Bug 459490

Summary: SELinux is preventing /app/bin/krita from execmod access on the file /memfd:JITCode:/app/lib/libQt5Qml.so.5
Product: [Applications] krita
Reporter: Timothée Ravier <tim>
Component: General
Assignee: amyspark <amy>
Status: RESOLVED FIXED
Severity: crash
CC: amy, halla, hi
Priority: NOR
Version: 5.1.1
Target Milestone: ---
Platform: Flatpak
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Timothée Ravier 2022-09-21 13:25:52 UTC
SUMMARY

```
$ flatpak run org.kde.krita
Qt: Session management error: None of the authentication protocols specified are supported
Qt: Session management error: None of the authentication protocols specified are supported
Qt: Session management error: None of the authentication protocols specified are supported
Gtk-Message: 10:38:18.107: Failed to load module "canberra-gtk-module"
Gtk-Message: 10:38:18.107: Failed to load module "pk-gtk-module"
Gtk-Message: 10:38:18.107: Failed to load module "canberra-gtk-module"
Gtk-Message: 10:38:18.107: Failed to load module "pk-gtk-module"
Qt: Session management error: None of the authentication protocols specified are supported
QObject::startTimer: Timers cannot have negative intervals
/app/lib/krita-python-libs/krita added to PYTHONPATH
mprotect failed in ExecutableAllocator::makeExecutable: Permission denied
*** stack smashing detected ***: terminated
```

The execmod permission is:
```
execmod	Make executable a file mapping that has been modified by copy-on-write. (Text relocation)
```

SELinux info:
```
SELinux is preventing /app/bin/krita from execmod access on the file /memfd:JITCode:/app/lib/libQt5Qml.so.5 (deleted).

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow selinuxuser to execmod
Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean.

Do
setsebool -P selinuxuser_execmod 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that krita should be allowed execmod access on the libQt5Qml.so.5 (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'krita' --raw | audit2allow -M my-krita
# semodule -X 300 -i my-krita.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                /memfd:JITCode:/app/lib/libQt5Qml.so.5 (deleted) [
                              file ]
Source                        krita
Source Path                   /app/bin/krita
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.1.43-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-34.1.43-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 5.14.0-165.el9.x86_64
                              #1 SMP PREEMPT_DYNAMIC Sat Sep 17 14:08:33 UTC
                              2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-09-21 10:35:57 UTC
Last Seen                     2022-09-21 10:35:57 UTC
Local ID                      b05c62de-18d6-4526-99b3-dc83fc8c1748

Raw Audit Messages
type=AVC msg=audit(1663756557.214:170): avc:  denied  { execmod } for  pid=4216 comm="krita" path=2F6D656D66643A4A4954436F64653A2F6170702F6C69622F6C6962517435516D6C2E736F2E35202864656C6574656429 dev="tmpfs" ino=14421 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1663756557.214:170): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7f5f6c1dd000 a1=ae a2=5 a3=2 items=0 ppid=4215 pid=4216 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm=krita exe=/app/bin/krita subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: krita,unconfined_t,user_tmp_t,file,execmod
```

I will try to provide a stack-trace later.

STEPS TO REPRODUCE
1. Install Krita from Flathub on CentOS Stream 9 (can be reproduced in a VM)
2. Start Krita

OBSERVED RESULT

Crash

EXPECTED RESULT

No crash

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: CentOS Stream 9
KDE Plasma Version: N/A, happens in GNOME too
KDE Frameworks Version: From Flatpak
Qt Version: From Flatpak

ADDITIONAL INFORMATION

See original report in https://github.com/flathub/org.kde.krita/issues/66
Comment 1 Timothée Ravier 2022-09-21 13:30:15 UTC
Might be related to https://bugzilla.redhat.com/show_bug.cgi?id=1686675.
Might be related to the fact that Krita in Flathub uses an old Qt version.
Comment 2 Halla Rempt 2022-09-21 16:04:44 UTC
Honestly, I have no idea what all of this means... The Flathub report says this should be reported to us, but what are we supposed to do?
Comment 3 amyspark 2022-09-21 16:44:47 UTC
As shown in the official Qt bug report (https://bugreports.qt.io/browse/QTBUG-58508), this should have been fixed on the Qt side in 5.11. We're definitely not doing anything except using Qt QML ourselves.

