[v3,18/19] elf: Ignore LD_BIND_NOW and LD_BIND_NOT for setuid binaries

Message ID 20231106202552.3404059-19-adhemerval.zanella@linaro.org
State Superseded
Delegated to: Siddhesh Poyarekar
Headers
Series Improve loader environment variable handling |

Checks

Context Check Description
redhat-pt-bot/TryBot-apply_patch success Patch applied to master at the time it was sent
linaro-tcwg-bot/tcwg_glibc_build--master-arm success Testing passed
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64 success Testing passed
linaro-tcwg-bot/tcwg_glibc_check--master-arm success Testing passed
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64 success Testing passed

Commit Message

Adhemerval Zanella Nov. 6, 2023, 8:25 p.m. UTC
  To avoid any environment variable to change setuid binaries
semantics.

Checked on x86_64-linux-gnu.
---
 elf/rtld.c                  | 8 ++++++--
 elf/tst-env-setuid.c        | 4 ++--
 sysdeps/generic/unsecvars.h | 2 ++
 3 files changed, 10 insertions(+), 4 deletions(-)
  

Comments

Siddhesh Poyarekar Nov. 20, 2023, 11:02 p.m. UTC | #1
On 2023-11-06 15:25, Adhemerval Zanella wrote:
> To avoid any environment variable to change setuid binaries
> semantics.
> 
> Checked on x86_64-linux-gnu.
> ---

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

>   elf/rtld.c                  | 8 ++++++--
>   elf/tst-env-setuid.c        | 4 ++--
>   sysdeps/generic/unsecvars.h | 2 ++
>   3 files changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/elf/rtld.c b/elf/rtld.c
> index d1017ba9e9..cfba30eba0 100644
> --- a/elf/rtld.c
> +++ b/elf/rtld.c
> @@ -2598,12 +2598,14 @@ process_envvars (struct dl_main_state *state)
>   
>   	case 8:
>   	  /* Do we bind early?  */
> -	  if (memcmp (envline, "BIND_NOW", 8) == 0)
> +	  if (!__libc_enable_secure
> +	      && memcmp (envline, "BIND_NOW", 8) == 0)
>   	    {
>   	      GLRO(dl_lazy) = envline[9] == '\0';
>   	      break;
>   	    }
> -	  if (memcmp (envline, "BIND_NOT", 8) == 0)
> +	  if (! __libc_enable_secure
> +	      && memcmp (envline, "BIND_NOT", 8) == 0)
>   	    GLRO(dl_bind_not) = envline[9] != '\0';
>   	  break;
>   
> @@ -2680,6 +2682,8 @@ process_envvars (struct dl_main_state *state)
>   
>         if (GLRO(dl_debug_mask) != 0
>   	  || GLRO(dl_verbose) != 0
> +	  || GLRO(dl_lazy) != 1
> +	  || GLRO(dl_bind_not) != 0
>   	  || state->mode != rtld_mode_normal
>   	  || state->version_info)
>   	_exit (5);
> diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c
> index dcf213a4cd..eb9613d717 100644
> --- a/elf/tst-env-setuid.c
> +++ b/elf/tst-env-setuid.c
> @@ -61,12 +61,12 @@ static const struct envvar_t filtered_envvars[] =
>     { "RES_OPTIONS",             FILTERED_VALUE },
>     { "LD_DEBUG",                "all" },
>     { "LD_DEBUG_OUTPUT",         "/tmp/some-file" },
> +  { "LD_BIND_NOW",             "0" },
> +  { "LD_BIND_NOT",             "1" },
>   };
>   
>   static const struct envvar_t unfiltered_envvars[] =
>   {
> -  { "LD_BIND_NOW",             "0" },
> -  { "LD_BIND_NOT",             "1" },
>     /* Non longer supported option.  */
>     { "LD_ASSUME_KERNEL",        UNFILTERED_VALUE },
>   };
> diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
> index f7ebed60e5..c71b70ed95 100644
> --- a/sysdeps/generic/unsecvars.h
> +++ b/sysdeps/generic/unsecvars.h
> @@ -7,6 +7,8 @@
>     "GLIBC_TUNABLES\0"							      \
>     "HOSTALIASES\0"							      \
>     "LD_AUDIT\0"								      \
> +  "LD_BIND_NOT\0"							      \
> +  "LD_BIND_NOW\0"							      \
>     "LD_DEBUG\0"								      \
>     "LD_DEBUG_OUTPUT\0"							      \
>     "LD_DYNAMIC_WEAK\0"							      \
  

Patch

diff --git a/elf/rtld.c b/elf/rtld.c
index d1017ba9e9..cfba30eba0 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2598,12 +2598,14 @@  process_envvars (struct dl_main_state *state)
 
 	case 8:
 	  /* Do we bind early?  */
-	  if (memcmp (envline, "BIND_NOW", 8) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "BIND_NOW", 8) == 0)
 	    {
 	      GLRO(dl_lazy) = envline[9] == '\0';
 	      break;
 	    }
-	  if (memcmp (envline, "BIND_NOT", 8) == 0)
+	  if (! __libc_enable_secure
+	      && memcmp (envline, "BIND_NOT", 8) == 0)
 	    GLRO(dl_bind_not) = envline[9] != '\0';
 	  break;
 
@@ -2680,6 +2682,8 @@  process_envvars (struct dl_main_state *state)
 
       if (GLRO(dl_debug_mask) != 0
 	  || GLRO(dl_verbose) != 0
+	  || GLRO(dl_lazy) != 1
+	  || GLRO(dl_bind_not) != 0
 	  || state->mode != rtld_mode_normal
 	  || state->version_info)
 	_exit (5);
diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c
index dcf213a4cd..eb9613d717 100644
--- a/elf/tst-env-setuid.c
+++ b/elf/tst-env-setuid.c
@@ -61,12 +61,12 @@  static const struct envvar_t filtered_envvars[] =
   { "RES_OPTIONS",             FILTERED_VALUE },
   { "LD_DEBUG",                "all" },
   { "LD_DEBUG_OUTPUT",         "/tmp/some-file" },
+  { "LD_BIND_NOW",             "0" },
+  { "LD_BIND_NOT",             "1" },
 };
 
 static const struct envvar_t unfiltered_envvars[] =
 {
-  { "LD_BIND_NOW",             "0" },
-  { "LD_BIND_NOT",             "1" },
   /* Non longer supported option.  */
   { "LD_ASSUME_KERNEL",        UNFILTERED_VALUE },
 };
diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
index f7ebed60e5..c71b70ed95 100644
--- a/sysdeps/generic/unsecvars.h
+++ b/sysdeps/generic/unsecvars.h
@@ -7,6 +7,8 @@ 
   "GLIBC_TUNABLES\0"							      \
   "HOSTALIASES\0"							      \
   "LD_AUDIT\0"								      \
+  "LD_BIND_NOT\0"							      \
+  "LD_BIND_NOW\0"							      \
   "LD_DEBUG\0"								      \
   "LD_DEBUG_OUTPUT\0"							      \
   "LD_DYNAMIC_WEAK\0"							      \