Date: Fri, 12 Jan 2024 13:25:27 -0500
From: Joe Simmons-Talbott
To: "H.J. Lu"
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH v4] rtld: Add glibc.rtld.enable_secure tunable.
Message-ID: <20240112182527.GF3179278@oak>
References: <20240112134328.568424-1-josimmon@redhat.com>

On Fri, Jan 12, 2024 at 05:53:23AM -0800, H.J. Lu wrote:
> On Fri, Jan 12, 2024 at 5:44 AM Joe Simmons-Talbott wrote:
> >
> > Add a tunable for setting __libc_enable_secure to 1. Do not set
> > __libc_enable_secure to 0 if the tunable is set to 0. Ignore all
> > tunables if glib.rtld.enable_secure is set. One use-case for this
> > addition is to enable testing code paths that depend on
> > __libc_enable_secure being set without the need to use setxid binaries.
> > ---
> > Changes to v3:
> > * Rebase and fix merge conflict in NEWS.
> >
> > Changes to v2:
> > * handle the tunable in __tunables_init so that it's done in a single
> >   place.
> > * ignore all tunables if the tunable is set.
> > * update the testcase to only check the tunables if the enable_secure
> >   tunable is not set.
> > * don't add tunables_strcmp as there is now already a version.
> >
> > Changes to v1:
> > * handle the tunable for the dynamic loader as well.
> > > > NEWS | 5 ++ > > elf/Makefile | 2 + > > elf/dl-tunables.c | 11 +++ > > elf/dl-tunables.list | 6 ++ > > elf/tst-rtld-list-tunables.exp | 1 + > > elf/tst-tunables-enable_secure.c | 126 +++++++++++++++++++++++++++++++ > > 6 files changed, 151 insertions(+) > > create mode 100644 elf/tst-tunables-enable_secure.c > > > > diff --git a/NEWS b/NEWS > > index 83ae627f47..aff44f6d7f 100644 > > --- a/NEWS > > +++ b/NEWS > > @@ -55,6 +55,11 @@ Major new features: > > unsigned char, unsigned short, unsigned int, unsigned long int and > > unsigned long long int, and a type-generic macro. > > > > +* A new tunable, glibc.rtld.enable_secure, used to run a program > > + as if it were a setuid process, enabling a number of security features. This > > + is currently a testing tool to allow more extensive verification tests for > > + AT_SECURE programs and not meant to be a security feature. > > + > > Deprecated and removed features, and other changes affecting compatibility: > > > > * The ldconfig program now skips file names containing ';' or ending in > > diff --git a/elf/Makefile b/elf/Makefile > > index 5d78b659ce..45a6aa7a8d 100644 > > --- a/elf/Makefile > > +++ b/elf/Makefile > > @@ -285,6 +285,7 @@ tests-static-internal := \ > > tst-tls1-static \ > > tst-tls1-static-non-pie \ > > tst-tunables \ > > + tst-tunables-enable_secure \ > > # tests-static-internal > > > > CRT-tst-tls1-static-non-pie := $(csu-objpfx)crt1.o > > @@ -2676,6 +2677,7 @@ $(objpfx)tst-glibc-hwcaps-mask.out: \ > > $(objpfx)tst-glibc-hwcaps-cache.out: $(objpfx)tst-glibc-hwcaps > > > > tst-tunables-ARGS = -- $(host-test-program-cmd) > > +tst-tunables-enable_secure-ARGS = -- $(host-test-program-cmd) > > > > $(objpfx)list-tunables.out: tst-rtld-list-tunables.sh $(objpfx)ld.so > > $(SHELL) $< $(objpfx)ld.so '$(test-wrapper-env)' \ > > diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c > > index 03e1a68675..d3ccd2ecd4 100644 > > --- a/elf/dl-tunables.c > > +++ b/elf/dl-tunables.c 
> > @@ -223,6 +223,17 @@ parse_tunables_string (const char *valstring, struct tunable_toset_t *tunables) > > { > > tunables[ntunables++] = > > (struct tunable_toset_t) { cur, value, p - value }; > > + > > + /* Ignore tunables if enable_secure is set */ > > + if (tunable_is_name ("glibc.rtld.enable_secure", name)) > > + { > > + tunable_num_t val = (tunable_num_t) _dl_strtoul (value, NULL); > > + if (val == 1) > > + { > > + __libc_enable_secure = 1; > > + return 0; > > + } > > + } > > break; > > } > > } > > diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list > > index 1b40407814..1186272c81 100644 > > --- a/elf/dl-tunables.list > > +++ b/elf/dl-tunables.list > > @@ -136,6 +136,12 @@ glibc { > > minval: 0 > > default: 512 > > } > > + enable_secure { > > + type: INT_32 > > + minval: 0 > > + maxval: 1 > > + default: 0 > > + } > > } > > > > mem { > > diff --git a/elf/tst-rtld-list-tunables.exp b/elf/tst-rtld-list-tunables.exp > > index 2233ea9c7c..db0e1c86e9 100644 > > --- a/elf/tst-rtld-list-tunables.exp > > +++ b/elf/tst-rtld-list-tunables.exp > > @@ -12,5 +12,6 @@ glibc.malloc.tcache_unsorted_limit: 0x0 (min: 0x0, max: 0x[f]+) > > glibc.malloc.top_pad: 0x20000 (min: 0x0, max: 0x[f]+) > > glibc.malloc.trim_threshold: 0x0 (min: 0x0, max: 0x[f]+) > > glibc.rtld.dynamic_sort: 2 (min: 1, max: 2) > > +glibc.rtld.enable_secure: 0 (min: 0, max: 1) > > glibc.rtld.nns: 0x4 (min: 0x1, max: 0x10) > > glibc.rtld.optional_static_tls: 0x200 (min: 0x0, max: 0x[f]+) > > diff --git a/elf/tst-tunables-enable_secure.c b/elf/tst-tunables-enable_secure.c > > new file mode 100644 > > index 0000000000..790d14237e > > --- /dev/null > > +++ b/elf/tst-tunables-enable_secure.c > > @@ -0,0 +1,126 @@ > > +/* Check GLIBC_TUNABLES parsing for enable_secure. > > + Copyright (C) 2023 Free Software Foundation, Inc. > > 2024 > Thanks for catching that. Updated in v5. Thanks, Joe
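
Review bot: In the NEWS hunk, the new entry leaves out the two behaviours the commit message spells out: setting the tunable to 0 does not clear __libc_enable_secure, and all other tunables are ignored once it is set to 1. Someone reading only NEWS would expect the remaining GLIBC_TUNABLES entries to keep taking effect, so one added sentence covering both points would help.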
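
Review bot: In the elf/dl-tunables.c hunk, `_dl_strtoul (value, NULL)` is called with a NULL end pointer and its result is only compared with 1, so this early path does not look at what follows the digits and does not go through the minval/maxval bounds declared for enable_secure in elf/dl-tunables.list. Consider passing an end pointer and requiring it to equal `p` before setting __libc_enable_secure. Separately, the v2 changelog says the tunable is handled in __tunables_init, while the hunk header places this code in parse_tunables_string; the changelog or the placement should be brought in line.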
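
Review bot: The enable_secure entry added in the elf/dl-tunables.list hunk comes with no user documentation beyond NEWS: the diffstat lists only NEWS, the elf/ sources and the tests. Since the NEWS text calls this a testing tool and not a security feature, that caveat and the 0 to 1 range declared here should also be stated wherever the other tunables are documented for users.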