* [RFC 0/5] Add support for memory sealing
@ 2024-06-11 15:27 Adhemerval Zanella
2024-06-11 15:27 ` [RFC 1/5] linux: Remove __stack_prot Adhemerval Zanella
` (4 more replies)
0 siblings, 5 replies; 26+ messages in thread
From: Adhemerval Zanella @ 2024-06-11 15:27 UTC (permalink / raw)
To: libc-alpha; +Cc: Stephen Roettger, jeffxu, Carlos O'Donell, Florian Weimer
The Linux 6.10 (8be7258aad44b5e25977a98db136f677fa6f4370) added the
mseal syscall that allows blocking some memory operations on VMA range:
* Unmapping, moving to another location, extending or shrinking the
size, munmap, and mremap.
* Moving or expanding a different VMA into the current location, via
mremap.
* Modifying the memory range with mmap along with flag MAP_FIXED.
* Expanding the size with mremap.
* Change the protection flags with mprotect or pkey_mprotect.
* Destructive behaviors on anonymous memory, such as madvice with
MADV_DONTNEED.
Memory sealing might be useful as a hardening mechanism to avoid either
remapping the memory segments or changing the memory protection segments
layout by the dynamic loader (for instance the RELRO hardening).
A similar hardening is done by OpenBSD with the mimmutable syscall [1].
The first patch removes an unrequired knob for modules without
GNU_PT_STACK that prevents the RELRO memory sealing of libc.
The second patch adds the mseal support for Linux. Most of the programs
will not use it directly, however, some specific ones like Chrome do have
the plan to use it.
The third patch adds memory sealing in multiple places where the memory
is supposed to be immutable over program execution:
* All shared library dependencies from the binary, including the
read-only segments after PT_GNU_RELRO setup.
* The binary itself, including dynamic and static links. In both
It is up either to binary or the loader to set up the sealing.
* The vDSO vma provided by the kernel (if existent).
* Any preload libraries.
* Any library loaded with dlopen with RTLD_NODELETE flag.
For binary dependencies, the RTLD_NODELETE signals the link_map should be
sealed. It also makes dlopen objects with the flag sealed as well.
The sealing is also controlled by a new tunable, glibc.rtld.seal, with three
different states:
0. Disabled where no sealing is done.
1. Enabled, where the loader will issue the mseal syscall on the
memory mappings but any failure will be ignored. This is the default.
2. Enforce, similar to Enabled but any failure from the mseal
will terminate the process.
The fourth patch adds support for the libgcc_s.so loaded during process
execution. The fifth is for adding support audit modules.
This patchset does not delay RELRO activation until after their ELF
constructors have been executed, as suggested on the previous RFC for mseal
support. It is not strictly required, and it requires extensive changes on
_dl_start_user to either make _dl_init call RELRO/sealing setup after
ctor/initarray is done, or call it after _dl_init. There is also the
question of whether to apply RELRO/sealing per module after ctor/initarray
or in bulk after _dt_init. I am still investigate this.
One drawback of the Linux approach is I do not see an easy way to memory
seal the stack without kernel support. The stack is not fully mapped by
the kernel at program start, so even trying to add some hack on loader
initialization might not be sufficient.
I have tested on both x86_64-linux-gnu and aarch64-linux-gnu with Linux
6.10-rc2, along with some testing on a powerpc64le-linux-gnu VM. I also
enabled glibc.rtld.seal=2 to check for possible mseal failures.
[1] https://man.openbsd.org/mimmutable.2
[2] https://docs.google.com/document/d/1O2jwK4dxI3nRcOJuPYkonhTkNQfbmwdvxQMyXgeaRHo/edit#heading=h.bvaojj9fu6hc
Adhemerval Zanella (5):
linux: Remove __stack_prot
linux: Add mseal syscall support
elf: Add support to memory sealing
elf: Enable RTLD_NODELETE on __libc_unwind_link_get
elf: Add support to memory sealing for audit modules
NEWS | 4 +
elf/dl-load.c | 48 +--
elf/dl-mseal-mode.h | 29 ++
elf/dl-open.c | 4 +
elf/dl-reloc.c | 49 +++
elf/dl-support.c | 7 +
elf/dl-tunables.list | 6 +
elf/rtld.c | 14 +-
elf/setup-vdso.h | 3 +
elf/tst-rtld-list-tunables.exp | 1 +
include/dlfcn.h | 2 +
include/link.h | 6 +
manual/memory.texi | 66 ++++
manual/tunables.texi | 42 +++
misc/unwind-link.c | 5 +-
string/strerrorname_np.c | 1 +
sysdeps/generic/dl-mseal.h | 25 ++
sysdeps/generic/ldsodefs.h | 6 +
sysdeps/unix/sysv/linux/Makefile | 48 +++
sysdeps/unix/sysv/linux/Versions | 3 +
.../unix/sysv/linux/aarch64/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/aarch64/libc.abilist | 1 +
sysdeps/unix/sysv/linux/alpha/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/alpha/libc.abilist | 1 +
sysdeps/unix/sysv/linux/arc/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/arc/libc.abilist | 1 +
sysdeps/unix/sysv/linux/arm/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/arm/be/libc.abilist | 1 +
sysdeps/unix/sysv/linux/arm/le/libc.abilist | 1 +
sysdeps/unix/sysv/linux/bits/mman-shared.h | 8 +
