From patchwork Tue Oct 3 20:11:50 2023
X-Patchwork-Submitter: Siddhesh Poyarekar
X-Patchwork-Id: 77054
From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: adhemerval.zanella@linaro.org, fweimer@redhat.com, carlos@redhat.com
Subject: [PATCH 1/2] Make all malloc tunables SXID_ERASE
Date: Tue, 3 Oct 2023 16:11:50 -0400
Message-ID: <20231003201151.1406279-2-siddhesh@sourceware.org>
In-Reply-To: <20231003201151.1406279-1-siddhesh@sourceware.org>
References: <20231003201151.1406279-1-siddhesh@sourceware.org>

The malloc tunables were made SXID_IGNORE to mimic the environment variables they aliased, in order to maintain compatibility. This allowed alteration of allocator behaviour across setuid boundaries, where a setuid program may ignore the tunable but its non-setuid child can read it and adjust allocator behaviour accordingly.

It's not clear how useful this misfeature is; most library behaviour tuning is limited to the current process and does not bleed in scope like this. If behaviour change across privilege boundaries is desirable, it should be done with a wrapper program around the non-setuid child that sets these envvars, instead of using the setuid process as the messenger.

In future, maybe systemwide tunables could allow setting tunable values across privilege boundaries.

Signed-off-by: Siddhesh Poyarekar --- elf/dl-tunables.list | 12 +++--------- elf/tst-env-setuid-tunables.c | 25 ++----------------------- elf/tst-env-setuid.c | 4 ++-- sysdeps/generic/unsecvars.h | 7 +++++++ 4 files changed, 14 insertions(+), 34 deletions(-) diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list index 695ba7192e..42d8ffd06d 100644 --- a/elf/dl-tunables.list +++ b/elf/dl-tunables.list @@ -22,7 +22,9 @@ # maxval: Optional maximum acceptable value # env_alias: An alias environment variable # security_level: Specify security level of the tunable for AT_SECURE binaries. -# Valid values are: +# Valid values are as follows. There must be a strong, well +# documented reason for a tunable to be marked SXID_IGNORE or +# SXID_NONE: # # SXID_ERASE: (default) Do not read and do not pass on to # child processes. @@ -41,7 +43,6 @@ glibc { top_pad { type: SIZE_T env_alias: MALLOC_TOP_PAD_ - security_level: SXID_IGNORE default: 131072 } perturb { @@ -49,35 +50,29 @@ glibc { minval: 0 maxval: 0xff env_alias: MALLOC_PERTURB_ - security_level: SXID_IGNORE } mmap_threshold { type: SIZE_T env_alias: MALLOC_MMAP_THRESHOLD_ - security_level: SXID_IGNORE } trim_threshold { type: SIZE_T env_alias: MALLOC_TRIM_THRESHOLD_ - security_level: SXID_IGNORE } mmap_max { type: INT_32 env_alias: MALLOC_MMAP_MAX_ - security_level: SXID_IGNORE minval: 0 } arena_max { type: SIZE_T env_alias: MALLOC_ARENA_MAX minval: 1 - security_level: SXID_IGNORE } arena_test { type: SIZE_T env_alias: MALLOC_ARENA_TEST minval: 1 - security_level: SXID_IGNORE } tcache_max { type: SIZE_T @@ -91,7 +86,6 @@ glibc { mxfast { type: SIZE_T minval: 0 - security_level: SXID_IGNORE } hugetlb { type: SIZE_T diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c index f0b92c97e7..79795cdce7 100644 --- a/elf/tst-env-setuid-tunables.c +++ b/elf/tst-env-setuid-tunables.c 
@@ -60,26 +60,6 @@ const char *teststrings[] = "glibc.not_valid.check=2", }; -const char *resultstrings[] = -{ - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.perturb=0x800", - "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", - "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", - "", - "", - "", - "", - "", - "", - "", -}; - static int test_child (int off) { @@ -87,12 +67,11 @@ test_child (int off) printf (" [%d] GLIBC_TUNABLES is %s\n", off, val); fflush (stdout); - if (val != NULL && strcmp (val, resultstrings[off]) == 0) + if (val != NULL && val[0] == '\0') return 0; if (val != NULL) - printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n", - off, val, resultstrings[off]); + printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val); else printf (" [%d] GLIBC_TUNABLES environment variable absent\n", off); diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c index 032ab44be2..100e2c6871 100644 --- a/elf/tst-env-setuid.c +++ b/elf/tst-env-setuid.c @@ -46,9 +46,9 @@ test_child (void) return 1; } - if (getenv ("MALLOC_MMAP_THRESHOLD_") == NULL) + if (getenv ("MALLOC_MMAP_THRESHOLD_") != NULL) { - printf ("MALLOC_MMAP_THRESHOLD_ lost\n"); + printf ("MALLOC_MMAP_THRESHOLD_ is still set\n"); return 1; } diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h index 8278c50a84..ca70e2e989 100644 --- a/sysdeps/generic/unsecvars.h +++ b/sysdeps/generic/unsecvars.h 
@@ -17,7 +17,14 @@ "LD_SHOW_AUXV\0" \ "LOCALDOMAIN\0" \ "LOCPATH\0" \ + "MALLOC_ARENA_MAX\0" \ + "MALLOC_ARENA_TEST\0" \ + "MALLOC_MMAP_MAX_\0" \ + "MALLOC_MMAP_THRESHOLD_\0" \ + "MALLOC_PERTURB_\0" \ + "MALLOC_TOP_PAD_\0" \ "MALLOC_TRACE\0" \ + "MALLOC_TRIM_THRESHOLD_\0" \ "NIS_PATH\0" \ "NLSPATH\0" \ "RESOLV_HOST_CONF\0" \

From patchwork Tue Oct 3 20:11:51 2023
X-Patchwork-Submitter: Siddhesh Poyarekar
X-Patchwork-Id: 77053
From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: adhemerval.zanella@linaro.org, fweimer@redhat.com, carlos@redhat.com, Szabolcs Nagy
Subject: [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE
Date: Tue, 3 Oct 2023 16:11:51 -0400
Message-ID: <20231003201151.1406279-3-siddhesh@sourceware.org>
In-Reply-To: <20231003201151.1406279-1-siddhesh@sourceware.org>
References: <20231003201151.1406279-1-siddhesh@sourceware.org>

Limit effect of memory tagging to the same process and don't let it bleed across privilege boundaries into non-setuid children of setuid processes.

Signed-off-by: Siddhesh Poyarekar --- elf/dl-tunables.list | 1 - 1 file changed, 1 deletion(-) diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list index 42d8ffd06d..44baf10eaa 100644 --- a/elf/dl-tunables.list +++ b/elf/dl-tunables.list
@@ -152,7 +152,6 @@ glibc { type: INT_32 minval: 0 maxval: 255 - security_level: SXID_IGNORE } }
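Review bot: In elf/dl-tunables.list (patch 1/2, the hunk dropping `security_level: SXID_IGNORE` from top_pad through mxfast), this user-visible behaviour change ships without documentation: the diffstat lists only dl-tunables.list, the two tests and unsecvars.h. Children of setuid programs will no longer see these tunables or their MALLOC_* aliases, so a NEWS entry and a matching note in the manual's tunables chapter would help anyone who relied on the old pass-through, and could point at the wrapper-program approach the commit message recommends.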
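Review bot: In elf/tst-env-setuid-tunables.c test_child (patch 1/2), the new condition `val != NULL && val[0] == '\0'` accepts only a GLIBC_TUNABLES that is present but empty, while the "environment variable absent" branch still sits after the only visible `return 0`. A one-line comment stating why an erased tunable string is expected to be empty rather than unset would make that contract explicit. With resultstrings removed, the test also no longer covers an input where some tunables survive filtering and others are dropped; if any tunable stays at SXID_IGNORE or SXID_NONE, keeping one such case would preserve coverage of that path.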
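Review bot: In elf/tst-env-setuid.c test_child (patch 1/2), the visible lines check only MALLOC_MMAP_THRESHOLD_ for removal, while the unsecvars.h hunk adds seven MALLOC_* names. Unless the rest of the test already covers them, consider asserting that the other six (MALLOC_ARENA_MAX, MALLOC_ARENA_TEST, MALLOC_MMAP_MAX_, MALLOC_PERTURB_, MALLOC_TOP_PAD_, MALLOC_TRIM_THRESHOLD_) are also unset in the child, so a name later dropped from the list by mistake is caught.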
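Review bot: In sysdeps/generic/unsecvars.h (patch 1/2), the seven added MALLOC_* strings duplicate the env_alias values in elf/dl-tunables.list, so the two lists can drift apart when an alias is added or renamed. A comment here, or beside the env_alias description in dl-tunables.list, saying that the alias of an SXID_ERASE tunable must also appear in this list would make the dependency visible to the next person touching either file.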
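Review bot: In elf/dl-tunables.list (patch 2/2), the removal of `security_level: SXID_IGNORE` has no accompanying test change (the diffstat shows 1 file changed). Consider adding a glibc.mem.tagging entry to teststrings in elf/tst-env-setuid-tunables.c so the erase behaviour is checked for this tunable as well. The commit message could also record why SXID_IGNORE was chosen originally, as patch 1/2 does for the malloc tunables.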