public inbox for glibc-bugs@sourceware.org
From: "stsp at users dot sourceforge.net" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/30134] DT_AUDIT is ignored for dlopen()ed solib
Date: Mon, 20 Feb 2023 11:50:51 +0000
Message-ID: <bug-30134-131-qhOriIUpv5@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-30134-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=30134

--- Comment #5 from Stas Sergeev <stsp at users dot sourceforge.net> ---
(In reply to Florian Weimer from comment #4)
> Maybe in theory, but it's not how the current implementation is structured.
> It depends on an auditing flag in RELRO memory for hardening, so that the
> auditing (function) pointers cannot be overwritten if the process did not
> start with auditing enabled.

Yes, I already "noticed" that.
That's why my dlload_audit_module() patch is still not posted. :(
But it will be posted sooner or later.
Yes, I realize it may be rejected because it moves the audit list to rw
space, but what should I do if I need that patch...
Do you have any suggestion in that area while I am still polishing it?

> We would also have to figure out all the small corner cases and work out
> what to do for them. For example, auditing is currently a process-global
> operation, and the auditing modules are never unloaded after being created.
> Adding dlopen support might change that: auditing could perhaps be
> restricted to the local search scope, and dlclose might unload the auditor
> as well. Or not, it's hard to tell without some exploration.

Yes, closing the module that had DT_AUDIT looks like a good place to unload
the audit module as well, unless some other solib also had the same
DT_AUDIT. So perhaps that would need a refcount.

> We also have hard limits on the number of auditors. The explicit one
> (namespace count) is perhaps somewhat easy to overcome, but there is also
> the static TLS space consumption by new auditing namespaces.

I am yet to understand why every audit module needs a new NS.
Wouldn't it be possible to use one separate NS for all audit modules?

-- 
You are receiving this mail because:
You are on the CC list for the bug.