sysdeps/unix/sysv/linux/csky/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/csky/libc.abilist | 1 +
sysdeps/unix/sysv/linux/dl-execstack.c | 25 +-
sysdeps/unix/sysv/linux/dl-mseal.c | 51 ++++
sysdeps/unix/sysv/linux/dl-mseal.h | 29 ++
sysdeps/unix/sysv/linux/hppa/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/hppa/libc.abilist | 1 +
sysdeps/unix/sysv/linux/i386/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/i386/libc.abilist | 1 +
sysdeps/unix/sysv/linux/kernel-features.h | 8 +
sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c | 19 ++
sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c | 19 ++
.../sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c | 19 ++
.../sysv/linux/lib-tst-dl_mseal-dlopen-1.c | 19 ++
.../sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c | 19 ++
.../sysv/linux/lib-tst-dl_mseal-dlopen-2.c | 19 ++
.../sysv/linux/lib-tst-dl_mseal-preload.c | 19 ++
.../unix/sysv/linux/loongarch/arch-syscall.h | 1 +
.../sysv/linux/loongarch/lp64/libc.abilist | 1 +
sysdeps/unix/sysv/linux/m68k/arch-syscall.h | 1 +
.../sysv/linux/m68k/coldfire/libc.abilist | 1 +
.../unix/sysv/linux/m68k/m680x0/libc.abilist | 1 +
.../unix/sysv/linux/microblaze/arch-syscall.h | 1 +
.../sysv/linux/microblaze/be/libc.abilist | 1 +
.../sysv/linux/microblaze/le/libc.abilist | 1 +
.../sysv/linux/mips/mips32/arch-syscall.h | 1 +
.../sysv/linux/mips/mips32/fpu/libc.abilist | 1 +
.../sysv/linux/mips/mips64/n32/arch-syscall.h | 1 +
.../sysv/linux/mips/mips64/n32/libc.abilist | 1 +
.../sysv/linux/mips/mips64/n64/arch-syscall.h | 1 +
.../sysv/linux/mips/mips64/n64/libc.abilist | 1 +
sysdeps/unix/sysv/linux/nios2/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/nios2/libc.abilist | 1 +
sysdeps/unix/sysv/linux/or1k/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/or1k/libc.abilist | 1 +
.../linux/powerpc/powerpc32/arch-syscall.h | 1 +
.../linux/powerpc/powerpc32/fpu/libc.abilist | 1 +
.../powerpc/powerpc32/nofpu/libc.abilist | 1 +
.../linux/powerpc/powerpc64/arch-syscall.h | 1 +
.../linux/powerpc/powerpc64/be/libc.abilist | 1 +
.../linux/powerpc/powerpc64/le/libc.abilist | 1 +
.../unix/sysv/linux/riscv/rv32/arch-syscall.h | 1 +
.../unix/sysv/linux/riscv/rv32/libc.abilist | 1 +
.../unix/sysv/linux/riscv/rv64/arch-syscall.h | 1 +
.../unix/sysv/linux/riscv/rv64/libc.abilist | 1 +
.../sysv/linux/s390/s390-32/arch-syscall.h | 1 +
.../unix/sysv/linux/s390/s390-32/libc.abilist | 1 +
.../sysv/linux/s390/s390-64/arch-syscall.h | 1 +
.../unix/sysv/linux/s390/s390-64/libc.abilist | 1 +
sysdeps/unix/sysv/linux/sh/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/sh/be/libc.abilist | 1 +
sysdeps/unix/sysv/linux/sh/le/libc.abilist | 1 +
.../sysv/linux/sparc/sparc32/arch-syscall.h | 1 +
.../sysv/linux/sparc/sparc32/libc.abilist | 1 +
.../sysv/linux/sparc/sparc64/arch-syscall.h | 1 +
.../sysv/linux/sparc/sparc64/libc.abilist | 1 +
sysdeps/unix/sysv/linux/syscall-names.list | 1 +
sysdeps/unix/sysv/linux/syscalls.list | 1 +
.../unix/sysv/linux/tst-dl_mseal-auditmod.c | 23 ++
sysdeps/unix/sysv/linux/tst-dl_mseal-static.c | 2 +
sysdeps/unix/sysv/linux/tst-dl_mseal.c | 283 ++++++++++++++++++
sysdeps/unix/sysv/linux/tst-mseal.c | 67 +++++
.../unix/sysv/linux/x86_64/64/arch-syscall.h | 1 +
.../unix/sysv/linux/x86_64/64/libc.abilist | 1 +
.../unix/sysv/linux/x86_64/x32/arch-syscall.h | 1 +
.../unix/sysv/linux/x86_64/x32/libc.abilist | 1 +
96 files changed, 993 insertions(+), 65 deletions(-)
create mode 100644 elf/dl-mseal-mode.h
create mode 100644 sysdeps/generic/dl-mseal.h
create mode 100644 sysdeps/unix/sysv/linux/dl-mseal.c
create mode 100644 sysdeps/unix/sysv/linux/dl-mseal.h
create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c
create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c
create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c
create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1.c
create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c
create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2.c
create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-preload.c
create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c
create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-static.c
create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal.c
create mode 100644 sysdeps/unix/sysv/linux/tst-mseal.c
--
2.43.0
^ permalink raw reply [flat|nested] 26+ messages in thread
* [RFC 1/5] linux: Remove __stack_prot
2024-06-11 15:27 [RFC 0/5] Add support for memory sealing Adhemerval Zanella
@ 2024-06-11 15:27 ` Adhemerval Zanella
2024-06-11 19:15 ` Florian Weimer
2024-06-11 15:27 ` [RFC 2/5] linux: Add mseal syscall support Adhemerval Zanella
` (3 subsequent siblings)
4 siblings, 1 reply; 26+ messages in thread
From: Adhemerval Zanella @ 2024-06-11 15:27 UTC (permalink / raw)
To: libc-alpha; +Cc: Stephen Roettger, jeffxu, Carlos O'Donell, Florian Weimer
The __stack_prot is used by Linux to make the stack executable if
a modules requires it. It is also marked as RELRO, which requires
to change the segment permission to RW to update it.
