From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=pzpL=IW=redhat.com=josimmon@sourceware.org>
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	by sourceware.org (Postfix) with ESMTPS id C92213858296
	for <libc-alpha@sourceware.org>; Fri, 12 Jan 2024 18:25:37 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org C92213858296
Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org C92213858296
Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=170.10.129.124
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1705083939; cv=none;
	b=WeASPKpwakExLEp0230bbe+zs9u2sUirS8jyGUFhRTTt1Eox/yG6+7Y7xpaKrWL3LVrNPefKChoWOM/HhFvch7/ySwLL1NwRO0c5fJwJJ+taBCr2BBfZw6QJq/9UTHKg0se9WmFR7x70te1OK9ZxJ/pNksUWLdMPrNPwrOWKN5U=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
	t=1705083939; c=relaxed/simple;
	bh=AumLu7Y4XaAMUWXby2E/SZJT5ZrT7Q/mBu/bqGA9SKI=;
	h=DKIM-Signature:Date:From:To:Subject:Message-ID:MIME-Version; b=UNp3G3p+t/8URzwdMMZcM5ElbW2FlVNkwNo4ljX3zWplNbNnRvERSjWrG9pa9Ww4PHhbhR3/gxEmgaGpNgOauYvOX7bijTyF/Pfd5vObDmHb6vSPpfk+cNgaV+AqIA4ejKVZn6IYurVAz3SRy04dkjftfXhTMjX7AtYb91VFquM=
ARC-Authentication-Results: i=1; server2.sourceware.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1705083937;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=xoOjOJJlDKtVGH9p46L7IbBTAiJoIXS03ClCQfZhh0Q=;
	b=A5MMAxMuj/vqqEcl+8Nscze2gZhRAB+qSn+ULjRoicz/Ma9TOtFI2GrIfgGubuCosa+Dy9
	KxZZbDV33qkKw1geWEJIOgRCcmReGbPowqKxOi5n7ONgVFC0BnB3j9BXky6qNHBB3fevUg
	YA5E7s7F6oJmiq50A9KbEQ5lo3lxeD0=
Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73])
 by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-137-U-HvKqVQMEa_GHZk4HLoQA-1; Fri,
 12 Jan 2024 13:25:30 -0500
X-MC-Unique: U-HvKqVQMEa_GHZk4HLoQA-1
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com [10.11.54.8])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 862F829ABA3E;
	Fri, 12 Jan 2024 18:25:29 +0000 (UTC)
Received: from oak (unknown [10.22.17.149])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 5A84AC25AC8;
	Fri, 12 Jan 2024 18:25:29 +0000 (UTC)
Date: Fri, 12 Jan 2024 13:25:27 -0500
From: Joe Simmons-Talbott <josimmon@redhat.com>
To: "H.J. Lu" <hjl.tools@gmail.com>
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH v4] rtld: Add glibc.rtld.enable_secure tunable.
Message-ID: <20240112182527.GF3179278@oak>
References: <20240112134328.568424-1-josimmon@redhat.com>
 <CAMe9rOqKCBVvJJwCt+ZnVSKL5JTKcs9oGfXvROv6eeqdtc1mPg@mail.gmail.com>
MIME-Version: 1.0
In-Reply-To: <CAMe9rOqKCBVvJJwCt+ZnVSKL5JTKcs9oGfXvROv6eeqdtc1mPg@mail.gmail.com>
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.8
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-13.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,GIT_PATCH_0,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <libc-alpha.sourceware.org>

