From patchwork Thu Oct 9 23:19:03 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joseph Myers X-Patchwork-Id: 3184 Received: (qmail 9423 invoked by alias); 9 Oct 2014 23:19:12 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 9407 invoked by uid 89); 9 Oct 2014 23:19:12 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.9 required=5.0 tests=AWL, BAYES_00 autolearn=ham version=3.3.2 X-HELO: relay1.mentorg.com Date: Thu, 9 Oct 2014 23:19:03 +0000 
From: "Joseph S. Myers" To: Subject: Don't use INTVARDEF/INTUSE with __libc_enable_secure (bug 14132) Message-ID: MIME-Version: 1.0 Continuing the removal of the obsolete INTDEF / INTVARDEF / INTUSE mechanism, this patch replaces its use for __libc_enable_secure with the use of rtld_hidden_data_def and rtld_hidden_proto. Tested for x86_64 that installed stripped shared libraries are unchanged by the patch. 2014-10-09 Joseph Myers [BZ #14132] * elf/dl-sysdep.c (__libc_enable_secure): Use rtld_hidden_data_def instead of INTVARDEF. (_dl_sysdep_start): Do not use INTUSE with __libc_enable_secure. * sysdeps/mach/hurd/dl-sysdep.c (__libc_enable_secure): Use rtld_hidden_data_def instead of INTVARDEF. (_dl_sysdep_start): Do not use INTUSE with __libc_enable_secure. * elf/dl-deps.c (expand_dst): Likewise. * elf/dl-load.c (_dl_dst_count): Likewise. (_dl_dst_substitute): Likewise. (decompose_rpath): Likewise. (_dl_init_paths): Likewise. (open_path): Likewise. (_dl_map_object): Likewise. * elf/rtld.c (dl_main): Likewise. (process_dl_audit): Likewise. (process_envvars): Likewise. * include/unistd.h [IS_IN_rtld] (__libc_enable_secure_internal): Remove declaration. (__libc_enable_secure): Use rtld_hidden_proto. diff --git a/elf/dl-deps.c b/elf/dl-deps.c index f66b266..b34039c 100644 --- a/elf/dl-deps.c +++ b/elf/dl-deps.c @@ -108,7 +108,7 @@ struct list char *__newp; \ \ /* DST must not appear in SUID/SGID programs. */ \ - if (INTUSE(__libc_enable_secure)) \ + if (__libc_enable_secure) \ _dl_signal_error (0, __str, NULL, N_("\ DST not allowed in SUID/SGID programs")); \ \ diff --git a/elf/dl-load.c b/elf/dl-load.c index fde7137..9dd40e3 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c 
@@ -262,7 +262,7 @@ _dl_dst_count (const char *name, int is_path) is $ORIGIN alone) and it must always appear first in path. */ ++name; if ((len = is_dst (start, name, "ORIGIN", is_path, - INTUSE(__libc_enable_secure))) != 0 + __libc_enable_secure)) != 0 || (len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0 || (len = is_dst (start, name, "LIB", is_path, 0)) != 0) ++cnt; @@ -298,10 +298,10 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result, ++name; if ((len = is_dst (start, name, "ORIGIN", is_path, - INTUSE(__libc_enable_secure))) != 0) + __libc_enable_secure)) != 0) { repl = l->l_origin; - check_for_trusted = (INTUSE(__libc_enable_secure) + check_for_trusted = (__libc_enable_secure && l->l_type == lt_executable); } else if ((len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0) @@ -563,7 +563,7 @@ decompose_rpath (struct r_search_path_struct *sps, /* First see whether we must forget the RUNPATH and RPATH from this object. */ if (__glibc_unlikely (GLRO(dl_inhibit_rpath) != NULL) - && !INTUSE(__libc_enable_secure)) + && !__libc_enable_secure) { const char *inhp = GLRO(dl_inhibit_rpath); @@ -828,7 +828,7 @@ _dl_init_paths (const char *llp) } (void) fillin_rpath (llp_tmp, env_path_list.dirs, ":;", - INTUSE(__libc_enable_secure), "LD_LIBRARY_PATH", + __libc_enable_secure, "LD_LIBRARY_PATH", NULL, l); if (env_path_list.dirs[0] == NULL) @@ -1842,7 +1842,7 @@ open_path (const char *name, size_t namelen, int mode, here_any |= this_dir->status[cnt] != nonexisting; if (fd != -1 && __glibc_unlikely (mode & __RTLD_SECURE) - && INTUSE(__libc_enable_secure)) + && __libc_enable_secure) { /* This is an extra security effort to make sure nobody can preload broken shared objects which are in the trusted 
@@ -2054,7 +2054,7 @@ _dl_map_object (struct link_map *loader, const char *name, #ifdef USE_LDCONFIG if (fd == -1 && (__glibc_likely ((mode & __RTLD_SECURE) == 0) - || ! INTUSE(__libc_enable_secure)) + || ! __libc_enable_secure) && __glibc_likely (GLRO(dl_inhibit_cache) == 0)) { /* Check the list of libraries in the file /etc/ld.so.cache, diff --git a/elf/dl-sysdep.c b/elf/dl-sysdep.c index d8cdb7e..d1a2bd2 100644 --- a/elf/dl-sysdep.c +++ b/elf/dl-sysdep.c @@ -54,7 +54,7 @@ extern void __libc_check_standard_fds (void); ElfW(Addr) _dl_base_addr; #endif int __libc_enable_secure attribute_relro = 0; -INTVARDEF(__libc_enable_secure) +rtld_hidden_data_def (__libc_enable_secure) int __libc_multiple_libcs = 0; /* Defining this here avoids the inclusion of init-first. */ /* This variable contains the lowest stack address ever used. */ @@ -148,7 +148,7 @@ _dl_sysdep_start (void **start_argptr, #ifndef HAVE_AUX_SECURE seen = -1; #endif - INTUSE(__libc_enable_secure) = av->a_un.a_val; + __libc_enable_secure = av->a_un.a_val; break; case AT_PLATFORM: GLRO(dl_platform) = (void *) av->a_un.a_val; @@ -199,7 +199,7 @@ _dl_sysdep_start (void **start_argptr, /* If one of the two pairs of IDs does not match this is a setuid or setgid run. */ - INTUSE(__libc_enable_secure) = uid | gid; + __libc_enable_secure = uid | gid; } #endif @@ -243,7 +243,7 @@ _dl_sysdep_start (void **start_argptr, /* If this is a SUID program we make sure that FDs 0, 1, and 2 are allocated. If necessary we are doing it ourself. If it is not possible we stop the program. */ - if (__builtin_expect (INTUSE(__libc_enable_secure), 0)) + if (__builtin_expect (__libc_enable_secure, 0)) __libc_check_standard_fds (); (*dl_main) (phdr, phnum, &user_entry, GLRO(dl_auxv)); diff --git a/elf/rtld.c b/elf/rtld.c index d5cace8..d5e007f 100644 --- a/elf/rtld.c +++ b/elf/rtld.c 
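Review bot: In elf/dl-sysdep.c (hunk at -148), `__libc_enable_secure = av->a_un.a_val;` stores an auxiliary-vector value directly into a variable that the hunk at -54 defines as `int`. If `a_un.a_val` is wider than `int` on some target (its type is not visible here), a non-zero value with only high bits set would be stored as 0, which is the non-secure state. Every use touched by this patch tests the flag only for truth, so normalising at the store, `__libc_enable_secure = av->a_un.a_val != 0;`, would make the fail-closed behaviour independent of the value's width. The same applies to `__libc_enable_secure = uid | gid;` in the hunk at -199. Either change alters generated code, so it belongs in a follow-up rather than in this no-binary-change patch; `_dl_sysdep_start` continues outside both hunks.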
@@ -1498,7 +1498,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", /* Prevent optimizing strsep. Speed is not important here. */ while ((p = (strsep) (&list, " :")) != NULL) if (p[0] != '\0' - && (__builtin_expect (! INTUSE(__libc_enable_secure), 1) + && (__builtin_expect (! __libc_enable_secure, 1) || strchr (p, '/') == NULL)) npreloads += do_preload (p, main_map, "LD_PRELOAD"); @@ -2318,7 +2318,7 @@ process_dl_audit (char *str) while ((p = (strsep) (&str, ":")) != NULL) if (p[0] != '\0' - && (__builtin_expect (! INTUSE(__libc_enable_secure), 1) + && (__builtin_expect (! __libc_enable_secure, 1) || strchr (p, '/') == NULL)) { /* This is using the local malloc, not the system malloc. The @@ -2352,7 +2352,7 @@ process_envvars (enum mode *modep) /* This is the default place for profiling data file. */ GLRO(dl_profile_output) - = &"/var/tmp\0/var/profile"[INTUSE(__libc_enable_secure) ? 9 : 0]; + = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0]; while ((envline = _dl_next_ld_env_entry (&runp)) != NULL) { @@ -2420,7 +2420,7 @@ process_envvars (enum mode *modep) case 9: /* Test whether we want to see the content of the auxiliary array passed up from the kernel. */ - if (!INTUSE(__libc_enable_secure) + if (!__libc_enable_secure && memcmp (envline, "SHOW_AUXV", 9) == 0) _dl_show_auxv (); break; @@ -2434,7 +2434,7 @@ process_envvars (enum mode *modep) case 11: /* Path where the binary is found. */ - if (!INTUSE(__libc_enable_secure) + if (!__libc_enable_secure && memcmp (envline, "ORIGIN_PATH", 11) == 0) GLRO(dl_origin_path) = &envline[12]; break; @@ -2454,7 +2454,7 @@ process_envvars (enum mode *modep) break; } - if (!INTUSE(__libc_enable_secure) + if (!__libc_enable_secure && memcmp (envline, "DYNAMIC_WEAK", 12) == 0) GLRO(dl_dynamic_weak) = 1; break; 
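Review bot: The secure-mode name filter `p[0] != '\0' && (__builtin_expect (! __libc_enable_secure, 1) || strchr (p, '/') == NULL)` is written out twice in elf/rtld.c, once in the `LD_PRELOAD` loop (hunk at -1498) and again in `process_dl_audit` (hunk at -2318). It decides which entries are accepted when the process runs in secure mode, so the two copies should not be able to drift apart. A small static predicate defined next to them and called from both loops would keep them in step. If the copies stay, a comment on each such as `/* In secure mode skip any entry that contains a '/'. */` would record the intent. Both loops sit in functions that start and end outside the hunks.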
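Review bot: The index `9` in `&"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0]` (hunk at -2352) is unexplained. It is the offset just past the embedded NUL, so secure mode defaults the profiling output to `/var/profile` and normal mode to `/var/tmp`. A comment such as `/* Offset 9 skips "/var/tmp\0": secure processes default to /var/profile. */` would stop a later edit of the first path from silently shifting the secure-mode default. `process_envvars` continues outside the hunk.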
@@ -2465,7 +2465,7 @@ process_envvars (enum mode *modep) #ifdef EXTRA_LD_ENVVARS_13 EXTRA_LD_ENVVARS_13 #endif - if (!INTUSE(__libc_enable_secure) + if (!__libc_enable_secure && memcmp (envline, "USE_LOAD_BIAS", 13) == 0) { GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0; @@ -2478,7 +2478,7 @@ process_envvars (enum mode *modep) case 14: /* Where to place the profiling data file. */ - if (!INTUSE(__libc_enable_secure) + if (!__libc_enable_secure && memcmp (envline, "PROFILE_OUTPUT", 14) == 0 && envline[15] != '\0') GLRO(dl_profile_output) = &envline[15]; @@ -2516,7 +2516,7 @@ process_envvars (enum mode *modep) /* Extra security for SUID binaries. Remove all dangerous environment variables. */ - if (__builtin_expect (INTUSE(__libc_enable_secure), 0)) + if (__builtin_expect (__libc_enable_secure, 0)) { static const char unsecure_envvars[] = #ifdef EXTRA_UNSECURE_ENVVARS diff --git a/include/unistd.h b/include/unistd.h index 5a016b1..762acc0 100644 --- a/include/unistd.h +++ b/include/unistd.h @@ -151,10 +151,7 @@ libc_hidden_proto (__sbrk) environment variables that normally affect them. */ extern int __libc_enable_secure attribute_relro; extern int __libc_enable_secure_decided; -#ifdef IS_IN_rtld -/* XXX The #ifdef should go. */ -extern int __libc_enable_secure_internal attribute_relro attribute_hidden; -#endif +rtld_hidden_proto (__libc_enable_secure) /* Various internal function. */ diff --git a/sysdeps/mach/hurd/dl-sysdep.c b/sysdeps/mach/hurd/dl-sysdep.c index 7f79d1a..5de3857 100644 --- a/sysdeps/mach/hurd/dl-sysdep.c +++ b/sysdeps/mach/hurd/dl-sysdep.c @@ -51,7 +51,7 @@ extern char **_dl_argv; extern char **_environ; int __libc_enable_secure = 0; -INTVARDEF(__libc_enable_secure) +rtld_hidden_data_def (__libc_enable_secure) int __libc_multiple_libcs = 0; /* Defining this here avoids the inclusion of init-first. */ /* This variable contains the lowest stack address ever used. */ 
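Review bot: In sysdeps/mach/hurd/dl-sysdep.c (hunk at -51), the context line `int __libc_enable_secure = 0;` carries no `attribute_relro`, while the definition in elf/dl-sysdep.c and the declaration in include/unistd.h both do. Unless the attribute is inherited from the header declaration in this file, the flag may not be placed with the data that becomes read-only after relocation on Hurd. Since the patch already edits the adjacent line, consider `int __libc_enable_secure attribute_relro = 0;` here, or a comment saying why the Hurd definition differs.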
@@ -140,7 +140,7 @@ _dl_sysdep_start (void **start_argptr, else _dl_hurd_data = (void *) p; - INTUSE(__libc_enable_secure) = _dl_hurd_data->flags & EXEC_SECURE; + __libc_enable_secure = _dl_hurd_data->flags & EXEC_SECURE; if (_dl_hurd_data->flags & EXEC_STACK_ARGS && _dl_hurd_data->user_entry == 0) @@ -220,7 +220,7 @@ unfmh(); /* XXX */ environment list. We use memmove, since the locations might overlap. */ - if (INTUSE(__libc_enable_secure) || _dl_skip_args) + if (__libc_enable_secure || _dl_skip_args) { char **newp;