Closed rhtcodebase closed 1 year ago
Here's the details of my setup:
[root@scs000172834 prohit_outbox]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"

[root@scs000172834 prohit_outbox]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
From the self test result, I find this:
===============
IMPORTANT: Auto-skipping junixsocket-rmi tests due to missing CAPABILITY_LARGE_PORTS
IMPORTANT: The native library failed to load.
IMPORTANT: Your temporary directory is probably mounted with "noexec", which prevents the native library from loading.
IMPORTANT: see: https://github.com/kohlschutter/junixsocket/issues/99
IMPORTANT: Temp dir: /tmp
IMPORTANT: You can specify a different directory using -Dorg.newsclub.net.unix.library.tmpdir=
IMPORTANT: Environment does not support UNIX sockets, which is an important part of junixsocket.
IMPORTANT: "With issues": Please carefully check the output above; the software may not be able to do what you want.

Supported capabilities: []
Unsupported capabilities: [CAPABILITY_PEER_CREDENTIALS, CAPABILITY_ANCILLARY_MESSAGES, CAPABILITY_FILE_DESCRIPTORS, CAPABILITY_ABSTRACT_NAMESPACE, CAPABILITY_UNIX_DATAGRAMS, CAPABILITY_NATIVE_SOCKETPAIR, CAPABILITY_FD_AS_REDIRECT, CAPABILITY_TIPC, CAPABILITY_UNIX_DOMAIN, CAPABILITY_VSOCK, CAPABILITY_VSOCK_DGRAM, CAPABILITY_ZERO_LENGTH_SEND, CAPABILITY_UNSAFE, CAPABILITY_LARGE_PORTS, CAPABILITY_DARWIN]
I read through the issue https://github.com/kohlschutter/junixsocket/issues/99 and overcame the tmp directory limitation. However, the socket file isn't getting created. It also says the environment doesn't support UNIX sockets. However, when I remove the noexec restriction on /tmp, everything seems to work normally. Is there any workaround for this?
Please try with the following jar (please rename the suffix from zip to jar — Github wouldn't allow the jar suffix here...) junixsocket-selftest-2.8.1-SNAPSHOT-jar-with-dependencies.zip
I've just verified with Rocky Linux 9.2 (which should be close enough to your setting):
With the 2.8.1-SNAPSHOT jar, execution works as long as user.home (user home directory) or user.dir (current working directory) is not mounted as "noexec".
For example, if your user account has write access to some /opt or /srv folder, these mount points are not mounted with noexec even with the ANSSI-high profile.
If you use a secured environment where all three places (temp directory, user home, current directory) are mounted with noexec, then this works "as designed".
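A pre-flight check for the situation the maintainer describes, added here as an example and not code from junixsocket or from anyone in this thread: it reads a mount table in /proc/self/mounts format, reports whether each candidate directory (temp dir, user home, current directory, or an /opt or /srv location) sits on a noexec mount, and picks the first one that does not, so the result can be passed as -Dorg.newsclub.net.unix.library.tmpdir=. The MOUNTS_FILE override and the sample mount table are assumptions constructed for the example; on a real host leave MOUNTS_FILE unset and it reads /proc/self/mounts.

```shell
#!/bin/sh
# Added example (not junixsocket's own code): find a directory that is not
# mounted "noexec" so the junixsocket native library can be extracted and
# mapped there. Mount data is read in /proc/self/mounts format:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>
# MOUNTS_FILE is an assumed override so the logic can run against constructed data.

MOUNTS_FILE=${MOUNTS_FILE:-/proc/self/mounts}

# Print the mount options of the mount that provides directory $1: the longest
# mount point that is a prefix of $1 (a later line wins on ties, since later
# mounts shadow earlier ones).
mount_options_for() {
  dir=$1
  best=''
  best_opts=''
  while read -r _src mp _fstype opts _rest; do
    [ -n "$mp" ] || continue
    # /proc/self/mounts escapes spaces in paths as \040; decode them
    mp=$(printf '%b' "$mp")
    if [ "$mp" = / ]; then
      match=1
    else
      case "$dir" in "$mp"|"$mp"/*) match=1 ;; *) match=0 ;; esac
    fi
    if [ "$match" -eq 1 ] && [ ${#mp} -ge ${#best} ]; then
      best=$mp
      best_opts=$opts
    fi
  done < "$MOUNTS_FILE"
  printf '%s\n' "$best_opts"
}

# Succeed (exit 0) if directory $1 lives on a filesystem mounted with noexec.
is_noexec() {
  case ",$(mount_options_for "$1")," in
    *,noexec,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the first candidate directory (arguments, in order) that is not on a
# noexec mount; exit 1 if every candidate is noexec.
pick_library_tmpdir() {
  for d in "$@"; do
    if ! is_noexec "$d"; then
      printf '%s\n' "$d"
      return 0
    fi
  done
  return 1
}

# Constructed sample mount table modelling a hardened host: /tmp and /home are
# noexec, /opt is not. Prints the path of the temporary file it wrote.
write_sample_mounts() {
  f=$(mktemp 2>/dev/null || printf '%s\n' "${TMPDIR:-/tmp}/sample_mounts.$$")
  cat > "$f" <<'EOF'
/dev/mapper/rhel-root / xfs rw,relatime,seclabel 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,seclabel 0 0
/dev/mapper/rhel-home /home xfs rw,nosuid,nodev,noexec,relatime,seclabel 0 0
/dev/mapper/rhel-opt /opt xfs rw,nodev,relatime,seclabel 0 0
EOF
  printf '%s\n' "$f"
}

# Stand-alone run against the sample table (directories are constructed names).
demo() {
  sample=$(write_sample_mounts)
  MOUNTS_FILE=$sample
  for d in /tmp /home/rohit /opt/app /srv; do
    if is_noexec "$d"; then echo "$d: noexec"; else echo "$d: exec allowed"; fi
  done
  if dir=$(pick_library_tmpdir /tmp /home/rohit /opt/app); then
    echo "use: java -Dorg.newsclub.net.unix.library.tmpdir=$dir -jar app.jar"
  else
    echo "all candidates are noexec; the native library cannot be loaded from any of them"
  fi
  rm -f "$sample"
}
demo
```

With MOUNTS_FILE unset the same functions run against the live mount table, so the script can wrap the JVM launch and refuse to start (or log why) when no candidate directory is exec-capable, instead of leaving the failure to surface as an UnsatisfiedLinkError at runtime.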
Thanks Dr. Kohlschuetter. 2.8.1-SNAPSHOT jar is passing the self test. Here's the log: self_test_2.8.1_pass.txt
It would be of great help if you could let me know when you are planning to release v2.8.1. My project is dependent on this library and we are currently blocked due to this.
Appreciate and acknowledge your quick help on this.
-Rohit
Should be released in about 2 hours (mostly waiting on artifacts appearing on Maven Central).
I thought this was fixed, you proved me wrong :) Thanks for reporting, Rohit!!
2.8.1 released. Again, thanks for reporting @rhtcodebase !
Thanks so much. I got my app working now!
Describe the bug
We have an application that uses junixsocket 2.7.2 and we are seeing that on an SELinux-enabled system with /tmp mounted with noexec, the junixsocket native library is crashing. I am attaching the self test results. We don't see that problem if /tmp is mounted with exec permission. I have done the self test for both 2.7.2 and 2.8.0 and both seem to fail.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
It shouldn't crash.
Output/Screenshots
Suppressed: java.lang.UnsatisfiedLinkError: /tmp/libtmp3251380450989097213libjunixsocket-native-2.7.2.so: /tmp/libtmp3251380450989097213libjunixsocket-native-2.7.2.so: failed to map segment from shared object
	at java.base/java.lang.ClassLoader$NativeLibrary.load0(Native Method)
	at java.base/java.lang.ClassLoader$NativeLibrary.load(ClassLoader.java:2450)
	at java.base/java.lang.ClassLoader$NativeLibrary.loadLibrary(ClassLoader.java:2506)
	at java.base/java.lang.ClassLoader.loadLibrary0(ClassLoader.java:2705)
	at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:2635)
	at java.base/java.lang.Runtime.load0(Runtime.java:768)
	at java.base/java.lang.System.load(System.java:1850)
	at org.newsclub.net.unix.NativeLibraryLoader$ClasspathLibraryCandidate.load(NativeLibraryLoader.java:195)
Please make sure to test the problem still occurs on the latest version of junixsocket. Please add the output of the selftest from the latest version available, for example:
java -jar junixsocket-selftest-2.7.0-jar-with-dependencies.jar
The selftest is available from the Release section on GitHub.
All minor version updates (e.g., 2.4.x -> 2.5.x) are supposed to be backwards compatible. If you find that this isn't the case, please mention it in your report. Thank you!
Notes
Add any other context about the problem here. Please link/attach any source code that is useful to diagnose the issue.
selftest_result_2.8.0_failed.txt
self_test_result_2.7.2_failed.txt