Hardened systemd service cause polkit fail to start with mozjs-102

[vmihalko]

In GitLab by @xry111 on Jul 29, 2023, 10:16

Current behaviour, description of the problem

Install polkit-123 built with mozjs-102, then

# systemctl daemon-reload
# systemctl restart polkit
Job for polkit.service failed because a fatal signal was delivered causing the control process to dump core.
See "systemctl status polkit.service" and "journalctl -xeu polkit.service" for details.

Desired behaviour

polkit daemon should start fine.

Reproducer

See current behavior.

Detailed description

Bisect pinpoints to 25eef55dddbf0b4d635fbdd508710b496be80d9c as the first bad commit. I'll try to figure out which specific hardening option caused this.

[vmihalko]

In GitLab by @xry111 on Jul 29, 2023, 10:22

Well, it's caused by MemoryDenyWriteExecute=yes. It seems the JIT compiler in mozjs attempts to create WX memory mappings.

I think the reasonable thing to do is disabling JIT.

[vmihalko]

In GitLab by @xry111 on Jul 29, 2023, 10:56

Hmm, even if JIT is disabled this still does not work. I've created https://bugzilla.mozilla.org/show_bug.cgi?id=1846122, but for now the only possible short-term fix is allowing W/X mapping if mozjs used.

[vmihalko]

In GitLab by @jrybar on Jul 31, 2023, 12:36

Hello Xi,
thanks for looking into this.
I'm just writing a release-announcement mail stating that the next version is planned for December.
Knowing this, I can add a note about this flaw with a link to your patch. Is that acceptable solution for now?

[vmihalko]

In GitLab by @xry111 on Jul 31, 2023, 12:53

Ok.