[RFC,5/5] elf: Add support to memory sealing for audit modules
Checks
Context |
Check |
Description |
redhat-pt-bot/TryBot-apply_patch |
success
|
Patch applied to master at the time it was sent
|
redhat-pt-bot/TryBot-32bit |
success
|
Build for i686
|
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64 |
success
|
Test passed
|
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64 |
success
|
Test passed
|
linaro-tcwg-bot/tcwg_glibc_build--master-arm |
success
|
Test passed
|
linaro-tcwg-bot/tcwg_glibc_check--master-arm |
fail
|
Test failed
|
Commit Message
Memory sealing is done after the library has been loaded and sanity-checked,
since a nonexistent or wrong la_version might unload the library.
Checked on x86_64-linux-gnu and aarch64-linux-gnu.
---
elf/rtld.c | 4 ++++
manual/tunables.texi | 3 +++
sysdeps/unix/sysv/linux/Makefile | 2 ++
.../unix/sysv/linux/tst-dl_mseal-auditmod.c | 23 +++++++++++++++++++
sysdeps/unix/sysv/linux/tst-dl_mseal.c | 7 ++++--
5 files changed, 37 insertions(+), 2 deletions(-)
create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c
@@ -1044,6 +1044,10 @@ ERROR: audit interface '%s' requires version %d (maximum supported version %d);
/* Mark the DSO as being used for auditing. */
dlmargs.map->l_auditing = 1;
+
+ /* Seal the audit modules and their dependencies. */
+ dlmargs.map->l_seal = lt_seal_toseal;
+ _dl_mseal_map (dlmargs.map, true);
}
/* Load all audit modules. */
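Review bot: The comment above the new `_dl_mseal_map (dlmargs.map, true);` call does not record the ordering constraint the commit message relies on: sealing has to come after the `la_version` check because the failure paths before it unload the object, and a sealed mapping can no longer be unmapped. I would extend it to something like `/* Seal only after the la_version check: the error paths above unload the map, and a sealed mapping cannot be unmapped. */`. Only `dlmargs.map->l_seal` is set in this hunk, so whether the dependencies named in the comment are actually sealed depends on what the `true` argument makes `_dl_mseal_map` do; that function is defined outside the hunk and is worth confirming. The enclosing function starts outside the hunk.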
@@ -385,6 +385,9 @@ Any library loaded with @code{dlopen} with @code{RTLD_NODELETE} flag.
@item
Any runtime library used for process unwind (such as required by @code{backtrace}
or @code{pthread_exit}).
+
+@item
+All audit modules and their dependencies.
@end itemize
The tunable accepts three diferent values: @samp{0} where sealing is disabled,
@@ -656,9 +656,11 @@ modules-names += \
lib-tst-dl_mseal-dlopen-2 \
lib-tst-dl_mseal-dlopen-2-1 \
lib-tst-dl_mseal-preload \
+ tst-dl_mseal-auditmod \
# modules-names
$(objpfx)tst-dl_mseal.out: \
+ $(objpfx)tst-dl_mseal-auditmod.so \
$(objpfx)lib-tst-dl_mseal-preload.so \
$(objpfx)lib-tst-dl_mseal-1.so \
$(objpfx)lib-tst-dl_mseal-2.so \
new file mode 100644
@@ -0,0 +1,23 @@
+/* Audit module for tst-dl_mseal test.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+unsigned int
+la_version (unsigned int v)
+{
+ return v;
+}
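Review bot: The new module defines `la_version` without including the header that declares the audit interface, so the definition is not checked against the prototype. Adding `#include <link.h>` before the function would let the compiler catch a signature mismatch. A one-line comment such as `/* Accept whatever interface version the loader offers; the module only needs to be loaded so that it can be sealed. */` would also explain why `v` is returned unchanged.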
@@ -35,6 +35,7 @@
#include <support/xthread.h>
#define LIB_PRELOAD "lib-tst-dl_mseal-preload.so"
+#define LIB_AUDIT "tst-dl_mseal-auditmod.so"
#define LIB_NEEDED_1 "lib-tst-dl_mseal-1.so"
#define LIB_NEEDED_2 "lib-tst-dl_mseal-2.so"
@@ -68,6 +69,7 @@ static const char *expected_sealed_libs[] =
"ld.so",
"tst-dl_mseal",
LIB_PRELOAD,
+ LIB_AUDIT,
LIB_NEEDED_1,
LIB_NEEDED_2,
LIB_DLOPEN_NODELETE,
@@ -247,11 +249,12 @@ do_test (int argc, char *argv[])
spargv[i++] = (char *) "--restart";
spargv[i] = NULL;
- char *envvarss[3];
+ char *envvarss[4];
envvarss[0] = (char *) "GLIBC_TUNABLES=glibc.rtld.seal=2";
#ifndef TEST_STATIC
envvarss[1] = (char *) "LD_PRELOAD=" LIB_PRELOAD;
- envvarss[2] = NULL;
+ envvarss[2] = (char *) "LD_AUDIT=" LIB_AUDIT,
+ envvarss[3] = NULL;
#else
envvarss[1] = NULL;
#endif
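Review bot: The added line `envvarss[2] = (char *) "LD_AUDIT=" LIB_AUDIT,` ends in a comma rather than a semicolon, so it and the following `envvarss[3] = NULL;` are parsed as one comma expression. It happens to behave correctly, but it reads as a typo and should be `envvarss[2] = (char *) "LD_AUDIT=" LIB_AUDIT;`. Separately, the test loads only the audit module itself, while the manual text in this patch says its dependencies are sealed too. Giving the audit module a dependency and listing that library in `expected_sealed_libs` would cover the claim. The body of do_test starts and ends outside the hunk.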