Also, there is no need to keep track of the flags: either the stack
will have the default permission of the ABI or should be change to
PROT_READ | PROT_WRITE | PROT_EXEC. The only additional flag,
PROT_GROWSDOWN or PROT_GROWSUP, is Linux only and can be deducted
from _STACK_GROWS_DOWN/_STACK_GROWS_UP.
Also, the check_consistency was alredy removed some time ago.
Checked on x86_64-linux-gnu and i686-linux-gnu.
---
elf/dl-load.c | 46 +-------------------------
sysdeps/unix/sysv/linux/dl-execstack.c | 25 ++++++--------
2 files changed, 11 insertions(+), 60 deletions(-)
diff --git a/elf/dl-load.c b/elf/dl-load.c
index a34cb3559c..8a89b71016 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -88,16 +88,6 @@ struct filebuf
#define STRING(x) __STRING (x)
-int __stack_prot attribute_hidden attribute_relro
-#if _STACK_GROWS_DOWN && defined PROT_GROWSDOWN
- = PROT_GROWSDOWN;
-#elif _STACK_GROWS_UP && defined PROT_GROWSUP
- = PROT_GROWSUP;
-#else
- = 0;
-#endif
-
-
/* This is the decomposed LD_LIBRARY_PATH search path. */
struct r_search_path_struct __rtld_env_path_list attribute_relro;
@@ -1308,41 +1298,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
if (__glibc_unlikely ((stack_flags &~ GL(dl_stack_flags)) & PF_X))
{
/* The stack is presently not executable, but this module
- requires that it be executable. We must change the
- protection of the variable which contains the flags used in
- the mprotect calls. */
-#ifdef SHARED
- if ((mode & (__RTLD_DLOPEN | __RTLD_AUDIT)) == __RTLD_DLOPEN)
- {
- const uintptr_t p = (uintptr_t) &__stack_prot & -GLRO(dl_pagesize);
- const size_t s = (uintptr_t) (&__stack_prot + 1) - p;
-
- struct link_map *const m = &GL(dl_rtld_map);
- const uintptr_t relro_end = ((m->l_addr + m->l_relro_addr
- + m->l_relro_size)
- & -GLRO(dl_pagesize));
- if (__glibc_likely (p + s <= relro_end))
- {
- /* The variable lies in the region protected by RELRO. */
- if (__mprotect ((void *) p, s, PROT_READ|PROT_WRITE) < 0)
- {
- errstring = N_("cannot change memory protections");
- goto lose_errno;
- }
- __stack_prot |= PROT_READ|PROT_WRITE|PROT_EXEC;
- __mprotect ((void *) p, s, PROT_READ);
- }
- else
- __stack_prot |= PROT_READ|PROT_WRITE|PROT_EXEC;
- }
- else
-#endif
- __stack_prot |= PROT_READ|PROT_WRITE|PROT_EXEC;
-
-#ifdef check_consistency
- check_consistency ();
-#endif
-
+ requires that it be executable. */
#if PTHREAD_IN_LIBC
errval = _dl_make_stacks_executable (stack_endp);
#else
diff --git a/sysdeps/unix/sysv/linux/dl-execstack.c b/sysdeps/unix/sysv/linux/dl-execstack.c
index 3d8f3938da..b986898598 100644
--- a/sysdeps/unix/sysv/linux/dl-execstack.c
+++ b/sysdeps/unix/sysv/linux/dl-execstack.c
@@ -27,35 +27,30 @@
#include <sysdep.h>
#include <unistd.h>
-extern int __stack_prot attribute_relro attribute_hidden;
-
static int
make_main_stack_executable (void **stack_endp)
{
/* This gives us the highest/lowest page that needs to be changed. */
uintptr_t page = ((uintptr_t) *stack_endp
& -(intptr_t) GLRO(dl_pagesize));
- int result = 0;
- if (__builtin_expect (__mprotect ((void *) page, GLRO(dl_pagesize),
- __stack_prot) == 0, 1))
- goto return_success;
- result = errno;
- goto out;
+ if (__mprotect ((void *) page, GLRO(dl_pagesize),
+ PROT_READ | PROT_WRITE | PROT_EXEC
+#if _STACK_GROWS_DOWN
+ | PROT_GROWSDOWN
+#elif _STACK_GROWS_UP
+ | PROT_GROWSUP
+#endif
+ ) != 0)
+ return errno;
- return_success:
/* Clear the address. */
*stack_endp = NULL;
/* Remember that we changed the permission. */
GL(dl_stack_flags) |= PF_X;
- out:
-#ifdef check_consistency
- check_consistency ();
-#endif
-
- return result;
+ return 0;
}
int
--
2.43.0
^ permalink raw reply [flat|nested] 26+ messages in thread
* [RFC 2/5] linux: Add mseal syscall support
2024-06-11 15:27 [RFC 0/5] Add support for memory sealing Adhemerval Zanella
2024-06-11 15:27 ` [RFC 1/5] linux: Remove __stack_prot Adhemerval Zanella
@ 2024-06-11 15:27 ` Adhemerval Zanella
2024-06-11 15:27 ` [RFC 3/5] elf: Add support to memory sealing Adhemerval Zanella
` (2 subsequent siblings)
4 siblings, 0 replies; 26+ messages in thread
From: Adhemerval Zanella @ 2024-06-11 15:27 UTC (permalink / raw)
To: libc-alpha; +Cc: Stephen Roettger, jeffxu, Carlos O'Donell, Florian Weimer
It as added on Linux 6.10 (8be7258aad44b5e25977a98db136f677fa6f4370)
as way to block operations as unmaping, moving to another location,
shrinking the size, expanding the size, or modifying to a pre-existent
memory mapping.
