How to exempt PHP from w^x?

In FreeBSD 13.0-p3, I've enabled w^x by adding to /etc/sysctl.conf:
Code:
kern.elf32.allow_wx=0
kern.elf64.allow_wx=0
Now in my apache logs I see:
Code:
"PHP Warning: preg_match_all(): Allocation of JIT memory failed, PCRE JIT will be disabled. This is likely caused by security restrictions. Either grant PHP permission to allocate executable memory"
How do I exempt just PHP? I tried:

elfctl -e +wxneeded /usr/local/bin/php

but even after a reboot I still get that logged. Perhaps there is another executable that needs exempting?

Thanks. Sean.
 
Unfortunately, this is a function of W^X and JIT compilers being unable to co-exist if it's writing into the buffer while executing, which it seems to do. (This would imply an OS like OpenBSD has not been able to run such a JIT for a long time.)

I suspect the only thing is to:
a) Ignore it.
b) Find a way to turn off the JIT for pcre.

As to why it doesn't work with php exempted, perhaps it's php-cgi running it? (A bad guess?)

Do you know what triggers this? If so, you could trigger it, watch via truss and see if you can pick up what it's doing.
 
I realize this is the function of w^x, indeed I'm looking only to exempt this one case.

Yes I'm able to reproduce this, and good idea with php-cgi, but alas exempting it didn't help.

Never heard of truss, but will give it a try. Thanks.
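
A small probe for checking whether an `elfctl -e +wxneeded` exemption takes effect on a given binary, added here as an example and not part of the thread: build it, run it with `kern.elf64.allow_wx=0`, then mark the binary with `elfctl` and run it again. It assumes the JIT warning comes from a request for memory that is writable and executable at the same time; the function names are made up for the example.

```c
#define _DEFAULT_SOURCE /* expose MAP_ANON under strict glibc modes */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define PROBE_LEN 4096

/* Request one anonymous page with the given protection.
 * Returns 0 on success, otherwise the errno reported by mmap(). */
int probe_mmap(int prot)
{
    void *p = mmap(NULL, PROBE_LEN, prot, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, PROBE_LEN);
    return 0;
}

/* The pattern that never holds W and X together: map read/write,
 * fill the page, then swap write for execute with mprotect().
 * Returns 0 on success, otherwise the errno of the failing call. */
int probe_rw_then_rx(void)
{
    unsigned char *p = mmap(NULL, PROBE_LEN, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    memset(p, 0, PROBE_LEN); /* stand-in for generated code; never executed */
    int err = 0;
    if (mprotect(p, PROBE_LEN, PROT_READ | PROT_EXEC) != 0)
        err = errno;
    munmap(p, PROBE_LEN);
    return err;
}

int main(void)
{
    int rwx = probe_mmap(PROT_READ | PROT_WRITE | PROT_EXEC);
    int flip = probe_rw_then_rx();
    printf("RWX mapping:      %s\n", rwx ? strerror(rwx) : "allowed");
    printf("RW then RX remap: %s\n", flip ? strerror(flip) : "allowed");
    return rwx != 0; /* exit status 1 when the RWX request is refused */
}
```

If the probe reports the RWX mapping as allowed once it is marked, the exemption mechanism itself works, and the process logging the warning is running from a binary that has not been marked.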
 