve. It's not something that they can fix directly, and most likely they will have to talk with the Miles developers and try to repair the problem from that direction."

19 of 212 comments (clear)

Min score:

Reason:

Sort:

why does a decoder need execheap? by mrvan · 2014-03-08 03:23 · Score: 5, Interesting

Why does a decoder need execheap? Is there some sort of optimization that causes the processing and data to be not separated? It sounds like an invitation for all kind of exploits (which is presumably why it is banned by execheap).
Also, is there a reason to use a specific MP3 decoder? Is it because of licensing, or are there technical reasons?
1. Re:why does a decoder need execheap? by Barny · 2014-03-08 03:38 · Score: 5, Informative
  
  The Miles Sound System is a game sound API that does more than just play a single MP3. It plays lots and lots at once, with spacial geometry, allowing accurate 2D and 3D sound to be produced. Many, many games use RAD Tools' stuff, this likely wont be a Valve-only issue but one facing a lot of game companies should they port to linux.
  
  --
  ...
  /me sighs
2. Re:why does a decoder need execheap? by Barny · 2014-03-08 03:40 · Score: 5, Informative
  
  Oh, and for a full list of details on this stuff, see the site here http://www.radgametools.com/mi...
  
  --
  ...
  /me sighs
3. Re:why does a decoder need execheap? by Antique+Geekmeister · 2014-03-08 04:16 · Score: 4, Interesting
  
  What you're describing is a sometimes hidden form of the "Not Invented Here" problem, where some deficit in a working software stack is discarded for theoretical, not production reasons. In this case, it can be guaranteed to be unstable because it would replace whatever production grade audio tool is already working with one written in house, requiring maintenance, and _likely vulnerable to the same SELinux problems_.
4. Re:why does a decoder need execheap? by wiredlogic · 2014-03-08 05:15 · Score: 4, Insightful
  
  None of which explains why it needs executable code and data mapped into the same memory space.
  
  --
  I am becoming gerund, destroyer of verbs.
Re:If a computer is important enough to need SELin by Yoda222 · 2014-03-08 03:27 · Score: 4, Insightful

I think that most Windows gamers run anti-virus. Do you also have good advises for them ?
I don't think it was a malicious mistake. by Johnny+Loves+Linux · 2014-03-08 03:39 · Score: 5, Informative

I think it's a culture clash of developers who've only worked in a Windows environment and consequently are used to turning off operating system security so they can run a program, usually a game, vs. the Linux community who inherited the Unix culture where you can play games on the operating system, but you can't play games with the operating system.
1. Re:I don't think it was a malicious mistake. by WuphonsReach · 2014-03-08 06:50 · Score: 3, Insightful
  
  Besides, SELinux is serious black magic and consequently there aren't many people who know how to correctly configure it.
  
  There's only a handful of commands needed these days on CentOS/RHEL boxes. And the "sealert" command will guide you about 90% of the way.
  
  I estimate that 80-90% of issues are mislabeled files (or ports) on the file system. Either because you have put files for a service that is protected with SELinux in a non-standard spot, or because the SELinux policy is out of date. Once you put your files in the proper location or use "semanage fcontext" to define the file context that should be applied to a particular path/file and relabel, those problems go away. The hardest part of this is defining the regex string to apply the right label to your file system.
  
  Other issues are handled by setting one of the SELinux boolean flags which enable optional parts of the security policy for the service (such as httpd). These loosen up the SELinux restrictions for cases that don't apply to everyone. The "getsebool" and "setsebool" flags handle this functionality. For example "httpd_enable_cgi" allows CGI scripts to execute. The nice part about the booleans is that you can turn them on/off at will to see if it fixes your issue before making the change permanent.
  
  And sometimes you have to use the brute-force "audit2allow" tool to write a customized policy that lets you do what you want to do. Just like any other tool, if you don't pay attention to what it is doing, you can shoot yourself in the foot.
  
  --
  Wolde you bothe eate your cake, and have your cake?
Re:Bad Practice by tepples · 2014-03-08 03:48 · Score: 5, Interesting

Without allowing code to be switched between writable and executable, how can dynamic recompilation work at all? Otherwise, your OS becomes iOS, whose strict W^X policy forbids third-party JIT engines.
no need to disable SELinux by ssam · 2014-03-08 03:51 · Score: 5, Informative

you just need to allow the portal2 binary to use execheap. Now obviously its not good that portal2 uses execheap, but SELinux is fine grained enough to allow for it.
1. Re:no need to disable SELinux by Nimey · 2014-03-08 04:09 · Score: 4, Funny
  
  Your facts are not welcome here, this room is Hysteria and Abuse.
  
  --
  Hail Eris, full of mischief...
  
  E pluribus sanguinem
2. Re:no need to disable SELinux by jones_supa · 2014-03-08 04:40 · Score: 4, Insightful
  
  you just need to allow the portal2 binary to use execheap. Now obviously its not good that portal2 uses execheap, but SELinux is fine grained enough to allow for it.
  So it's either one of these that is the solution...
  a) Go to System Settings -> SELinux -> Exceptions tab -> Tick a checkbox next to "Portal 2".
  b) Read complex technical documentation with no good examples and spend a full day crafting the proper configuration by manually editing various text files.
  I wonder which one...
3. Re:no need to disable SELinux by Anonymous Coward · 2014-03-08 04:42 · Score: 5, Funny
  
  The bug is a lie.
Who do you trust? by nurb432 · 2014-03-08 04:00 · Score: 3, Insightful

That is what it boils down to. Do i trust a game company on a secured system? No.

--
---- Booth was a patriot ----
Re: oh my god!! by sjames · 2014-03-08 04:40 · Score: 4, Informative

SELinux may have improved by leaps and bounds since I last touched it, but honestly it IS a wrong headed approach designed for an environment where a single security violation can be a disaster of global proportions.
That's not to say that MAC is bad (it most certainly isn't) or that it's not a good idea on a desktop machine (it is). More that if you make something too draconian and too painful to relax a bit when needed, it tends to get turned off.
Re:Learning experience by Opportunist · 2014-03-08 04:40 · Score: 5, Insightful

While not false, the cost associated with NOT relying on third party tools also means that smaller studios could not possibly develop anything halfway competitive. Larger studios in turn would have to dedicate far more resources to developing the underlying basic engines rather than content.
Yes, reliance on third party tools, APIs, engines and libraries makes you dependent on them. But it also frees a lot of resources that you can invest in the game rather than developing its foundation.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Feigned outrage by Mr.+Freeman · 2014-03-08 05:01 · Score: 4, Insightful

The same people complaining about Valve instructing people do disable SELinux are the very first people to recommend doing exactly the same thing when someone online asks "How do I do [basic thing] in Linux? It doesn't seem to be working." There isn't a single message board dedicated to Linux that isn't filled with "disable SELinux" posts.

--
-1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
Re:Bad Practice by MoonlessNights · 2014-03-08 05:21 · Score: 3, Informative

There are 2 ways of doing this:
1) Map the memory as writable to populate it and then remap it as executable to run it. This way, it can only be one thing at a time which means that the malicious code can't enable itself.
2) Map the memory at 2 virtual addresses, with different permissions. One virtual address is for writing and the other is for execution. This means that knowing the program counter or stack pointer isn't enough to write malicious code.
Re:AV sucks. by Anonymous Coward · 2014-03-08 05:24 · Score: 4, Informative

They do.
0% detection rate by all major AVs is pretty much a must-have if you want to sell a dropper.