Although the systecall only work on 64 bit CPU, the entrypoint was
added for all ABIs (since kernel might eventually implement it to
additional ones and/or the abi can execute on a 64 bit kernel).
Checked on x86_64-linux-gnu.
---
NEWS | 4 ++
manual/memory.texi | 66 ++++++++++++++++++
sysdeps/unix/sysv/linux/Makefile | 1 +
sysdeps/unix/sysv/linux/Versions | 3 +
.../unix/sysv/linux/aarch64/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/aarch64/libc.abilist | 1 +
sysdeps/unix/sysv/linux/alpha/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/alpha/libc.abilist | 1 +
sysdeps/unix/sysv/linux/arc/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/arc/libc.abilist | 1 +
sysdeps/unix/sysv/linux/arm/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/arm/be/libc.abilist | 1 +
sysdeps/unix/sysv/linux/arm/le/libc.abilist | 1 +
sysdeps/unix/sysv/linux/bits/mman-shared.h | 8 +++
sysdeps/unix/sysv/linux/csky/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/csky/libc.abilist | 1 +
sysdeps/unix/sysv/linux/hppa/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/hppa/libc.abilist | 1 +
sysdeps/unix/sysv/linux/i386/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/i386/libc.abilist | 1 +
sysdeps/unix/sysv/linux/kernel-features.h | 8 +++
.../sysv/linux/lib-tst-dl_mseal-preload.c | 19 ++++++
.../unix/sysv/linux/loongarch/arch-syscall.h | 1 +
.../sysv/linux/loongarch/lp64/libc.abilist | 1 +
sysdeps/unix/sysv/linux/m68k/arch-syscall.h | 1 +
.../sysv/linux/m68k/coldfire/libc.abilist | 1 +
.../unix/sysv/linux/m68k/m680x0/libc.abilist | 1 +
.../unix/sysv/linux/microblaze/arch-syscall.h | 1 +
.../sysv/linux/microblaze/be/libc.abilist | 1 +
.../sysv/linux/microblaze/le/libc.abilist | 1 +
.../sysv/linux/mips/mips32/arch-syscall.h | 1 +
.../sysv/linux/mips/mips32/fpu/libc.abilist | 1 +
.../sysv/linux/mips/mips64/n32/arch-syscall.h | 1 +
.../sysv/linux/mips/mips64/n32/libc.abilist | 1 +
.../sysv/linux/mips/mips64/n64/arch-syscall.h | 1 +
.../sysv/linux/mips/mips64/n64/libc.abilist | 1 +
sysdeps/unix/sysv/linux/nios2/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/nios2/libc.abilist | 1 +
sysdeps/unix/sysv/linux/or1k/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/or1k/libc.abilist | 1 +
.../linux/powerpc/powerpc32/arch-syscall.h | 1 +
.../linux/powerpc/powerpc32/fpu/libc.abilist | 1 +
.../powerpc/powerpc32/nofpu/libc.abilist | 1 +
.../linux/powerpc/powerpc64/arch-syscall.h | 1 +
.../linux/powerpc/powerpc64/be/libc.abilist | 1 +
.../linux/powerpc/powerpc64/le/libc.abilist | 1 +
.../unix/sysv/linux/riscv/rv32/arch-syscall.h | 1 +
.../unix/sysv/linux/riscv/rv32/libc.abilist | 1 +
.../unix/sysv/linux/riscv/rv64/arch-syscall.h | 1 +
.../unix/sysv/linux/riscv/rv64/libc.abilist | 1 +
.../sysv/linux/s390/s390-32/arch-syscall.h | 1 +
.../unix/sysv/linux/s390/s390-32/libc.abilist | 1 +
.../sysv/linux/s390/s390-64/arch-syscall.h | 1 +
.../unix/sysv/linux/s390/s390-64/libc.abilist | 1 +
sysdeps/unix/sysv/linux/sh/arch-syscall.h | 1 +
sysdeps/unix/sysv/linux/sh/be/libc.abilist | 1 +
sysdeps/unix/sysv/linux/sh/le/libc.abilist | 1 +
.../sysv/linux/sparc/sparc32/arch-syscall.h | 1 +
.../sysv/linux/sparc/sparc32/libc.abilist | 1 +
.../sysv/linux/sparc/sparc64/arch-syscall.h | 1 +
.../sysv/linux/sparc/sparc64/libc.abilist | 1 +
sysdeps/unix/sysv/linux/syscall-names.list | 1 +
sysdeps/unix/sysv/linux/syscalls.list | 1 +
sysdeps/unix/sysv/linux/tst-mseal.c | 67 +++++++++++++++++++
.../unix/sysv/linux/x86_64/64/arch-syscall.h | 1 +
.../unix/sysv/linux/x86_64/64/libc.abilist | 1 +
.../unix/sysv/linux/x86_64/x32/arch-syscall.h | 1 +
.../unix/sysv/linux/x86_64/x32/libc.abilist | 1 +
68 files changed, 236 insertions(+)
create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-preload.c
create mode 100644 sysdeps/unix/sysv/linux/tst-mseal.c
diff --git a/NEWS b/NEWS
index 20e263f581..c78a3fd2f7 100644
--- a/NEWS
+++ b/NEWS
@@ -36,6 +36,10 @@ Major new features:
* On Linux, update epoll header to include epoll ioctl definitions and
related structure added in Linux kernel 6.9.
