From: Adhemerval Zanella
To: glibc-cvs@sourceware.org
Subject: [glibc/azanella/tunables] elf: Make all malloc tunables SXID_ERASE
X-Act-Checkin: glibc
X-Git-Author: Siddhesh Poyarekar
X-Git-Refname: refs/heads/azanella/tunables
X-Git-Oldrev: a54091b35b5f625bb45c2eb5038670c736ab3f09
X-Git-Newrev: 38a66626230b78963bf21496ea72a682d8ee8d47
Message-Id: <20231006142813.A63A43857020@sourceware.org>
Date: Fri, 6 Oct 2023 14:28:13 +0000 (GMT)
List-Id: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=38a66626230b78963bf21496ea72a682d8ee8d47

commit 38a66626230b78963bf21496ea72a682d8ee8d47
Author: Siddhesh Poyarekar
Date: Thu Oct 5 10:03:15 2023 -0300

    elf: Make all malloc tunables SXID_ERASE

    The malloc tunables were made SXID_IGNORE to mimic the environment
    variables they aliased, in order to maintain compatibility. This
    allowed alteration of allocator behaviour across setuid boundaries,
    where a setuid program may ignore the tunable but its non-setuid child
    can read it and adjust allocator behaviour accordingly.

    It's not clear how useful this misfeature is; most library behaviour
    tuning is limited to the current process and does not bleed in scope
    like this. If behaviour change across privilege boundaries is
    desirable, it should be done with a wrapper program around the
    non-setuid child that sets these envvars, instead of using the setuid
    process as the messenger.

    In future, maybe systemwide tunables could allow setting tunable values
    across privilege boundaries.

    Signed-off-by: Siddhesh Poyarekar

Diff: --- elf/dl-tunables.list | 12 +++--------- elf/tst-env-setuid-tunables.c | 25 ++----------------------- elf/tst-env-setuid.c | 4 ++-- sysdeps/generic/unsecvars.h | 7 +++++++ 4 files changed, 14 insertions(+), 34 deletions(-) diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list index 695ba7192e..42d8ffd06d 100644 --- a/elf/dl-tunables.list +++ b/elf/dl-tunables.list 
@@ -22,7 +22,9 @@ # maxval: Optional maximum acceptable value # env_alias: An alias environment variable # security_level: Specify security level of the tunable for AT_SECURE binaries. -# Valid values are: +# Valid values are as follows. There must be a strong, well +# documented reason for a tunable to be marked SXID_IGNORE or +# SXID_NONE: # # SXID_ERASE: (default) Do not read and do not pass on to # child processes. @@ -41,7 +43,6 @@ glibc { top_pad { type: SIZE_T env_alias: MALLOC_TOP_PAD_ - security_level: SXID_IGNORE default: 131072 } perturb { @@ -49,35 +50,29 @@ glibc { minval: 0 maxval: 0xff env_alias: MALLOC_PERTURB_ - security_level: SXID_IGNORE } mmap_threshold { type: SIZE_T env_alias: MALLOC_MMAP_THRESHOLD_ - security_level: SXID_IGNORE } trim_threshold { type: SIZE_T env_alias: MALLOC_TRIM_THRESHOLD_ - security_level: SXID_IGNORE } mmap_max { type: INT_32 env_alias: MALLOC_MMAP_MAX_ - security_level: SXID_IGNORE minval: 0 } arena_max { type: SIZE_T env_alias: MALLOC_ARENA_MAX minval: 1 - security_level: SXID_IGNORE } arena_test { type: SIZE_T env_alias: MALLOC_ARENA_TEST minval: 1 - security_level: SXID_IGNORE } tcache_max { type: SIZE_T @@ -91,7 +86,6 @@ glibc { mxfast { type: SIZE_T minval: 0 - security_level: SXID_IGNORE } hugetlb { type: SIZE_T diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c index f0b92c97e7..79795cdce7 100644 --- a/elf/tst-env-setuid-tunables.c +++ b/elf/tst-env-setuid-tunables.c 
@@ -60,26 +60,6 @@ const char *teststrings[] = "glibc.not_valid.check=2", }; -const char *resultstrings[] = -{ - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.perturb=0x800", - "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", - "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", - "", - "", - "", - "", - "", - "", - "", -}; - static int test_child (int off) { @@ -87,12 +67,11 @@ test_child (int off) printf (" [%d] GLIBC_TUNABLES is %s\n", off, val); fflush (stdout); - if (val != NULL && strcmp (val, resultstrings[off]) == 0) + if (val != NULL && val[0] == '\0') return 0; if (val != NULL) - printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n", - off, val, resultstrings[off]); + printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val); else printf (" [%d] GLIBC_TUNABLES environment variable absent\n", off); diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c index 032ab44be2..100e2c6871 100644 --- a/elf/tst-env-setuid.c +++ b/elf/tst-env-setuid.c @@ -46,9 +46,9 @@ test_child (void) return 1; } - if (getenv ("MALLOC_MMAP_THRESHOLD_") == NULL) + if (getenv ("MALLOC_MMAP_THRESHOLD_") != NULL) { - printf ("MALLOC_MMAP_THRESHOLD_ lost\n"); + printf ("MALLOC_MMAP_THRESHOLD_ is still set\n"); return 1; } diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h index 8278c50a84..ca70e2e989 100644 --- a/sysdeps/generic/unsecvars.h +++ b/sysdeps/generic/unsecvars.h @@ -17,7 +17,14 @@ "LD_SHOW_AUXV\0" \ "LOCALDOMAIN\0" \ "LOCPATH\0" \ + "MALLOC_ARENA_MAX\0" \ + "MALLOC_ARENA_TEST\0" \ + "MALLOC_MMAP_MAX_\0" \ + "MALLOC_MMAP_THRESHOLD_\0" \ + "MALLOC_PERTURB_\0" \ + "MALLOC_TOP_PAD_\0" \ "MALLOC_TRACE\0" \ + "MALLOC_TRIM_THRESHOLD_\0" \ "NIS_PATH\0" \ "NLSPATH\0" \ "RESOLV_HOST_CONF\0" \
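
Review bot: In elf/dl-tunables.list, hunk @@ -22,7 +22,9 @@, the new sentence requires a "strong, well documented reason" for SXID_IGNORE or SXID_NONE but does not say where that reason has to be written down. Suggest naming the place, for example a comment directly above the tunable's security_level line, so the requirement can be checked when the entry itself is reviewed.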
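
Review bot: In elf/dl-tunables.list, hunk @@ -49,35 +50,29 @@, dropping security_level: SXID_IGNORE from perturb through arena_test changes what the non-setuid child of a setuid program inherits, and the commit message says the old level existed for compatibility, yet the diffstat lists only the tunables list, two tests and unsecvars.h. A NEWS entry and a user-facing documentation update naming the affected MALLOC_* aliases would let administrators who relied on the old pass-through find the change.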
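
Review bot: In elf/tst-env-setuid-tunables.c, test_child (hunk @@ -87,12 +67,11 @@), the new pass condition val != NULL && val[0] == '\0' requires GLIBC_TUNABLES to be present and empty, and an absent variable still takes the failure branch, while the dl-tunables.list comment describes SXID_ERASE as "Do not read and do not pass on to child processes" and tst-env-setuid.c expects the erased alias to be unset. Add a comment above the check stating why the empty string, not absence, is the expected result, and say "expected empty string" in the failure message now that resultstrings[off] is no longer printed.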
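
Review bot: In elf/tst-env-setuid.c, test_child (hunk @@ -46,9 +46,9 @@), only MALLOC_MMAP_THRESHOLD_ has its check inverted, while unsecvars.h gains seven MALLOC_* names in the same commit. Unless the other six are already checked outside this hunk, loop over all seven names so that one later dropped from the list is caught by the test.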
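
Review bot: In sysdeps/generic/unsecvars.h, hunk @@ -17,7 +17,14 @@, the seven added names duplicate the env_alias values in elf/dl-tunables.list and nothing in the visible lines ties the two files together, so a future env_alias on an SXID_ERASE tunable can be added without its entry here. Suggest a sentence at the env_alias description in dl-tunables.list saying that an alias of an SXID_ERASE tunable also needs a line in unsecvars.h, or generating these entries from the list.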