[1/2] Make all malloc tunables SXID_ERASE
Checks
Context | Check | Description
redhat-pt-bot/TryBot-apply_patch | success | Patch applied to master at the time it was sent
linaro-tcwg-bot/tcwg_glibc_build--master-arm | success | Testing passed
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64 | success | Testing passed
linaro-tcwg-bot/tcwg_glibc_check--master-arm | fail | Testing failed
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64 | success | Testing passed
Commit Message
The malloc tunables were made SXID_IGNORE to mimic the environment
variables they aliased, in order to maintain compatibility. This
allowed alteration of allocator behaviour across setuid boundaries,
where a setuid program may ignore the tunable but its non-setuid child
can read it and adjust allocator behaviour accordingly.
It's not clear how useful this misfeature is; most library behaviour
tuning is limited to the current process and does not bleed in scope
like this. If behaviour change across privilege boundaries is
desirable, it should be done with a wrapper program around the
non-setuid child that sets these envvars, instead of using the setuid
process as the messenger. In future, maybe systemwide tunables could
allow setting tunable values across privilege boundaries.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---
elf/dl-tunables.list | 12 +++---------
elf/tst-env-setuid-tunables.c | 25 ++-----------------------
elf/tst-env-setuid.c | 4 ++--
sysdeps/generic/unsecvars.h | 7 +++++++
4 files changed, 14 insertions(+), 34 deletions(-)
@@ -22,7 +22,9 @@
# maxval: Optional maximum acceptable value
# env_alias: An alias environment variable
# security_level: Specify security level of the tunable for AT_SECURE binaries.
-# Valid values are:
+# Valid values are as follows. There must be a strong, well
+# documented reason for a tunable to be marked SXID_IGNORE or
+# SXID_NONE:
#
# SXID_ERASE: (default) Do not read and do not pass on to
# child processes.
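Review bot: In the security_level comment, the added sentence sits between "Valid values are as follows" and the list itself, so the colon that introduces the list now ends the caveat about SXID_IGNORE and SXID_NONE. Consider keeping "Valid values are:" directly above the list and moving the "strong, well documented reason" requirement to after the value descriptions, where the reader has already seen what those two levels mean.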
@@ -41,7 +43,6 @@ glibc {
top_pad {
type: SIZE_T
env_alias: MALLOC_TOP_PAD_
- security_level: SXID_IGNORE
default: 131072
}
perturb {
@@ -49,35 +50,29 @@ glibc {
minval: 0
maxval: 0xff
env_alias: MALLOC_PERTURB_
- security_level: SXID_IGNORE
}
mmap_threshold {
type: SIZE_T
env_alias: MALLOC_MMAP_THRESHOLD_
- security_level: SXID_IGNORE
}
trim_threshold {
type: SIZE_T
env_alias: MALLOC_TRIM_THRESHOLD_
- security_level: SXID_IGNORE
}
mmap_max {
type: INT_32
env_alias: MALLOC_MMAP_MAX_
- security_level: SXID_IGNORE
minval: 0
}
arena_max {
type: SIZE_T
env_alias: MALLOC_ARENA_MAX
minval: 1
- security_level: SXID_IGNORE
}
arena_test {
type: SIZE_T
env_alias: MALLOC_ARENA_TEST
minval: 1
- security_level: SXID_IGNORE
}
tcache_max {
type: SIZE_T
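Review bot: Dropping security_level from perturb through arena_test changes user-visible behaviour for every MALLOC_* alias in this hunk (they fall back to the SXID_ERASE default described in the header comment), yet the diffstat touches no NEWS or manual file. Unless 2/2 carries it, add a NEWS entry stating that these variables and their tunables are no longer passed through AT_SECURE programs to child processes, and mention the wrapper-program alternative from the commit message.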
@@ -91,7 +86,6 @@ glibc {
mxfast {
type: SIZE_T
minval: 0
- security_level: SXID_IGNORE
}
hugetlb {
type: SIZE_T
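Review bot: The mxfast entry shown here has no env_alias, so the commit message's explanation (SXID_IGNORE was chosen "to mimic the environment variables they aliased") does not cover why it was SXID_IGNORE in the first place. A sentence in the commit message noting that mxfast is included for consistency, even though it never had an alias, would make the scope of "all malloc tunables" explicit.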
@@ -60,26 +60,6 @@ const char *teststrings[] =
"glibc.not_valid.check=2",
};
-const char *resultstrings[] =
-{
- "glibc.malloc.mmap_threshold=4096",
- "glibc.malloc.mmap_threshold=4096",
- "glibc.malloc.mmap_threshold=4096",
- "glibc.malloc.perturb=0x800",
- "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
- "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
- "glibc.malloc.mmap_threshold=4096",
- "glibc.malloc.mmap_threshold=4096",
- "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
-};
-
static int
test_child (int off)
{
@@ -87,12 +67,11 @@ test_child (int off)
printf (" [%d] GLIBC_TUNABLES is %s\n", off, val);
fflush (stdout);
- if (val != NULL && strcmp (val, resultstrings[off]) == 0)
+ if (val != NULL && val[0] == '\0')
return 0;
if (val != NULL)
- printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
- off, val, resultstrings[off]);
+ printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
else
printf (" [%d] GLIBC_TUNABLES environment variable absent\n", off);
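Review bot: In test_child, the new success condition val[0] == '\0' accepts only a present-but-empty GLIBC_TUNABLES and still treats an absent variable as a failure, but nothing in the test says why empty rather than unset is the expected result. With the per-index resultstrings gone, add a short comment above the check stating that every tunable in teststrings is expected to be erased and that the variable itself is expected to remain in the environment as an empty string.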
@@ -46,9 +46,9 @@ test_child (void)
return 1;
}
- if (getenv ("MALLOC_MMAP_THRESHOLD_") == NULL)
+ if (getenv ("MALLOC_MMAP_THRESHOLD_") != NULL)
{
- printf ("MALLOC_MMAP_THRESHOLD_ lost\n");
+ printf ("MALLOC_MMAP_THRESHOLD_ is still set\n");
return 1;
}
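Review bot: The inverted getenv check covers only MALLOC_MMAP_THRESHOLD_, while the unsecvars.h change in this patch adds seven MALLOC_* names. A typo or omission in any of the other six would pass this test unnoticed; consider setting all seven in the parent and looping over them in test_child, failing on the first one that is still set.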
@@ -17,7 +17,14 @@
"LD_SHOW_AUXV\0" \
"LOCALDOMAIN\0" \
"LOCPATH\0" \
+ "MALLOC_ARENA_MAX\0" \
+ "MALLOC_ARENA_TEST\0" \
+ "MALLOC_MMAP_MAX_\0" \
+ "MALLOC_MMAP_THRESHOLD_\0" \
+ "MALLOC_PERTURB_\0" \
+ "MALLOC_TOP_PAD_\0" \
"MALLOC_TRACE\0" \
+ "MALLOC_TRIM_THRESHOLD_\0" \
"NIS_PATH\0" \
"NLSPATH\0" \
"RESOLV_HOST_CONF\0" \
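Review bot: The seven names added to this list duplicate the env_alias values in elf/dl-tunables.list by hand, and nothing visible in the patch ties the two together. A future tunable that gains an env_alias at the default SXID_ERASE level could be erased from GLIBC_TUNABLES while its alias still reaches the child. Add a comment here and next to env_alias in dl-tunables.list stating that the alias of any SXID_ERASE tunable must also appear in unsecvars.h, or generate these entries from the tunables list.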