I don't know if this should be marked as RESOLVED UPSTREAM, since the Flathub package clearly isn't of our own authorship. Halla?
Comment 4 Halla Rempt 2022-09-21 17:43:07 UTC
Yeah, I'm not sure either... Upstream (if it's an issue in Qt) or downstream (if it's an issue in flatpak, but the flatpak people told Timothée to report here). But I don't see what _we_ can do about this...
Comment 5 Long Vu 2022-09-21 19:54:37 UTC
One of the commenters mentioned on the issue that it also occurred for them using the AppImage on AlmaLinux 9:
https://github.com/flathub/org.kde.krita/issues/66#issuecomment-1252893268
Comment 6 amyspark 2022-09-21 21:47:55 UTC
Does AlmaLinux also have SELinux enabled by default?
Comment 7 amyspark 2022-09-21 21:55:10 UTC
Hm, a better question is: if you run Krita under SELinux with Qt 5.15, does it show the issue?
Comment 8 Long Vu 2022-09-21 22:31:03 UTC
(In reply to amyspark from comment #6)
> Does AlmaLinux also have SELinux enabled by default?

Yes, I spun up AlmaLinux 9 on a VM and can repro the issue mentioned there using the AppImage. I can also verify SELinux is enabled out of the box. I'm not sure if the policy shipped by AlmaLinux and CentOS differs from the Fedora one, as Fedora works fine.

```
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
```

> Hm, a better question is: if you run Krita under SELinux with Qt 5.15, does it show the issue?

Is there an AppImage of Krita using Qt 5.15 for testing? The distro repos don't seem to include Krita.
Comment 9 amyspark 2022-09-21 23:22:20 UTC
There's no 5.15 AppImage as it's a Qt version we don't support officially. But I think I found the reason for this issue: Qt truly fixed their JIT much later: https://codereview.qt-project.org/c/qt/qtdeclarative/+/329522

Unfortunately it's a mix of three different Qt branches, which makes it a royal mess to cherry-pick safely.
Comment 10 amyspark 2022-09-22 01:47:30 UTC
I've got the branch ready, will try to build it tomorrow. Sending the draft MR just in case.
Comment 11 Bug Janitor Service 2022-09-22 01:52:02 UTC
A possibly relevant merge request was started @ https://invent.kde.org/graphics/krita/-/merge_requests/1592
Comment 12 Halla Rempt 2022-09-22 07:31:15 UTC
Okay, so someone needs to build and test this; I don't think any Krita developer that uses Linux uses SELinux.
Comment 13 Timothée Ravier 2022-09-22 09:09:38 UTC
I'm the one that asked for it to be reported here, as Krita is not using the same version of Qt as everyone else, so we cannot just update it without your input.

Thanks for the investigation.
Comment 14 Long Vu 2022-09-22 09:19:01 UTC
I attempted a build with the patches from the MR, getting this error currently.

```
jsruntime/qv4function.cpp:49:10: fatal error: private/qv4functiontable_p.h: No such file or directory
   49 | #include <private/qv4functiontable_p.h>
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
make[2]: *** [Makefile:11117: .obj/qv4function.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory '/run/build/qtdeclarative/src/qml'
make[1]: *** [Makefile:56: sub-qml-make_first-ordered] Error 2
make[1]: Leaving directory '/run/build/qtdeclarative/src'
make: *** [Makefile:50: sub-src-make_first] Error 2
FB: host_command_exited_cb 656805 512
```
Comment 15 amyspark 2022-09-22 17:56:23 UTC
(In reply to Long Vu from comment #14)
> I attempted a build with the patches from the MR, getting this error
> currently.
> 
> jsruntime/qv4function.cpp:49:10: fatal error: private/qv4functiontable_p.h:
> No such file or directory
>    49 | #include <private/qv4functiontable_p.h>
>       |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> compilation terminated.
> make[2]: *** [Makefile:11117: .obj/qv4function.o] Error 1
> make[2]: *** Waiting for unfinished jobs....
> make[2]: Leaving directory '/run/build/qtdeclarative/src/qml'
> make[1]: *** [Makefile:56: sub-qml-make_first-ordered] Error 2
> make[1]: Leaving directory '/run/build/qtdeclarative/src'
> make: *** [Makefile:50: sub-src-make_first] Error 2
> FB: host_command_exited_cb 656805 512

