From: Joe Simmons-Talbott <josimmon@redhat.com>
To: libc-alpha@sourceware.org
Cc: Joe Simmons-Talbott <josimmon@redhat.com>
Subject: [PATCH v4] rtld: Add glibc.rtld.enable_secure tunable.
Date: Fri, 12 Jan 2024 08:43:20 -0500 [thread overview]
Message-ID: <20240112134328.568424-1-josimmon@redhat.com> (raw)
Add a tunable for setting __libc_enable_secure to 1. Do not set
__libc_enable_secure to 0 if the tunable is set to 0. Ignore all
tunables if glib.rtld.enable_secure is set. One use-case for this
addition is to enable testing code paths that depend on
__libc_enable_secure being set without the need to use setxid binaries.
---
Changes to v3:
* Rebase and fix merge conflict in NEWS.
Changes to v2:
* handle the tunable in __tunables_init so that it's done in a single
place.
* ignore all tunables if the tunable is set.
* update the testcase to only check the tunables if the enable_secure
tunable is not set.
* don't add tunables_strcmp as there is now already a version.
Changes to v1:
* handle the tunable for the dynamic loader as well.
NEWS | 5 ++
elf/Makefile | 2 +
elf/dl-tunables.c | 11 +++
elf/dl-tunables.list | 6 ++
elf/tst-rtld-list-tunables.exp | 1 +
elf/tst-tunables-enable_secure.c | 126 +++++++++++++++++++++++++++++++
6 files changed, 151 insertions(+)
create mode 100644 elf/tst-tunables-enable_secure.c
diff --git a/NEWS b/NEWS
index 83ae627f47..aff44f6d7f 100644
--- a/NEWS
+++ b/NEWS
@@ -55,6 +55,11 @@ Major new features:
unsigned char, unsigned short, unsigned int, unsigned long int and
unsigned long long int, and a type-generic macro.
+* A new tunable, glibc.rtld.enable_secure, used to run a program
+ as if it were a setuid process, enabling a number of security features. This
+ is currently a testing tool to allow more extensive verification tests for
+ AT_SECURE programs and not meant to be a security feature.
+
Deprecated and removed features, and other changes affecting compatibility:
* The ldconfig program now skips file names containing ';' or ending in
diff --git a/elf/Makefile b/elf/Makefile
index 5d78b659ce..45a6aa7a8d 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -285,6 +285,7 @@ tests-static-internal := \
tst-tls1-static \
tst-tls1-static-non-pie \
tst-tunables \
+ tst-tunables-enable_secure \
# tests-static-internal
CRT-tst-tls1-static-non-pie := $(csu-objpfx)crt1.o
@@ -2676,6 +2677,7 @@ $(objpfx)tst-glibc-hwcaps-mask.out: \
$(objpfx)tst-glibc-hwcaps-cache.out: $(objpfx)tst-glibc-hwcaps
tst-tunables-ARGS = -- $(host-test-program-cmd)
+tst-tunables-enable_secure-ARGS = -- $(host-test-program-cmd)
$(objpfx)list-tunables.out: tst-rtld-list-tunables.sh $(objpfx)ld.so
$(SHELL) $< $(objpfx)ld.so '$(test-wrapper-env)' \
diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
index 03e1a68675..d3ccd2ecd4 100644
--- a/elf/dl-tunables.c
+++ b/elf/dl-tunables.c
@@ -223,6 +223,17 @@ parse_tunables_string (const char *valstring, struct tunable_toset_t *tunables)
{
tunables[ntunables++] =
(struct tunable_toset_t) { cur, value, p - value };
+
+ /* Ignore tunables if enable_secure is set */
+ if (tunable_is_name ("glibc.rtld.enable_secure", name))
+ {
+ tunable_num_t val = (tunable_num_t) _dl_strtoul (value, NULL);
+ if (val == 1)
+ {
+ __libc_enable_secure = 1;
+ return 0;
+ }
+ }
break;
}
}
diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
index 1b40407814..1186272c81 100644
--- a/elf/dl-tunables.list
+++ b/elf/dl-tunables.list
@@ -136,6 +136,12 @@ glibc {
minval: 0
default: 512
}
+ enable_secure {
+ type: INT_32
+ minval: 0
+ maxval: 1
+ default: 0
+ }
}
mem {
diff --git a/elf/tst-rtld-list-tunables.exp b/elf/tst-rtld-list-tunables.exp
index 2233ea9c7c..db0e1c86e9 100644
--- a/elf/tst-rtld-list-tunables.exp
+++ b/elf/tst-rtld-list-tunables.exp
@@ -12,5 +12,6 @@ glibc.malloc.tcache_unsorted_limit: 0x0 (min: 0x0, max: 0x[f]+)
glibc.malloc.top_pad: 0x20000 (min: 0x0, max: 0x[f]+)
glibc.malloc.trim_threshold: 0x0 (min: 0x0, max: 0x[f]+)
glibc.rtld.dynamic_sort: 2 (min: 1, max: 2)
+glibc.rtld.enable_secure: 0 (min: 0, max: 1)
glibc.rtld.nns: 0x4 (min: 0x1, max: 0x10)
glibc.rtld.optional_static_tls: 0x200 (min: 0x0, max: 0x[f]+)
diff --git a/elf/tst-tunables-enable_secure.c b/elf/tst-tunables-enable_secure.c
new file mode 100644
index 0000000000..790d14237e
--- /dev/null
+++ b/elf/tst-tunables-enable_secure.c
@@ -0,0 +1,126 @@
+/* Check GLIBC_TUNABLES parsing for enable_secure.
