[RFC,5/5] elf: Add support to memory sealing for audit modules

Message ID 20240611153220.165430-6-adhemerval.zanella@linaro.org (mailing list archive)
State Superseded
Headers
Series Add support for memory sealing |

Checks

Context Check Description
redhat-pt-bot/TryBot-apply_patch success Patch applied to master at the time it was sent
redhat-pt-bot/TryBot-32bit success Build for i686
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64 success Test passed
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64 success Test passed
linaro-tcwg-bot/tcwg_glibc_build--master-arm success Test passed
linaro-tcwg-bot/tcwg_glibc_check--master-arm fail Test failed

Commit Message

Adhemerval Zanella June 11, 2024, 3:27 p.m. UTC
  The memory sealing is done after library loading and sanity check
since an inexistent or wrong la_version might unload the library.

Checked on x86_64-linux-gnu and aarch64-linux-gnu.
---
 elf/rtld.c                                    |  4 ++++
 manual/tunables.texi                          |  3 +++
 sysdeps/unix/sysv/linux/Makefile              |  2 ++
 .../unix/sysv/linux/tst-dl_mseal-auditmod.c   | 23 +++++++++++++++++++
 sysdeps/unix/sysv/linux/tst-dl_mseal.c        |  7 ++++--
 5 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c
  

Patch

diff --git a/elf/rtld.c b/elf/rtld.c
index 174389e205..62ad1272a4 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -1044,6 +1044,10 @@  ERROR: audit interface '%s' requires version %d (maximum supported version %d);
 
   /* Mark the DSO as being used for auditing.  */
   dlmargs.map->l_auditing = 1;
+
+  /* Seal the audit modules and their dependencies.  */
+  dlmargs.map->l_seal = lt_seal_toseal;
+  _dl_mseal_map (dlmargs.map, true);
 }
 
 /* Load all audit modules.  */
diff --git a/manual/tunables.texi b/manual/tunables.texi
index be36d52cf9..63445d74c2 100644
--- a/manual/tunables.texi
+++ b/manual/tunables.texi
@@ -385,6 +385,9 @@  Any library loaded with @code{dlopen} with @code{RTLD_NODELETE} flag.
 @item
 Any runtime library used for process unwind (such as required by @code{backtrace}
 or @code{pthread_exit}).
+
+@item
+All audit modules and their dependencies.
 @end itemize
 
 The tunable accepts three diferent values: @samp{0} where sealing is disabled,
diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
index 922511b4a1..f11aff84f5 100644
--- a/sysdeps/unix/sysv/linux/Makefile
+++ b/sysdeps/unix/sysv/linux/Makefile
@@ -656,9 +656,11 @@  modules-names += \
   lib-tst-dl_mseal-dlopen-2 \
   lib-tst-dl_mseal-dlopen-2-1 \
   lib-tst-dl_mseal-preload \
+  tst-dl_mseal-auditmod \
   # modules-names
 
 $(objpfx)tst-dl_mseal.out: \
+  $(objpfx)tst-dl_mseal-auditmod.so \
   $(objpfx)lib-tst-dl_mseal-preload.so \
   $(objpfx)lib-tst-dl_mseal-1.so \
   $(objpfx)lib-tst-dl_mseal-2.so \
diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c b/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c
new file mode 100644
index 0000000000..d909a1561c
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c
@@ -0,0 +1,23 @@ 
+/* Audit module for tst-dl_mseal test.
+   Copyright (C) 2024 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+unsigned int
+la_version (unsigned int v)
+{
+  return v;
+}
diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal.c b/sysdeps/unix/sysv/linux/tst-dl_mseal.c
index da1a3ebe5a..ac60d7342a 100644
--- a/sysdeps/unix/sysv/linux/tst-dl_mseal.c
+++ b/sysdeps/unix/sysv/linux/tst-dl_mseal.c
@@ -35,6 +35,7 @@ 
 #include <support/xthread.h>
 
 #define LIB_PRELOAD              "lib-tst-dl_mseal-preload.so"
+#define LIB_AUDIT                "tst-dl_mseal-auditmod.so"
 
 #define LIB_NEEDED_1             "lib-tst-dl_mseal-1.so"
 #define LIB_NEEDED_2             "lib-tst-dl_mseal-2.so"
@@ -68,6 +69,7 @@  static const char *expected_sealed_libs[] =
   "ld.so",
   "tst-dl_mseal",
   LIB_PRELOAD,
+  LIB_AUDIT,
   LIB_NEEDED_1,
   LIB_NEEDED_2,
   LIB_DLOPEN_NODELETE,
@@ -247,11 +249,12 @@  do_test (int argc, char *argv[])
   spargv[i++] = (char *) "--restart";
   spargv[i] = NULL;
 
-  char *envvarss[3];
+  char *envvarss[4];
   envvarss[0] = (char *) "GLIBC_TUNABLES=glibc.rtld.seal=2";
 #ifndef TEST_STATIC
   envvarss[1] = (char *) "LD_PRELOAD=" LIB_PRELOAD;
-  envvarss[2] = NULL;
+  envvarss[2] = (char *) "LD_AUDIT=" LIB_AUDIT,
+  envvarss[3] = NULL;
 #else
   envvarss[1] = NULL;
 #endif