I updated the patches, didn't know Qt shipped pregenerated headers too. Please try again and let me know how it goes?
Comment 16 amyspark 2022-09-23 13:15:31 UTC
Git commit 6f95172f6146c696d60a0af94b00d817e4c69117 by L. E. Segovia.
Committed on 23/09/2022 at 13:14.
Pushed by lsegovia into branch 'master'.

3rdparty: don't let Qt enable JIT under hardened SELinux policies

Although the official bug report [1] said it was fixed in 5.11, in
reality it was only fixed in 6.1 (with a 5.15 backport) [2].

[1]: https://bugreports.qt.io/browse/QTBUG-58508

[2]: https://codereview.qt-project.org/c/qt/qtdeclarative/+/329522
(cherry picked from commit fca57a28c902218fb5b950d655bc0c473e0b2bce)

A  +1045 -0    3rdparty/ext_qt/0134-V4-Generate-function-tables-on-64bit-windows.patch
A  +46   -0    3rdparty/ext_qt/0135-Use-lowercase-name-for-window-header.patch
A  +203  -0    3rdparty/ext_qt/0136-JIT-When-making-memory-writable-include-the-exceptio.patch
A  +480  -0    3rdparty/ext_qt/0137-masm-Add-error-handling-for-failed-mprotect.patch
A  +39   -0    3rdparty/ext_qt/0138-Fix-Clang-10-warning-about-converting-ULLONG_MAX-to-.patch
A  +128  -0    3rdparty/ext_qt/0139-Fix-Wdeprecated-copy-warnings.patch
M  +6    -0    3rdparty/ext_qt/CMakeLists.txt

https://invent.kde.org/graphics/krita/commit/6f95172f6146c696d60a0af94b00d817e4c69117
Comment 17 amyspark 2022-09-23 13:16:19 UTC
Git commit 0ae8ecb44487a3aaa27a7dea30eb67fe65e076af by L. E. Segovia.
Committed on 23/09/2022 at 13:16.
Pushed by lsegovia into branch 'krita/5.1'.

3rdparty: don't let Qt enable JIT under hardened SELinux policies

Although the official bug report [1] said it was fixed in 5.11, in
reality it was only fixed in 6.1 (with a 5.15 backport) [2].

[1]: https://bugreports.qt.io/browse/QTBUG-58508

[2]: https://codereview.qt-project.org/c/qt/qtdeclarative/+/329522
(cherry picked from commit fca57a28c902218fb5b950d655bc0c473e0b2bce)
(cherry picked from commit 6f95172f6146c696d60a0af94b00d817e4c69117)

A  +1045 -0    3rdparty/ext_qt/0134-V4-Generate-function-tables-on-64bit-windows.patch
A  +46   -0    3rdparty/ext_qt/0135-Use-lowercase-name-for-window-header.patch
A  +203  -0    3rdparty/ext_qt/0136-JIT-When-making-memory-writable-include-the-exceptio.patch
A  +480  -0    3rdparty/ext_qt/0137-masm-Add-error-handling-for-failed-mprotect.patch
A  +39   -0    3rdparty/ext_qt/0138-Fix-Clang-10-warning-about-converting-ULLONG_MAX-to-.patch
A  +128  -0    3rdparty/ext_qt/0139-Fix-Wdeprecated-copy-warnings.patch
M  +6    -0    3rdparty/ext_qt/CMakeLists.txt

https://invent.kde.org/graphics/krita/commit/0ae8ecb44487a3aaa27a7dea30eb67fe65e076af