+* On Linux, the mseal function has been added. It allows to seal memory
+ mappings to avoid further change during process execution such as protection
+ permissions, unmapping, moving to another location, or shrinking the size.
+
Deprecated and removed features, and other changes affecting compatibility:
* Architectures which use a 32-bit seconds-since-epoch field in struct
diff --git a/manual/memory.texi b/manual/memory.texi
index 3710d7ec66..0c1b9fc7c2 100644
--- a/manual/memory.texi
+++ b/manual/memory.texi
@@ -3072,6 +3072,72 @@ process memory, no matter how it was allocated. However, portable use
of the function requires that it is only used with memory regions
returned by @code{mmap} or @code{mmap64}.
+@deftypefun int mseal (void *@var{address}, size_t @var{length}, unsigned long @var{flags})
+@standards{Linux, sys/mman.h}
+@safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
+
+A successful call to the @code {mseal} function seals the memory range of
+@var{length} bytes, starting at @var{address}. The sealed memory is
+protection against further modifictions such as:
+
+@itemize @bullet
+@item
+Unmapping, moving to another location, extending or shrinking the size,
+via @code{munmap} and @code{mremap}.
+
+@item
+Moving or expanding a different VMA into the current location, via
+@code{mremap}.
+
+@item
+Modifying the memory range with @code{mmap} along with flag @code{MAP_FIXED}.
+
+@item
+Expanding the size with @code{mremap}.
+
+@item
+Change the protection flags with @code{mprotect} or @code{pkey_mprotect}.
+
+@item
+Destructive behaviors on anonymous memory, such as @code{madvice} with
+@code{MADV_DONTNEED}.
+@end itemize
+
+The @var{address} must be an allocated virtual memory done by @code{mmap}
+or @code{mremap}, and it must be page aligned. The end address (@var{address}
+plus @var{length}) must be within an allocated virtual memory range. There
+should be no unallocated memory between the start and end of address range.
+
+The @var{flags} is currently ununsed.
+
+The @code{mseal} function returns @math{0} on sucess and @math{-1} on
+failure.
+
+The following @code{errno} error conditions are defined for this
+function:
+
+@table @code
+@item EPERM
+The system blocked the operation, and the given address is unmodified
+without partion update. This error is also returned when @code{mseal}
+is issued on a 32 bit CPUs (the sealing is currently supported only on
+64-bit CPUs, although 32 bit binaries running on 64 bit kernel is
+supported).
+
+@item ENOMEM
+Either the @var{address} is not allocated, or the end address is not
+allocation, or there is an unallocated memory between start and end address.
+
+@item ENOSYS
+The kernel does not support the @code{mseal} syscall.
+
+@strong{NB:} The memory sealing changes the lifetime of a mapping, where the
+sealing memory could not be unmapped until the process terminates or starts
+another one through @code{execve} function.
+
+@end table
+@end deftypefun
+
@subsection Memory Protection Keys
@cindex memory protection key
diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
index ae66590e91..82d523e588 100644
--- a/sysdeps/unix/sysv/linux/Makefile
+++ b/sysdeps/unix/sysv/linux/Makefile
@@ -210,6 +210,7 @@ tests += \
tst-misalign-clone \
tst-mlock2 \
tst-mount \
+ tst-mseal \
tst-ntp_adjtime \
tst-ntp_gettime \
tst-ntp_gettimex \
diff --git a/sysdeps/unix/sysv/linux/Versions b/sysdeps/unix/sysv/linux/Versions
index 268ba1b6ac..630ef354ef 100644
--- a/sysdeps/unix/sysv/linux/Versions
+++ b/sysdeps/unix/sysv/linux/Versions
@@ -328,6 +328,9 @@ libc {
posix_spawnattr_getcgroup_np;
posix_spawnattr_setcgroup_np;
}
+ GLIBC_2.40 {
+ mseal;
+ }
GLIBC_PRIVATE {
# functions used in other libraries
__syscall_rt_sigqueueinfo;
diff --git a/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h b/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h
index 7ee8a2167a..19b6316cb6 100644
--- a/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h
@@ -158,6 +158,7 @@
#define __NR_mq_timedsend 182
#define __NR_mq_unlink 181
