* [glibc/azanella/tunables] elf: Make all malloc tunables SXID_ERASE
@ 2023-10-06 14:28 Adhemerval Zanella
  0 siblings, 0 replies; 2+ messages in thread
From: Adhemerval Zanella @ 2023-10-06 14:28 UTC (permalink / raw)
  To: glibc-cvs

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=38a66626230b78963bf21496ea72a682d8ee8d47

commit 38a66626230b78963bf21496ea72a682d8ee8d47
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Thu Oct 5 10:03:15 2023 -0300

    elf: Make all malloc tunables SXID_ERASE
    
    The malloc tunables were made SXID_IGNORE to mimic the environment
    variables they aliased, in order to maintain compatibility.  This
    allowed alteration of allocator behaviour across setuid boundaries,
    where a setuid program may ignore the tunable but its non-setuid child
    can read it and adjust allocator behaviour accordingly.
    
    It's not clear how useful this misfeature is; most library behaviour
    tuning is limited to the current process and does not bleed in scope
    like this.  If behaviour change across privilege boundaries is
    desirable, it should be done with a wrapper program around the
    non-setuid child that sets these envvars, instead of using the setuid
    process as the messenger.  In future, maybe systemwide tunables could
    allow setting tunable values across privilege boundaries.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

Diff:
---
 elf/dl-tunables.list          | 12 +++---------
 elf/tst-env-setuid-tunables.c | 25 ++-----------------------
 elf/tst-env-setuid.c          |  4 ++--
 sysdeps/generic/unsecvars.h   |  7 +++++++
 4 files changed, 14 insertions(+), 34 deletions(-)

diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
index 695ba7192e..42d8ffd06d 100644
--- a/elf/dl-tunables.list
+++ b/elf/dl-tunables.list
@@ -22,7 +22,9 @@
 # maxval: Optional maximum acceptable value
 # env_alias: An alias environment variable
 # security_level: Specify security level of the tunable for AT_SECURE binaries.
-# 		  Valid values are:
+# 		  Valid values are as follows. There must be a strong, well
+# 		  documented reason for a tunable to be marked SXID_IGNORE or
+# 		  SXID_NONE:
 #
 # 	     SXID_ERASE: (default) Do not read and do not pass on to
 # 	     child processes.
@@ -41,7 +43,6 @@ glibc {
     top_pad {
       type: SIZE_T
       env_alias: MALLOC_TOP_PAD_
-      security_level: SXID_IGNORE
       default: 131072
     }
     perturb {
@@ -49,35 +50,29 @@ glibc {
       minval: 0
       maxval: 0xff
       env_alias: MALLOC_PERTURB_
-      security_level: SXID_IGNORE
     }
     mmap_threshold {
       type: SIZE_T
       env_alias: MALLOC_MMAP_THRESHOLD_
-      security_level: SXID_IGNORE
     }
     trim_threshold {
       type: SIZE_T
       env_alias: MALLOC_TRIM_THRESHOLD_
-      security_level: SXID_IGNORE
     }
     mmap_max {
       type: INT_32
       env_alias: MALLOC_MMAP_MAX_
-      security_level: SXID_IGNORE
       minval: 0
     }
     arena_max {
       type: SIZE_T
       env_alias: MALLOC_ARENA_MAX
       minval: 1
-      security_level: SXID_IGNORE
     }
     arena_test {
       type: SIZE_T
       env_alias: MALLOC_ARENA_TEST
       minval: 1
-      security_level: SXID_IGNORE
     }
     tcache_max {
       type: SIZE_T
@@ -91,7 +86,6 @@ glibc {
     mxfast {
       type: SIZE_T
       minval: 0
-      security_level: SXID_IGNORE
     }
     hugetlb {
       type: SIZE_T
diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c
index f0b92c97e7..79795cdce7 100644
--- a/elf/tst-env-setuid-tunables.c
+++ b/elf/tst-env-setuid-tunables.c
@@ -60,26 +60,6 @@ const char *teststrings[] =
   "glibc.not_valid.check=2",
 };
 
-const char *resultstrings[] =
-{
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.perturb=0x800",
-  "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
-  "",
-  "",
-  "",
-  "",
-  "",
-  "",
-  "",
-};
-
 static int
 test_child (int off)
 {
@@ -87,12 +67,11 @@ test_child (int off)
 
   printf ("    [%d] GLIBC_TUNABLES is %s\n", off, val);
   fflush (stdout);
-  if (val != NULL && strcmp (val, resultstrings[off]) == 0)
+  if (val != NULL && val[0] == '\0')
     return 0;
 
   if (val != NULL)
-    printf ("    [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
-	    off, val, resultstrings[off]);
+    printf ("    [%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
   else
     printf ("    [%d] GLIBC_TUNABLES environment variable absent\n", off);
 
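Review bot: The new success condition `val != NULL && val[0] == '\0'` no longer depends on `off`, and nothing in the hunk says why an empty string is the expected result for every entry of `teststrings`. A comment above the check would record the intent, for example `/* Every tunable in teststrings must be erased, so the child sees an empty GLIBC_TUNABLES.  */` (wording to be confirmed against the filter's actual behaviour for the invalid entries). Separately, the context line that prints `GLIBC_TUNABLES is %s` passes `val` to `%s` before any NULL check, which relies on the C library printing `(null)`; moving that print below the NULL test would make the absent case explicit. test_child starts and ends outside the hunk, and the same hunk is repeated in the second message on this page.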
diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c
index 032ab44be2..100e2c6871 100644
--- a/elf/tst-env-setuid.c
+++ b/elf/tst-env-setuid.c
@@ -46,9 +46,9 @@ test_child (void)
       return 1;
     }
 
-  if (getenv ("MALLOC_MMAP_THRESHOLD_") == NULL)
+  if (getenv ("MALLOC_MMAP_THRESHOLD_") != NULL)
     {
-      printf ("MALLOC_MMAP_THRESHOLD_ lost\n");
+      printf ("MALLOC_MMAP_THRESHOLD_ is still set\n");
       return 1;
     }
 
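Review bot: Only `MALLOC_MMAP_THRESHOLD_` is checked for removal in this hunk, while the same commit adds seven malloc aliases to sysdeps/generic/unsecvars.h. If the part of test_child outside this hunk does not already cover them, a matching check per alias, such as `if (getenv ("MALLOC_ARENA_MAX") != NULL)` followed by a `return 1`, would catch a later regression that drops one name from the filter list. The parent would also need to set each variable before the setuid re-exec, which is not visible here. The same hunk is repeated in the second message on this page.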
diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
index 8278c50a84..ca70e2e989 100644
--- a/sysdeps/generic/unsecvars.h
+++ b/sysdeps/generic/unsecvars.h
@@ -17,7 +17,14 @@
   "LD_SHOW_AUXV\0"							      \
   "LOCALDOMAIN\0"							      \
   "LOCPATH\0"								      \
+  "MALLOC_ARENA_MAX\0"							      \
+  "MALLOC_ARENA_TEST\0"							      \
+  "MALLOC_MMAP_MAX_\0"							      \
+  "MALLOC_MMAP_THRESHOLD_\0"						      \
+  "MALLOC_PERTURB_\0"							      \
+  "MALLOC_TOP_PAD_\0"							      \
   "MALLOC_TRACE\0"							      \
+  "MALLOC_TRIM_THRESHOLD_\0"						      \
   "NIS_PATH\0"								      \
   "NLSPATH\0"								      \
   "RESOLV_HOST_CONF\0"							      \
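Review bot: The alias names added here duplicate the `env_alias:` entries in elf/dl-tunables.list, and nothing in the hunk tells a maintainer that the two lists must stay in step. A comment above the list, such as `/* Keep in sync with the env_alias entries of SXID_ERASE tunables in elf/dl-tunables.list.  */`, would make the coupling visible; a tunable that later gains an alias without an entry here would presumably still be passed on to children of a setuid program. The visible part of the list also has no `MALLOC_CHECK_` entry between `MALLOC_ARENA_TEST` and `MALLOC_MMAP_MAX_`, so it is worth confirming that this alias is filtered by another path. The macro continues outside the hunk, and the same hunk is repeated in the second message on this page.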


* [glibc/azanella/tunables] elf: Make all malloc tunables SXID_ERASE
@ 2023-10-05 13:13 Adhemerval Zanella
  0 siblings, 0 replies; 2+ messages in thread
From: Adhemerval Zanella @ 2023-10-05 13:13 UTC (permalink / raw)
  To: glibc-cvs

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=38a66626230b78963bf21496ea72a682d8ee8d47

commit 38a66626230b78963bf21496ea72a682d8ee8d47
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Thu Oct 5 10:03:15 2023 -0300

    elf: Make all malloc tunables SXID_ERASE
    
    The malloc tunables were made SXID_IGNORE to mimic the environment
    variables they aliased, in order to maintain compatibility.  This
    allowed alteration of allocator behaviour across setuid boundaries,
    where a setuid program may ignore the tunable but its non-setuid child
    can read it and adjust allocator behaviour accordingly.
    
    It's not clear how useful this misfeature is; most library behaviour
    tuning is limited to the current process and does not bleed in scope
    like this.  If behaviour change across privilege boundaries is
    desirable, it should be done with a wrapper program around the
    non-setuid child that sets these envvars, instead of using the setuid
    process as the messenger.  In future, maybe systemwide tunables could
    allow setting tunable values across privilege boundaries.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

Diff:
---
 elf/dl-tunables.list          | 12 +++---------
 elf/tst-env-setuid-tunables.c | 25 ++-----------------------
 elf/tst-env-setuid.c          |  4 ++--
 sysdeps/generic/unsecvars.h   |  7 +++++++
 4 files changed, 14 insertions(+), 34 deletions(-)

diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
index 695ba7192e..42d8ffd06d 100644
--- a/elf/dl-tunables.list
+++ b/elf/dl-tunables.list
@@ -22,7 +22,9 @@
 # maxval: Optional maximum acceptable value
 # env_alias: An alias environment variable
 # security_level: Specify security level of the tunable for AT_SECURE binaries.
-# 		  Valid values are:
+# 		  Valid values are as follows. There must be a strong, well
+# 		  documented reason for a tunable to be marked SXID_IGNORE or
+# 		  SXID_NONE:
 #
 # 	     SXID_ERASE: (default) Do not read and do not pass on to
 # 	     child processes.
@@ -41,7 +43,6 @@ glibc {
     top_pad {
       type: SIZE_T
       env_alias: MALLOC_TOP_PAD_
-      security_level: SXID_IGNORE
       default: 131072
     }
     perturb {
@@ -49,35 +50,29 @@ glibc {
       minval: 0
       maxval: 0xff
       env_alias: MALLOC_PERTURB_
-      security_level: SXID_IGNORE
     }
     mmap_threshold {
       type: SIZE_T
       env_alias: MALLOC_MMAP_THRESHOLD_
-      security_level: SXID_IGNORE
     }
     trim_threshold {
       type: SIZE_T
       env_alias: MALLOC_TRIM_THRESHOLD_
-      security_level: SXID_IGNORE
     }
     mmap_max {
       type: INT_32
       env_alias: MALLOC_MMAP_MAX_
-      security_level: SXID_IGNORE
       minval: 0
     }
     arena_max {
       type: SIZE_T
       env_alias: MALLOC_ARENA_MAX
       minval: 1
-      security_level: SXID_IGNORE
     }
     arena_test {
       type: SIZE_T
       env_alias: MALLOC_ARENA_TEST
       minval: 1
-      security_level: SXID_IGNORE
     }
     tcache_max {
       type: SIZE_T
@@ -91,7 +86,6 @@ glibc {
     mxfast {
       type: SIZE_T
       minval: 0
-      security_level: SXID_IGNORE
     }
     hugetlb {
       type: SIZE_T
diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c
index f0b92c97e7..79795cdce7 100644
--- a/elf/tst-env-setuid-tunables.c
+++ b/elf/tst-env-setuid-tunables.c
@@ -60,26 +60,6 @@ const char *teststrings[] =
   "glibc.not_valid.check=2",
 };
 
-const char *resultstrings[] =
-{
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.perturb=0x800",
-  "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=4096",
-  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
-  "",
-  "",
-  "",
-  "",
-  "",
-  "",
-  "",
-};
-
 static int
 test_child (int off)
 {
@@ -87,12 +67,11 @@ test_child (int off)
 
   printf ("    [%d] GLIBC_TUNABLES is %s\n", off, val);
   fflush (stdout);
-  if (val != NULL && strcmp (val, resultstrings[off]) == 0)
+  if (val != NULL && val[0] == '\0')
     return 0;
 
   if (val != NULL)
-    printf ("    [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
-	    off, val, resultstrings[off]);
+    printf ("    [%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
   else
     printf ("    [%d] GLIBC_TUNABLES environment variable absent\n", off);
 
diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c
index 032ab44be2..100e2c6871 100644
--- a/elf/tst-env-setuid.c
+++ b/elf/tst-env-setuid.c
@@ -46,9 +46,9 @@ test_child (void)
       return 1;
     }
 
-  if (getenv ("MALLOC_MMAP_THRESHOLD_") == NULL)
+  if (getenv ("MALLOC_MMAP_THRESHOLD_") != NULL)
     {
-      printf ("MALLOC_MMAP_THRESHOLD_ lost\n");
+      printf ("MALLOC_MMAP_THRESHOLD_ is still set\n");
       return 1;
     }
 
diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
index 8278c50a84..ca70e2e989 100644
--- a/sysdeps/generic/unsecvars.h
+++ b/sysdeps/generic/unsecvars.h
@@ -17,7 +17,14 @@
   "LD_SHOW_AUXV\0"							      \
   "LOCALDOMAIN\0"							      \
   "LOCPATH\0"								      \
+  "MALLOC_ARENA_MAX\0"							      \
+  "MALLOC_ARENA_TEST\0"							      \
+  "MALLOC_MMAP_MAX_\0"							      \
+  "MALLOC_MMAP_THRESHOLD_\0"						      \
+  "MALLOC_PERTURB_\0"							      \
+  "MALLOC_TOP_PAD_\0"							      \
   "MALLOC_TRACE\0"							      \
+  "MALLOC_TRIM_THRESHOLD_\0"						      \
   "NIS_PATH\0"								      \
   "NLSPATH\0"								      \
   "RESOLV_HOST_CONF\0"							      \
