ros-jazzy-desktop* contain libamdhip64.so.5 with executable stack #15

Open
Guillaumebeuzeboc opened this issue Jul 11, 2024 · 6 comments


@Guillaumebeuzeboc
Collaborator

From the automatic Snap Store review:

 “Found files with executable stack. This adds PROT_EXEC to mmap(2) during mediation which may cause security denials. Either adjust your program to not require an executable stack, strip it with 'execstack --clear-execstack ...' or remove the affected file from your snap. Affected files: usr/lib/x86_64-linux-gnu/libamdhip64.so.5.7.31921 functional-snap-v2_execstack

Notes from the manual reviewer:

Approving for now, but please update your snap so it will pass automated review. For an example of how to fix this see https://github.com/alexmurray/amberol-snap/commit/20bc35f29a90c12f177c55de740cfc7fd77a6629”

The library libamdhip64.so.5 from the package libamdhip64-5 contains an executable stack that doesn't pass the Snap Store automatic review.
The package libamdhip64-5 is a dependency of libpcl-dev, which is used in packages like ros-jazzy-cartographer-ros or even ros-jazzy-velodyne-pointcloud.

The dependency tree is libamdhip64-5 -> libucx0 -> libopenmpi3t64 -> libopenmpi-dev -> mpi-default-dev -> libvtk9-dev -> libvtk9-qt-dev -> libpcl-dev

The library libamdhip64.so.5 is not supposed to have the exec stack. It was enabled by default by mistake.
The issue got fixed in the next major version (6).

As a temporary solution we can manually remove the exec stack from the library.
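
What the review check and the temporary workaround above act on, shown as an added example that is not part of the original issue or of the project's code: the executable-stack marking is the PF_X bit in the p_flags field of the PT_GNU_STACK program header. The sketch handles only ELF64 little-endian files; the function names and the sample image are constructed for illustration.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type that carries stack permissions
PF_X = 0x1                 # "executable" bit in p_flags
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian file header
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 little-endian program header


def find_gnu_stack(image):
    """Return (file offset of p_flags, p_flags) for PT_GNU_STACK, or None."""
    if len(image) < EHDR.size or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("this example only handles ELF64 little-endian")
    fields = EHDR.unpack_from(image, 0)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + PHDR.size > len(image):
            raise ValueError("program header table runs past end of file")
        p_type, p_flags = struct.unpack_from("<II", image, off)
        if p_type == PT_GNU_STACK:
            return off + 4, p_flags  # p_flags follows p_type in ELF64
    return None


def clear_exec_stack(image):
    """Return a copy of the image with PF_X cleared in PT_GNU_STACK."""
    entry = find_gnu_stack(image)
    if entry is None:
        raise ValueError("no PT_GNU_STACK header to edit")
    flags_off, flags = entry
    patched = bytearray(image)
    struct.pack_into("<I", patched, flags_off, flags & ~PF_X)
    return bytes(patched)


def build_sample(stack_flags):
    """Constructed minimal image: ELF header, one PT_LOAD, one PT_GNU_STACK."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0, EHDR.size, PHDR.size, 2, 0, 0, 0)
    load = PHDR.pack(1, 5, 0, 0, 0, 0, 0, 0x1000)
    stack = PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + load + stack


if __name__ == "__main__":
    rwx = build_sample(0x7)  # constructed input with an RWX stack marking
    print(hex(find_gnu_stack(rwx)[1]), "->", hex(find_gnu_stack(clear_exec_stack(rwx))[1]))
```

Only the four p_flags bytes change, so the file size and every other header stay identical after the edit.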

@Guillaumebeuzeboc
Collaborator Author

An MR got merged on review-tools so this library gets ignored: https://code.launchpad.net/~gbeuzeboc/review-tools/+git/review-tools/+merge/469447

@Guillaumebeuzeboc
Collaborator Author

The change of review-tool is now available on latest/stable. Should we revert back the change we made here? @artivis

@MirkoFerrati
Contributor

> The change of review-tool is now available on latest/stable. Should we revert back the change we made here? @artivis

Fine for me!

@artivis
Contributor

artivis commented Nov 18, 2024

This workaround was also implemented in a few other snaps, let's make sure to revert it everywhere 👍

@Guillaumebeuzeboc
Collaborator Author

Guillaumebeuzeboc commented Nov 18, 2024