#define __NR_mremap 216
+#define __NR_mseal 462
#define __NR_msgctl 187
#define __NR_msgget 186
#define __NR_msgrcv 188
diff --git a/sysdeps/unix/sysv/linux/aarch64/libc.abilist b/sysdeps/unix/sysv/linux/aarch64/libc.abilist
index 68eeca1c08..f6cfbc14cd 100644
--- a/sysdeps/unix/sysv/linux/aarch64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/aarch64/libc.abilist
@@ -2748,3 +2748,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F
GLIBC_2.39 stdc_trailing_zeros_ul F
GLIBC_2.39 stdc_trailing_zeros_ull F
GLIBC_2.39 stdc_trailing_zeros_us F
+GLIBC_2.40 mseal F
diff --git a/sysdeps/unix/sysv/linux/alpha/arch-syscall.h b/sysdeps/unix/sysv/linux/alpha/arch-syscall.h
index 0f4ea7670b..2e7307f415 100644
--- a/sysdeps/unix/sysv/linux/alpha/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/alpha/arch-syscall.h
@@ -190,6 +190,7 @@
#define __NR_mq_unlink 433
#define __NR_mremap 341
#define __NR_msgctl 200
+#define __NR_mseal 572
#define __NR_msgget 201
#define __NR_msgrcv 202
#define __NR_msgsnd 203
diff --git a/sysdeps/unix/sysv/linux/alpha/libc.abilist b/sysdeps/unix/sysv/linux/alpha/libc.abilist
index 34c187b721..bc0bd9495f 100644
--- a/sysdeps/unix/sysv/linux/alpha/libc.abilist
+++ b/sysdeps/unix/sysv/linux/alpha/libc.abilist
@@ -3095,6 +3095,7 @@ GLIBC_2.4 wcstold F
GLIBC_2.4 wcstold_l F
GLIBC_2.4 wprintf F
GLIBC_2.4 wscanf F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/arc/arch-syscall.h b/sysdeps/unix/sysv/linux/arc/arch-syscall.h
index 90359482a8..ea581b0a6d 100644
--- a/sysdeps/unix/sysv/linux/arc/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/arc/arch-syscall.h
@@ -161,6 +161,7 @@
#define __NR_mq_timedsend_time64 418
#define __NR_mq_unlink 181
#define __NR_mremap 216
+#define __NR_mseal 462
#define __NR_msgctl 187
#define __NR_msgget 186
#define __NR_msgrcv 188
diff --git a/sysdeps/unix/sysv/linux/arc/libc.abilist b/sysdeps/unix/sysv/linux/arc/libc.abilist
index 916c18ea94..2816895ad5 100644
--- a/sysdeps/unix/sysv/linux/arc/libc.abilist
+++ b/sysdeps/unix/sysv/linux/arc/libc.abilist
@@ -2509,3 +2509,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F
GLIBC_2.39 stdc_trailing_zeros_ul F
GLIBC_2.39 stdc_trailing_zeros_ull F
GLIBC_2.39 stdc_trailing_zeros_us F
+GLIBC_2.40 mseal F
diff --git a/sysdeps/unix/sysv/linux/arm/arch-syscall.h b/sysdeps/unix/sysv/linux/arm/arch-syscall.h
index 4930167a03..2809f52f94 100644
--- a/sysdeps/unix/sysv/linux/arm/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/arm/arch-syscall.h
@@ -205,6 +205,7 @@
#define __NR_mq_timedsend_time64 418
#define __NR_mq_unlink 275
#define __NR_mremap 163
+#define __NR_mseal 462
#define __NR_msgctl 304
#define __NR_msgget 303
#define __NR_msgrcv 302
diff --git a/sysdeps/unix/sysv/linux/arm/be/libc.abilist b/sysdeps/unix/sysv/linux/arm/be/libc.abilist
index ea95de282a..24e3274c0d 100644
--- a/sysdeps/unix/sysv/linux/arm/be/libc.abilist
+++ b/sysdeps/unix/sysv/linux/arm/be/libc.abilist
@@ -2801,6 +2801,7 @@ GLIBC_2.4 xdrstdio_create F
GLIBC_2.4 xencrypt F
GLIBC_2.4 xprt_register F
GLIBC_2.4 xprt_unregister F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/arm/le/libc.abilist b/sysdeps/unix/sysv/linux/arm/le/libc.abilist
index 1cdbc983e1..350245f608 100644
--- a/sysdeps/unix/sysv/linux/arm/le/libc.abilist
+++ b/sysdeps/unix/sysv/linux/arm/le/libc.abilist
@@ -2798,6 +2798,7 @@ GLIBC_2.4 xdrstdio_create F
GLIBC_2.4 xencrypt F
GLIBC_2.4 xprt_register F
GLIBC_2.4 xprt_unregister F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/bits/mman-shared.h b/sysdeps/unix/sysv/linux/bits/mman-shared.h
index d8ed4436b6..2681218cf9 100644
--- a/sysdeps/unix/sysv/linux/bits/mman-shared.h
+++ b/sysdeps/unix/sysv/linux/bits/mman-shared.h
@@ -80,6 +80,14 @@ int pkey_free (int __key) __THROW;
range. */
int pkey_mprotect (void *__addr, size_t __len, int __prot, int __pkey) __THROW;
+/* Seal the address range to avoid further modifications, such as remmap to
+ shrink or expand the VMA, change protection permission with mprotect,
+ unmap with munmap, destructive semantic such madvise with MADV_DONTNEED.
