[Bug dynamic-link/30127] [rfe]: enable ld audit at run-time

["janderson at rice dot edu" <sourceware-bugzilla@sourceware.org>]

https://sourceware.org/bugzilla/show_bug.cgi?id=30127

--- Comment #21 from Jonathon Anderson <janderson at rice dot edu> ---
(In reply to Stas Sergeev from comment #19)
> (In reply to Jonathon Anderson from comment #18)
> > void la_preinit(uintptr_t* cookie) {
> >   void* h = dlmopen(LM_ID_BASE, NULL, RTLD_LAZY | RTLD_NOLOAD);
> >   void (*hook)() = dlsym(h, "_auditor_hook");
> >   hook(...);
> > }
> 
> Well, yes, auditor_hook is a viable
> solution perhaps in some cases. Though
> in my case the auditor is brought in with
> a solib plugin, not with the main application.
> And currently DT_AUDIT is not supported for
> solibs, see #30134.
> And even if #30134 is fixed, will you be
> able to resolve the auditor hook with
> LM_ID_BASE if it is in an RTLD_LOCAL solib
> rather than in a main executable?
> I think not, so the scope of your solution
> is quite limited.

Assuming you can get an auditor into the process (LD_AUDIT env var), if you can
identify the solib from it's loaded path, you can (recursively) load the solib
during the la_objopen callback and access the auditor hook that way:

unsigned int la_objopen(struct link_map* m, Lmid_t lmid, uintptr_t* cookie) {
  if(m->l_name /* ... is the target solib */) {
    void* h = dlmopen(lmid, m->l_name, RTLD_LAZY | RTLD_NOLOAD);
    void (*hook)() = dlsym(h, "_auditor_hook");
    hook();
  }
  return 0;
}

Like most of LD_AUDIT, this isn't a well-tested code path, so be careful and
expect some bugs. For example, don't try this during the later
la_activity(LA_ACT_CONSISTENT) callback, you'll get a glorious crash. :)

> 
> > I'm a bit confused how the proposed interface would provide a better (or
> > alternate) solution to the problem.
> 
> By doing
> void *auditor_handle = dlload_audit_module("my_module", 0);
> void (*auditor_cb)(void) = dlsym(auditor_handle,
> "auditor_control_interface");
> Just as simple as that. :)
> 
> > Echoing a few of Florian's concerns, if
> > you load an auditor after the application has been running for a time, you
> > run a large risk of being passed an unrecognizable cookie (since the
> > la_objopen callbacks are fired before the auditor is loaded).
> 
> Good point, so I'll adjust the patch to
> not call the auditor for the lib for which
> he missed the initial cookie... which doesn't
> look simple. :)
> Oh, will think...
> Thanks!

This still doesn't solve the issue. Expanding a bit: say you load
dlload_audit_module("my_auditor"), then dlopen("libmylib.so") and libmylib.so
binds malloc from libc.so. my_auditor gets an la_objopen call for libmylib.so
but not libc.so. What do you do about the la_symbind callback?:
  - If you send an la_symbind to my_auditor, the defcook will be an
unrecognized cookie.
  - If you skip the call, my_auditor won't be able to intercept malloc (and all
other libc functions). 
  - If you NULL the defcook, my_auditor won't be able to wrap malloc etc. since
it can't (reliably) get the "original" function it would bind to. And it's an
API break, so you need to bump LAV_CURRENT.

There are use cases that don't need la_symbind, e.g. an auditor that records
used libraries or denies access to libraries outside of a "whitelist." But I
also think most (if not all) of those use cases would operate far better as a
global auditor (LD_AUDIT) rather than one dynamically loaded late in the
application. Especially for any security-related purpose.

What is your proposed auditor supposed to do?

-- 
You are receiving this mail because:
You are on the CC list for the bug.