Subject: Re: RFC: Audit external function called indirectly via GOT
From: Florian Weimer <fweimer@redhat.com>
To: generic-abi@googlegroups.com, "H.J. Lu"
Cc: gnu-gabi@sourceware.org
Date: Mon, 01 Jan 2018 00:00:00 -0000
In-Reply-To: <20180317133115.GA4681@gmail.com>
References: <20180317133115.GA4681@gmail.com>
X-SW-Source: 2018-q1/txt/msg00002.txt.bz2

On 03/17/2018 02:31 PM, H.J. Lu wrote:
> Auditing of external function calls and their return values relies on
> lazy binding with PLT. When external functions are called indirectly
> via GOT without using PLT, auditing stops working.
>
> Here is a proposal to support auditing of external functions called
> indirectly via GOT:
>
> 1. Add optional dynamic tags:
>
> #define DT_GNU_PLT      0x6ffffef4 /* Address of PLT section */
> #define DT_GNU_PLTSZ    0x6ffffdf1 /* Size of PLT section */
> #define DT_GNU_PLTENT   0x6ffffdf2 /* Size of one PLT entry */
> #define DT_GNU_PLT0SZ   0x6ffffdf3 /* Size of the first PLT entry */
> #define DT_GNU_PLTGOTSZ 0x6ffffdf4 /* Size of PLTGOT section */
>
> and update DT_FLAGS_1 with:
>
> #define DF_1_JMPRELIGN 0x10000000 /* DT_JMPREL can be ignored */
>
> 2. Linker creates PLT entries for auditing external function calls via
> GOT and sets DT_GNU_PLT, DT_GNU_PLTSZ, DT_GNU_PLTENT, DT_GNU_PLT0SZ and
> DT_GNU_PLTGOTSZ. If PLT isn't required for lazy binding, set the
> DF_1_JMPRELIGN bit in DT_FLAGS_1.
Could we ship a template for the PLT entries in ld.so instead? And if
needed, map it from the file together with an address array, like this?

   Data page with pointer
   PLT template from ld.so (loading pointers from the previous page)

This process can be repeated, to obtain as many PLT stubs as needed.
It's not a real JIT, so SELinux will still be happy.

The data page would probably contain two pointers per PLT entry, not
just one, so that the reserved PLT entries aren't necessary.

> 3. When auditing is enabled at run-time, dynamic linker resolves GLOB_DAT
> relocation to its corresponding PLT entry by finding JUMP_SLOT relocation
> against the same function and uses its PLT slot as the function address.

This step would stay the same.

I wonder if this would make it possible to restore audit support for
existing binaries which lack PLT entries today.

Thanks,
Florian
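The following is an added worked example, not code from this thread, from glibc's ld.so or from the binutils linker. It shows what steps 2 and 3 of the quoted proposal amount to on the consumer side: parse a `.dynamic` array and two relocation tables laid out as `Elf64_Dyn` / `Elf64_Rela` records, check that the five proposed `DT_GNU_PLT*` tags and the `DF_1_JMPRELIGN` bit are present, and then, for every `GLOB_DAT` relocation whose symbol also has a `JUMP_SLOT` relocation, compute the address of that symbol's linker-emitted PLT stub so an auditing dynamic linker could store it in the GOT slot instead of the real target. The tag and flag values are those quoted in the RFC; the standard tag numbers and the x86-64 relocation type numbers are from the ELF and psABI specifications. Two things are assumptions of this example rather than statements of the proposal: the input bytes are constructed inline, and the n-th `JUMP_SLOT` relocation in `DT_JMPREL` is taken to map to PLT entry n+1 (the first `DT_GNU_PLTENT`-sized stub after PLT0), which is the conventional layout.

```python
import struct

# Standard Elf64_Dyn d_tag values
DT_NULL = 0
DT_PLTRELSZ = 2
DT_RELA = 7
DT_RELASZ = 8
DT_JMPREL = 23
DT_FLAGS_1 = 0x6FFFFFFB

# Tags and flag as quoted in H.J. Lu's RFC (proposed, not yet standard)
DT_GNU_PLT = 0x6FFFFEF4       # Address of PLT section
DT_GNU_PLTSZ = 0x6FFFFDF1     # Size of PLT section
DT_GNU_PLTENT = 0x6FFFFDF2    # Size of one PLT entry
DT_GNU_PLT0SZ = 0x6FFFFDF3    # Size of the first PLT entry
DT_GNU_PLTGOTSZ = 0x6FFFFDF4  # Size of PLTGOT section
DF_1_JMPRELIGN = 0x10000000   # DT_JMPREL can be ignored for lazy binding

# x86-64 relocation types involved in the GOT-vs-PLT distinction
R_X86_64_GLOB_DAT = 6
R_X86_64_JUMP_SLOT = 7

DYN_FMT = "<qQ"    # Elf64_Dyn: Sxword d_tag, Xword d_val
RELA_FMT = "<QQq"  # Elf64_Rela: r_offset, r_info, r_addend


def parse_dynamic(blob):
    """Return {d_tag: d_val} for a raw Elf64_Dyn array, stopping at DT_NULL."""
    tags = {}
    for off in range(0, len(blob), struct.calcsize(DYN_FMT)):
        tag, val = struct.unpack_from(DYN_FMT, blob, off)
        if tag == DT_NULL:
            break
        tags[tag] = val
    return tags


def parse_rela(blob):
    """Return (r_offset, symbol_index, reloc_type, addend) for each Elf64_Rela."""
    out = []
    for off in range(0, len(blob), struct.calcsize(RELA_FMT)):
        r_offset, r_info, addend = struct.unpack_from(RELA_FMT, blob, off)
        out.append((r_offset, r_info >> 32, r_info & 0xFFFFFFFF, addend))
    return out


def has_plt_audit_info(tags):
    """True when the linker emitted all five proposed tags (step 2 of the RFC)."""
    needed = (DT_GNU_PLT, DT_GNU_PLTSZ, DT_GNU_PLTENT, DT_GNU_PLT0SZ, DT_GNU_PLTGOTSZ)
    return all(t in tags for t in needed)


def jmprel_can_be_ignored(tags):
    """True when DF_1_JMPRELIGN says the JUMP_SLOT relocs are only there for auditing."""
    return bool(tags.get(DT_FLAGS_1, 0) & DF_1_JMPRELIGN)


def plt_entry_address(tags, jump_slot_ordinal):
    """Address of the PLT stub for the n-th JUMP_SLOT relocation (0-based).
    Assumption of this example: PLT0 first, then one DT_GNU_PLTENT-sized stub per slot."""
    addr = tags[DT_GNU_PLT] + tags[DT_GNU_PLT0SZ] + jump_slot_ordinal * tags[DT_GNU_PLTENT]
    if addr + tags[DT_GNU_PLTENT] > tags[DT_GNU_PLT] + tags[DT_GNU_PLTSZ]:
        raise ValueError("JUMP_SLOT ordinal %d lies outside the PLT" % jump_slot_ordinal)
    return addr


def audit_redirections(tags, glob_dat_relocs, jump_slot_relocs):
    """Step 3 of the RFC: for each GLOB_DAT relocation, find the JUMP_SLOT relocation
    against the same symbol and return {got_slot_offset: plt_entry_address}.
    GOT slots whose symbol has no PLT stub are left out: they cannot be audited."""
    ordinal_by_sym = {}
    for n, (_, sym, rtype, _) in enumerate(jump_slot_relocs):
        if rtype == R_X86_64_JUMP_SLOT:
            ordinal_by_sym.setdefault(sym, n)
    result = {}
    for got_off, sym, rtype, _ in glob_dat_relocs:
        if rtype == R_X86_64_GLOB_DAT and sym in ordinal_by_sym:
            result[got_off] = plt_entry_address(tags, ordinal_by_sym[sym])
    return result


def build_sample():
    """Constructed Elf64_Dyn / Elf64_Rela bytes standing in for a real shared object."""
    dyn = b"".join(struct.pack(DYN_FMT, t, v) for t, v in [
        (DT_RELA, 0x400), (DT_RELASZ, 3 * 24),
        (DT_JMPREL, 0x500), (DT_PLTRELSZ, 2 * 24),
        (DT_GNU_PLT, 0x1000), (DT_GNU_PLTSZ, 0x30), (DT_GNU_PLTENT, 0x10),
        (DT_GNU_PLT0SZ, 0x10), (DT_GNU_PLTGOTSZ, 0x20),
        (DT_FLAGS_1, DF_1_JMPRELIGN), (DT_NULL, 0),
    ])

    def rela(off, sym, rtype):
        return struct.pack(RELA_FMT, off, (sym << 32) | rtype, 0)

    # GOT slots for symbols 1 and 2 (functions) and symbol 3 (a data object)
    glob = rela(0x3000, 1, R_X86_64_GLOB_DAT) + rela(0x3008, 2, R_X86_64_GLOB_DAT) \
        + rela(0x3010, 3, R_X86_64_GLOB_DAT)
    # PLTGOT slots: the linker emitted audit PLT stubs for symbols 1 and 2 only
    jmp = rela(0x3100, 1, R_X86_64_JUMP_SLOT) + rela(0x3108, 2, R_X86_64_JUMP_SLOT)
    return dyn, glob, jmp


def run_sample():
    dyn, glob, jmp = build_sample()
    tags = parse_dynamic(dyn)
    return audit_redirections(tags, parse_rela(glob), parse_rela(jmp))


if __name__ == "__main__":
    for got, plt in sorted(run_sample().items()):
        print("GOT slot 0x%x -> audit via PLT entry 0x%x" % (got, plt))
```

With the constructed tables, symbols 1 and 2 get redirected to the stubs at 0x1010 and 0x1020 (PLT0 occupies 0x1000..0x1010), while the data symbol 3 stays a plain GOT slot; `plt_entry_address` also rejects an ordinal that would run past `DT_GNU_PLTSZ`, which is the bounds check an auditing ld.so would need before trusting the linker-provided sizes.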