+ Copyright (C) 2023 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <array_length.h>
+#include <dl-tunables.h>
+#include <getopt.h>
+#include <intprops.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <support/capture_subprocess.h>
+#include <support/check.h>
+#include <sys/auxv.h>
+#include <unistd.h>
+
+static int restart;
+#define CMDLINE_OPTIONS \
+ { "restart", no_argument, &restart, 1 },
+
+static const struct test_t
+{
+ const char *env;
+ int32_t expected_malloc_check;
+ int32_t expected_enable_secure;
+} tests[] =
+{
+ /* Expected tunable format. */
+ /* Tunables should be ignored if enable_secure is set. */
+ {
+ "glibc.malloc.check=2:glibc.rtld.enable_secure=1",
+ 0,
+ 1,
+ },
+ /* Tunables should be ignored if enable_secure is set. */
+ {
+ "glibc.rtld.enable_secure=1:glibc.malloc.check=2",
+ 0,
+ 1,
+ },
+ /* Tunables should be set if enable_secure is unset. */
+ {
+ "glibc.rtld.enable_secure=0:glibc.malloc.check=2",
+ 2,
+ 0,
+ },
+};
+
+static int
+handle_restart (int i)
+{
+ if (tests[i].expected_enable_secure == 1)
+ {
+ TEST_COMPARE (1, __libc_enable_secure);
+ }
+ else
+ {
+ TEST_COMPARE (tests[i].expected_malloc_check,
+ TUNABLE_GET_FULL (glibc, malloc, check, int32_t, NULL));
+ TEST_COMPARE (tests[i].expected_enable_secure,
+ TUNABLE_GET_FULL (glibc, rtld, enable_secure, int32_t,
+ NULL));
+ }
+ return 0;
+}
+
+static int
+do_test (int argc, char *argv[])
+{
+ /* We must have either:
+ - One or four parameters left if called initially:
+ + path to ld.so optional
+ + "--library-path" optional
+ + the library path optional
+ + the application name
+ + the test to check */
+
+ TEST_VERIFY_EXIT (argc == 2 || argc == 5);
+
+ if (restart)
+ return handle_restart (atoi (argv[1]));
+
+ char nteststr[INT_BUFSIZE_BOUND (int)];
+
+ char *spargv[10];
+ {
+ int i = 0;
+ for (; i < argc - 1; i++)
+ spargv[i] = argv[i + 1];
+ spargv[i++] = (char *) "--direct";
+ spargv[i++] = (char *) "--restart";
+ spargv[i++] = nteststr;
+ spargv[i] = NULL;
+ }
+
+ for (int i = 0; i < array_length (tests); i++)
+ {
+ snprintf (nteststr, sizeof nteststr, "%d", i);
+
+ printf ("[%d] Spawned test for %s\n", i, tests[i].env);
+ setenv ("GLIBC_TUNABLES", tests[i].env, 1);
+ struct support_capture_subprocess result
+ = support_capture_subprogram (spargv[0], spargv);
+ support_capture_subprocess_check (&result, "tst-tunables-enable_secure",
+ 0, sc_allow_stderr);
+ support_capture_subprocess_free (&result);
+ }
+
+ return 0;
+}
+
+#define TEST_FUNCTION_ARGV do_test
+#include <support/test-driver.c>
--
2.41.0
next reply other threads:[~2024-01-12 13:43 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-12 13:43 Joe Simmons-Talbott [this message]
2024-01-12 13:53 ` H.J. Lu
2024-01-12 18:25 ` Joe Simmons-Talbott
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240112134328.568424-1-josimmon@redhat.com \
--to=josimmon@redhat.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).