From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: adhemerval.zanella@linaro.org, fweimer@redhat.com, carlos@redhat.com
Subject: [PATCH 1/2] Make all malloc tunables SXID_ERASE
Date: Tue, 3 Oct 2023 16:11:50 -0400
Message-ID: <20231003201151.1406279-2-siddhesh@sourceware.org>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <20231003201151.1406279-1-siddhesh@sourceware.org>
References: <20231003201151.1406279-1-siddhesh@sourceware.org>

The malloc tunables were made SXID_IGNORE to mimic the environment variables they aliased, in order to maintain compatibility. This allowed alteration of allocator behaviour across setuid boundaries, where a setuid program may ignore the tunable but its non-setuid child can read it and adjust allocator behaviour accordingly.

It's not clear how useful this misfeature is; most library behaviour tuning is limited to the current process and does not bleed in scope like this. If behaviour change across privilege boundaries is desirable, it should be done with a wrapper program around the non-setuid child that sets these envvars, instead of using the setuid process as the messenger.

In future, maybe systemwide tunables could allow setting tunable values across privilege boundaries.

Signed-off-by: Siddhesh Poyarekar
--- elf/dl-tunables.list | 12 +++--------- elf/tst-env-setuid-tunables.c | 25 ++----------------------- elf/tst-env-setuid.c | 4 ++-- sysdeps/generic/unsecvars.h | 7 +++++++ 4 files changed, 14 insertions(+), 34 deletions(-) diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list index 695ba7192e..42d8ffd06d 100644 --- a/elf/dl-tunables.list
+++ b/elf/dl-tunables.list @@ -22,7 +22,9 @@ # maxval: Optional maximum acceptable value # env_alias: An alias environment variable # security_level: Specify security level of the tunable for AT_SECURE binaries. -# Valid values are: +# Valid values are as follows. There must be a strong, well +# documented reason for a tunable to be marked SXID_IGNORE or +# SXID_NONE: # # SXID_ERASE: (default) Do not read and do not pass on to # child processes. @@ -41,7 +43,6 @@ glibc { top_pad { type: SIZE_T env_alias: MALLOC_TOP_PAD_ - security_level: SXID_IGNORE default: 131072 } perturb { @@ -49,35 +50,29 @@ glibc { minval: 0 maxval: 0xff env_alias: MALLOC_PERTURB_ - security_level: SXID_IGNORE } mmap_threshold { type: SIZE_T env_alias: MALLOC_MMAP_THRESHOLD_ - security_level: SXID_IGNORE } trim_threshold { type: SIZE_T env_alias: MALLOC_TRIM_THRESHOLD_ - security_level: SXID_IGNORE } mmap_max { type: INT_32 env_alias: MALLOC_MMAP_MAX_ - security_level: SXID_IGNORE minval: 0 } arena_max { type: SIZE_T env_alias: MALLOC_ARENA_MAX minval: 1 - security_level: SXID_IGNORE } arena_test { type: SIZE_T env_alias: MALLOC_ARENA_TEST minval: 1 - security_level: SXID_IGNORE } tcache_max { type: SIZE_T @@ -91,7 +86,6 @@ glibc { mxfast { type: SIZE_T minval: 0 - security_level: SXID_IGNORE } hugetlb { type: SIZE_T diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c index f0b92c97e7..79795cdce7 100644 --- a/elf/tst-env-setuid-tunables.c +++ b/elf/tst-env-setuid-tunables.c 
@@ -60,26 +60,6 @@ const char *teststrings[] = "glibc.not_valid.check=2", }; -const char *resultstrings[] = -{ - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.perturb=0x800", - "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", - "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", - "", - "", - "", - "", - "", - "", - "", -}; - static int test_child (int off) { @@ -87,12 +67,11 @@ test_child (int off) printf (" [%d] GLIBC_TUNABLES is %s\n", off, val); fflush (stdout); - if (val != NULL && strcmp (val, resultstrings[off]) == 0) + if (val != NULL && val[0] == '\0') return 0; if (val != NULL) - printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n", - off, val, resultstrings[off]); + printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val); else printf (" [%d] GLIBC_TUNABLES environment variable absent\n", off); diff --git a/elf/tst-env-setuid.c b/elf/tst-env-setuid.c index 032ab44be2..100e2c6871 100644 --- a/elf/tst-env-setuid.c +++ b/elf/tst-env-setuid.c @@ -46,9 +46,9 @@ test_child (void) return 1; } - if (getenv ("MALLOC_MMAP_THRESHOLD_") == NULL) + if (getenv ("MALLOC_MMAP_THRESHOLD_") != NULL) { - printf ("MALLOC_MMAP_THRESHOLD_ lost\n"); + printf ("MALLOC_MMAP_THRESHOLD_ is still set\n"); return 1; } diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h index 8278c50a84..ca70e2e989 100644 --- a/sysdeps/generic/unsecvars.h +++ b/sysdeps/generic/unsecvars.h @@ -17,7 +17,14 @@ "LD_SHOW_AUXV\0" \ "LOCALDOMAIN\0" \ "LOCPATH\0" \ + "MALLOC_ARENA_MAX\0" \ + "MALLOC_ARENA_TEST\0" \ + "MALLOC_MMAP_MAX_\0" \ + "MALLOC_MMAP_THRESHOLD_\0" \ + "MALLOC_PERTURB_\0" \ + "MALLOC_TOP_PAD_\0" \ "MALLOC_TRACE\0" \ + "MALLOC_TRIM_THRESHOLD_\0" \ "NIS_PATH\0" \ "NLSPATH\0" \ "RESOLV_HOST_CONF\0" \ -- 2.41.0
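Review bot: the new comment in the elf/dl-tunables.list hunk at @@ -22,7 +22,9 @@ names SXID_NONE as a level, but the only value spelled out in the visible context is SXID_ERASE; please confirm that SXID_NONE is the token the file's own value enumeration and the generator scripts accept, so the comment and the enumeration agree. Two smaller points on the same lines: "well documented reason" should read "well-documented reason", and since the "do not pass on to child processes" half of SXID_ERASE for an env-aliased tunable is supplied by the separate list in sysdeps/generic/unsecvars.h (which is why this patch has to touch that file and why elf/tst-env-setuid.c now asserts the MALLOC_MMAP_THRESHOLD_ variable is gone), a one-line pointer to unsecvars.h next to the security_level description would stop a future tunable from being marked SXID_ERASE without its alias being added there.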
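Review bot: in elf/tst-env-setuid-tunables.c, with resultstrings[] removed the new check `if (val != NULL && val[0] == '\0')` makes every entry of teststrings[] expect an empty GLIBC_TUNABLES in the child, so the test no longer exercises a tunable that is supposed to survive the setuid boundary (SXID_IGNORE or the read-always level) and would not catch a regression that erases everything. Consider keeping one non-malloc entry with a retained level, together with its expected result string, so both directions of the policy stay covered.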
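Review bot: the inverted check in elf/tst-env-setuid.c only covers MALLOC_MMAP_THRESHOLD_, while sysdeps/generic/unsecvars.h gains seven MALLOC_* names in the same patch; if the parent side of this test sets the other six as well (not visible in the hunk), a loop over that list asserting each one is absent in the child would cover all of them, and including the surviving value in the "MALLOC_MMAP_THRESHOLD_ is still set" message would make a failure easier to diagnose.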
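Review bot: the seven strings added to UNSECURE_ENVVARS in sysdeps/generic/unsecvars.h match the env_alias values whose SXID_IGNORE lines are removed in the elf/dl-tunables.list hunks exactly, trailing-underscore difference included (MALLOC_ARENA_MAX and MALLOC_ARENA_TEST carry none, the other five do), and they keep the list alphabetical around MALLOC_TRACE. Nothing enforces that correspondence, though: a check in the tunables generator, or a test, that every env_alias belonging to an SXID_ERASE tunable also appears in this list would catch the next alias that is added to dl-tunables.list but not here.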
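The commit message describes the distinction this patch relies on: a setuid (AT_SECURE) process may refuse to read a tunable yet still hand it to a non-setuid child, and moving the malloc tunables from SXID_IGNORE to SXID_ERASE closes that second path. The following is an added example written for this page, not glibc code and not the author's; it models the three security levels named in the elf/dl-tunables.list comment for a single environment, once with the pre-patch levels and once with the post-patch ones. The level token NONE for the read-always level, the tunable glibc.example.always, the treatment of unknown tunable names as erased, and the helper names are all assumptions; glibc's real parser also handles precedence between GLIBC_TUNABLES and the MALLOC_* aliases and malformed entries differently, which this model does not attempt to reproduce.

```python
"""Model of tunable security levels at a setuid boundary (added illustration,
not glibc code).  Levels follow the elf/dl-tunables.list comment:
SXID_ERASE: not read, not passed on; SXID_IGNORE: not read, passed on;
NONE (assumed token): read and passed on."""

from dataclasses import dataclass, replace

ERASE, IGNORE, NONE = "SXID_ERASE", "SXID_IGNORE", "NONE"


@dataclass(frozen=True)
class Tunable:
    name: str        # tunable name as written in GLIBC_TUNABLES
    env_alias: str   # legacy MALLOC_* environment variable, "" if none
    level: str       # security level applied to AT_SECURE binaries


# Before the patch: malloc tunables carried security_level: SXID_IGNORE.
# glibc.example.always is a hypothetical tunable at level NONE, present only
# to show the "read and pass on" path.
BEFORE = (
    Tunable("glibc.malloc.mmap_threshold", "MALLOC_MMAP_THRESHOLD_", IGNORE),
    Tunable("glibc.malloc.perturb", "MALLOC_PERTURB_", IGNORE),
    Tunable("glibc.malloc.arena_max", "MALLOC_ARENA_MAX", IGNORE),
    Tunable("glibc.example.always", "", NONE),
)

# After the patch: the malloc tunables fall back to the default, SXID_ERASE.
AFTER = tuple(
    replace(t, level=ERASE) if t.name.startswith("glibc.malloc.") else t
    for t in BEFORE
)


def parse_tunables(value):
    """Split 'a=1:b=2' into (name, value) pairs; entries without '=' are
    dropped (modelling assumption, not glibc's exact parser)."""
    pairs = []
    for item in value.split(":"):
        name, sep, val = item.partition("=")
        if sep:
            pairs.append((name, val))
    return pairs


def secure_process_view(env, table):
    """Return (applied, child_env) for an AT_SECURE process started with env.

    applied   -- tunable values the process itself adopts (level NONE only)
    child_env -- environment passed to a non-setuid child: SXID_ERASE entries
                 are stripped from GLIBC_TUNABLES and the matching MALLOC_*
                 alias is dropped (the unsecvars.h half of the patch);
                 SXID_IGNORE entries survive untouched.
    Unknown tunable names are treated as SXID_ERASE (assumption).
    """
    by_name = {t.name: t for t in table}
    by_alias = {t.env_alias: t for t in table if t.env_alias}
    applied, child_env = {}, {}
    for key, value in env.items():
        if key == "GLIBC_TUNABLES":
            kept = []
            for name, val in parse_tunables(value):
                level = by_name[name].level if name in by_name else ERASE
                if level == NONE:
                    applied.setdefault(name, val)
                if level != ERASE:
                    kept.append(f"{name}={val}")
            # Variable stays present, possibly empty, as the patched
            # elf/tst-env-setuid-tunables.c expects for the erased case.
            child_env[key] = ":".join(kept)
        elif key in by_alias:
            t = by_alias[key]
            if t.level == NONE:
                applied.setdefault(t.name, value)
            if t.level != ERASE:
                child_env[key] = value
        else:
            child_env[key] = value
    return applied, child_env


# Constructed environment for the demonstration, not taken from a real system.
SAMPLE_ENV = {
    "GLIBC_TUNABLES": "glibc.malloc.mmap_threshold=4096:glibc.malloc.perturb=0x800"
                      ":glibc.example.always=1:glibc.not_valid.check=2",
    "MALLOC_ARENA_MAX": "1",
    "PATH": "/usr/bin",
}


def child_tunables(table):
    """What the non-setuid child of a setuid program sees under `table`."""
    _, child_env = secure_process_view(SAMPLE_ENV, table)
    return child_env.get("GLIBC_TUNABLES"), child_env.get("MALLOC_ARENA_MAX")


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        applied, child_env = secure_process_view(SAMPLE_ENV, table)
        print(label, "applied:", applied)
        print(label, "child sees:", child_tunables(table))
```

Running the block shows the point of the patch directly: under the pre-patch table the setuid process applies nothing from the malloc tunables but still forwards `glibc.malloc.mmap_threshold=4096:glibc.malloc.perturb=0x800` and `MALLOC_ARENA_MAX=1` to its child, whereas under the post-patch table the child receives neither; the hypothetical NONE-level tunable is applied and forwarded in both cases, and the unknown `glibc.not_valid.check=2` is dropped in both.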