+ The address range must be valid VMA, withouth any gap (unallocated memory)
+ between start and end, and ADDR much be page aligned (LEN will be page
+ aligned implicitly). */
+int mseal (void *__addr, size_t __len, unsigned long flags) __THROW;
+
__END_DECLS
#endif /* __USE_GNU */
diff --git a/sysdeps/unix/sysv/linux/csky/arch-syscall.h b/sysdeps/unix/sysv/linux/csky/arch-syscall.h
index 3f16a29f57..a3cf859ca1 100644
--- a/sysdeps/unix/sysv/linux/csky/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/csky/arch-syscall.h
@@ -168,6 +168,7 @@
#define __NR_mq_timedsend_time64 418
#define __NR_mq_unlink 181
#define __NR_mremap 216
+#define __NR_mseal 462
#define __NR_msgctl 187
#define __NR_msgget 186
#define __NR_msgrcv 188
diff --git a/sysdeps/unix/sysv/linux/csky/libc.abilist b/sysdeps/unix/sysv/linux/csky/libc.abilist
index 96d45961e2..a6dd304b20 100644
--- a/sysdeps/unix/sysv/linux/csky/libc.abilist
+++ b/sysdeps/unix/sysv/linux/csky/libc.abilist
@@ -2785,3 +2785,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F
GLIBC_2.39 stdc_trailing_zeros_ul F
GLIBC_2.39 stdc_trailing_zeros_ull F
GLIBC_2.39 stdc_trailing_zeros_us F
+GLIBC_2.40 mseal F
diff --git a/sysdeps/unix/sysv/linux/hppa/arch-syscall.h b/sysdeps/unix/sysv/linux/hppa/arch-syscall.h
index a1b2c819d6..08b153f2cc 100644
--- a/sysdeps/unix/sysv/linux/hppa/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/hppa/arch-syscall.h
@@ -197,6 +197,7 @@
#define __NR_mq_timedsend_time64 418
#define __NR_mq_unlink 230
#define __NR_mremap 163
+#define __NR_mseal 462
#define __NR_msgctl 191
#define __NR_msgget 190
#define __NR_msgrcv 189
diff --git a/sysdeps/unix/sysv/linux/hppa/libc.abilist b/sysdeps/unix/sysv/linux/hppa/libc.abilist
index fbcd60c2b3..f7b08ae0b0 100644
--- a/sysdeps/unix/sysv/linux/hppa/libc.abilist
+++ b/sysdeps/unix/sysv/linux/hppa/libc.abilist
@@ -2821,6 +2821,7 @@ GLIBC_2.4 sys_errlist D 0x400
GLIBC_2.4 sys_nerr D 0x4
GLIBC_2.4 unlinkat F
GLIBC_2.4 unshare F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/i386/arch-syscall.h b/sysdeps/unix/sysv/linux/i386/arch-syscall.h
index cc775432d6..500ca1ec70 100644
--- a/sysdeps/unix/sysv/linux/i386/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/i386/arch-syscall.h
@@ -222,6 +222,7 @@
#define __NR_mq_timedsend_time64 418
#define __NR_mq_unlink 278
#define __NR_mremap 163
+#define __NR_mseal 462
#define __NR_msgctl 402
#define __NR_msgget 399
#define __NR_msgrcv 401
diff --git a/sysdeps/unix/sysv/linux/i386/libc.abilist b/sysdeps/unix/sysv/linux/i386/libc.abilist
index c989b433c0..167c737a71 100644
--- a/sysdeps/unix/sysv/linux/i386/libc.abilist
+++ b/sysdeps/unix/sysv/linux/i386/libc.abilist
@@ -3005,6 +3005,7 @@ GLIBC_2.4 sys_errlist D 0x210
GLIBC_2.4 sys_nerr D 0x4
GLIBC_2.4 unlinkat F
GLIBC_2.4 unshare F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/kernel-features.h b/sysdeps/unix/sysv/linux/kernel-features.h
index a25cf07e9f..b9038d18bf 100644
--- a/sysdeps/unix/sysv/linux/kernel-features.h
+++ b/sysdeps/unix/sysv/linux/kernel-features.h
@@ -257,4 +257,12 @@
# define __ASSUME_FCHMODAT2 0
#endif
+/* The mseal system call was introduced across all architectures in Linux 6.10
+ (although only supported on 64-bit CPUs). */
+#if __LINUX_KERNEL_VERSION >= 0x060A00
+# define __ASSUME_MSEAL 1
+#else
+# define __ASSUME_MSEAL 0
+#endif
+
#endif /* kernel-features.h */
diff --git a/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-preload.c b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-preload.c
new file mode 100644
index 0000000000..7831608dd4
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-preload.c
@@ -0,0 +1,19 @@
+/* Additional module for tst-dl_mseal test.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+int foo (void) { return 42; }
diff --git a/sysdeps/unix/sysv/linux/loongarch/arch-syscall.h b/sysdeps/unix/sysv/linux/loongarch/arch-syscall.h
index 56bb08718a..8bb82448a7 100644
--- a/sysdeps/unix/sysv/linux/loongarch/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/loongarch/arch-syscall.h
@@ -155,6 +155,7 @@
#define __NR_mq_timedsend 182
#define __NR_mq_unlink 181
#define __NR_mremap 216
+#define __NR_mseal 462
#define __NR_msgctl 187
#define __NR_msgget 186
#define __NR_msgrcv 188
diff --git a/sysdeps/unix/sysv/linux/loongarch/lp64/libc.abilist b/sysdeps/unix/sysv/linux/loongarch/lp64/libc.abilist
index 0023ec1fa1..ab318c048d 100644
--- a/sysdeps/unix/sysv/linux/loongarch/lp64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/loongarch/lp64/libc.abilist
@@ -2269,3 +2269,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F
GLIBC_2.39 stdc_trailing_zeros_ul F
GLIBC_2.39 stdc_trailing_zeros_ull F
GLIBC_2.39 stdc_trailing_zeros_us F
+GLIBC_2.40 mseal F
diff --git a/sysdeps/unix/sysv/linux/m68k/arch-syscall.h b/sysdeps/unix/sysv/linux/m68k/arch-syscall.h
index 79f277dd5b..4ab34f6228 100644
--- a/sysdeps/unix/sysv/linux/m68k/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/m68k/arch-syscall.h