On Fri, Jan 12, 2024 at 05:53:23AM -0800, H.J. Lu wrote:
> On Fri, Jan 12, 2024 at 5:44 AM Joe Simmons-Talbott <josimmon@redhat.com> wrote:
> >
> > Add a tunable for setting __libc_enable_secure to 1.  Do not set
> > __libc_enable_secure to 0 if the tunable is set to 0.  Ignore all
> > tunables if glib.rtld.enable_secure is set.  One use-case for this
> > addition is to enable testing code paths that depend on
> > __libc_enable_secure being set without the need to use setxid binaries.
> > ---
> > Changes to v3:
> >   * Rebase and fix merge conflict in NEWS.
> >
> > Changes to v2:
> >   * handle the tunable in __tunables_init so that it's done in a single
> >     place.
> >   * ignore all tunables if the tunable is set.
> >   * update the testcase to only check the tunables if the enable_secure
> >     tunable is not set.
> >   * don't add tunables_strcmp as there is now already a version.
> >
> > Changes to v1:
> >   * handle the tunable for the dynamic loader as well.
> >
> >  NEWS                             |   5 ++
> >  elf/Makefile                     |   2 +
> >  elf/dl-tunables.c                |  11 +++
> >  elf/dl-tunables.list             |   6 ++
> >  elf/tst-rtld-list-tunables.exp   |   1 +
> >  elf/tst-tunables-enable_secure.c | 126 +++++++++++++++++++++++++++++++
> >  6 files changed, 151 insertions(+)
> >  create mode 100644 elf/tst-tunables-enable_secure.c
> >
> > diff --git a/NEWS b/NEWS
> > index 83ae627f47..aff44f6d7f 100644
> > --- a/NEWS
> > +++ b/NEWS
> > @@ -55,6 +55,11 @@ Major new features:
> >    unsigned char, unsigned short, unsigned int, unsigned long int and
> >    unsigned long long int, and a type-generic macro.
> >
> > +* A new tunable, glibc.rtld.enable_secure, used to run a program
> > +  as if it were a setuid process, enabling a number of security features. This
> > +  is currently a testing tool to allow more extensive verification tests for
> > +  AT_SECURE programs and not meant to be a security feature.
> > +
> >  Deprecated and removed features, and other changes affecting compatibility:
> >
> >  * The ldconfig program now skips file names containing ';' or ending in
> > diff --git a/elf/Makefile b/elf/Makefile
> > index 5d78b659ce..45a6aa7a8d 100644
> > --- a/elf/Makefile
> > +++ b/elf/Makefile
> > @@ -285,6 +285,7 @@ tests-static-internal := \
> >    tst-tls1-static \
> >    tst-tls1-static-non-pie \
> >    tst-tunables \
> > +  tst-tunables-enable_secure \
> >    # tests-static-internal
> >
> >  CRT-tst-tls1-static-non-pie := $(csu-objpfx)crt1.o
> > @@ -2676,6 +2677,7 @@ $(objpfx)tst-glibc-hwcaps-mask.out: \
> >  $(objpfx)tst-glibc-hwcaps-cache.out: $(objpfx)tst-glibc-hwcaps
> >
> >  tst-tunables-ARGS = -- $(host-test-program-cmd)
> > +tst-tunables-enable_secure-ARGS = -- $(host-test-program-cmd)
> >
> >  $(objpfx)list-tunables.out: tst-rtld-list-tunables.sh $(objpfx)ld.so
> >         $(SHELL) $< $(objpfx)ld.so '$(test-wrapper-env)' \
> > diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
> > index 03e1a68675..d3ccd2ecd4 100644
> > --- a/elf/dl-tunables.c
> > +++ b/elf/dl-tunables.c
> > @@ -223,6 +223,17 @@ parse_tunables_string (const char *valstring, struct tunable_toset_t *tunables)
> >             {
> >               tunables[ntunables++] =
> >                 (struct tunable_toset_t) { cur, value, p - value };
> > +
> > +             /* Ignore tunables if enable_secure is set */
> > +             if (tunable_is_name ("glibc.rtld.enable_secure", name))
> > +               {
> > +                  tunable_num_t val = (tunable_num_t) _dl_strtoul (value, NULL);
> > +                 if (val == 1)
> > +                   {
> > +                     __libc_enable_secure = 1;
> > +                     return 0;
> > +                   }
> > +               }
> >               break;
> >             }
> >         }
> > diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
> > index 1b40407814..1186272c81 100644
> > --- a/elf/dl-tunables.list
> > +++ b/elf/dl-tunables.list
> > @@ -136,6 +136,12 @@ glibc {
> >        minval: 0
> >        default: 512
> >      }
> > +    enable_secure {
> > +      type: INT_32
> > +      minval: 0
> > +      maxval: 1
> > +      default: 0
> > +    }
> >    }
> >
> >    mem {
> > diff --git a/elf/tst-rtld-list-tunables.exp b/elf/tst-rtld-list-tunables.exp
> > index 2233ea9c7c..db0e1c86e9 100644
> > --- a/elf/tst-rtld-list-tunables.exp
> > +++ b/elf/tst-rtld-list-tunables.exp
> > @@ -12,5 +12,6 @@ glibc.malloc.tcache_unsorted_limit: 0x0 (min: 0x0, max: 0x[f]+)
> >  glibc.malloc.top_pad: 0x20000 (min: 0x0, max: 0x[f]+)
> >  glibc.malloc.trim_threshold: 0x0 (min: 0x0, max: 0x[f]+)
> >  glibc.rtld.dynamic_sort: 2 (min: 1, max: 2)
> > +glibc.rtld.enable_secure: 0 (min: 0, max: 1)
> >  glibc.rtld.nns: 0x4 (min: 0x1, max: 0x10)
> >  glibc.rtld.optional_static_tls: 0x200 (min: 0x0, max: 0x[f]+)
> > diff --git a/elf/tst-tunables-enable_secure.c b/elf/tst-tunables-enable_secure.c
> > new file mode 100644
> > index 0000000000..790d14237e
> > --- /dev/null
> > +++ b/elf/tst-tunables-enable_secure.c
> > @@ -0,0 +1,126 @@
> > +/* Check GLIBC_TUNABLES parsing for enable_secure.
> > +   Copyright (C) 2023 Free Software Foundation, Inc.
> 
> 2024
> 

Thanks for catching that.  Updated in v5.

Thanks,
Joe