@@ -213,6 +213,7 @@
#define __NR_mq_timedsend_time64 418
#define __NR_mq_unlink 272
#define __NR_mremap 163
+#define __NR_mseal 462
#define __NR_msgctl 402
#define __NR_msgget 399
#define __NR_msgrcv 401
diff --git a/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist b/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist
index d9bd6a9b56..e33bfb73c8 100644
--- a/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist
+++ b/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist
@@ -2781,6 +2781,7 @@ GLIBC_2.4 xdrstdio_create F
GLIBC_2.4 xencrypt F
GLIBC_2.4 xprt_register F
GLIBC_2.4 xprt_unregister F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist b/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist
index 439796d693..8d090c3ff8 100644
--- a/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist
+++ b/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist
@@ -2948,6 +2948,7 @@ GLIBC_2.4 sys_errlist D 0x210
GLIBC_2.4 sys_nerr D 0x4
GLIBC_2.4 unlinkat F
GLIBC_2.4 unshare F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h b/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h
index 779d5d5d70..79e225e50c 100644
--- a/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h
@@ -221,6 +221,7 @@
#define __NR_mq_timedsend_time64 418
#define __NR_mq_unlink 278
#define __NR_mremap 163
+#define __NR_mseal 462
#define __NR_msgctl 331
#define __NR_msgget 332
#define __NR_msgrcv 333
diff --git a/sysdeps/unix/sysv/linux/microblaze/be/libc.abilist b/sysdeps/unix/sysv/linux/microblaze/be/libc.abilist
index 1069d3252c..6545169f82 100644
--- a/sysdeps/unix/sysv/linux/microblaze/be/libc.abilist
+++ b/sysdeps/unix/sysv/linux/microblaze/be/libc.abilist
@@ -2834,3 +2834,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F
GLIBC_2.39 stdc_trailing_zeros_ul F
GLIBC_2.39 stdc_trailing_zeros_ull F
GLIBC_2.39 stdc_trailing_zeros_us F
+GLIBC_2.40 mseal F
diff --git a/sysdeps/unix/sysv/linux/microblaze/le/libc.abilist b/sysdeps/unix/sysv/linux/microblaze/le/libc.abilist
index 17abe08c8b..6f374884ab 100644
--- a/sysdeps/unix/sysv/linux/microblaze/le/libc.abilist
+++ b/sysdeps/unix/sysv/linux/microblaze/le/libc.abilist
@@ -2831,3 +2831,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F
GLIBC_2.39 stdc_trailing_zeros_ul F
GLIBC_2.39 stdc_trailing_zeros_ull F
GLIBC_2.39 stdc_trailing_zeros_us F
+GLIBC_2.40 mseal F
diff --git a/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h b/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
index 86ffd5ce84..dadd7f3130 100644
--- a/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
@@ -211,6 +211,7 @@
#define __NR_mq_timedsend_time64 4418
#define __NR_mq_unlink 4272
#define __NR_mremap 4167
+#define __NR_mseal 4462
#define __NR_msgctl 4402
#define __NR_msgget 4399
#define __NR_msgrcv 4401
diff --git a/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist b/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist
index 799e508950..259a51bc7d 100644
--- a/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist
+++ b/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist
@@ -2909,6 +2909,7 @@ GLIBC_2.4 renameat F
GLIBC_2.4 symlinkat F
GLIBC_2.4 unlinkat F
GLIBC_2.4 unshare F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h b/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
index 5d37a686e5..db6b2d4609 100644
--- a/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
@@ -194,6 +194,7 @@
#define __NR_mq_timedsend_time64 6418
#define __NR_mq_unlink 6235
#define __NR_mremap 6024
+#define __NR_mseal 6462
#define __NR_msgctl 6069
#define __NR_msgget 6066
#define __NR_msgrcv 6068
diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist b/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist
index 03d9655f26..499b5c041c 100644
--- a/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist
+++ b/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist
@@ -2915,6 +2915,7 @@ GLIBC_2.4 renameat F
GLIBC_2.4 symlinkat F
GLIBC_2.4 unlinkat F
GLIBC_2.4 unshare F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h b/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
index 9b1e846e76..b4129a4dbd 100644
--- a/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
@@ -183,6 +183,7 @@
#define __NR_mq_timedsend 5232
#define __NR_mq_unlink 5231
#define __NR_mremap 5024
+#define __NR_mseal 5462
#define __NR_msgctl 5069
#define __NR_msgget 5066
#define __NR_msgrcv 5068
diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist b/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist
index 05e402ed30..37cf43b991 100644
--- a/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist
@@ -2817,6 +2817,7 @@ GLIBC_2.4 renameat F
GLIBC_2.4 symlinkat F
GLIBC_2.4 unlinkat F
GLIBC_2.4 unshare F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/nios2/arch-syscall.h b/sysdeps/unix/sysv/linux/nios2/arch-syscall.h
index abbc9ab6b0..f94e212995 100644
--- a/sysdeps/unix/sysv/linux/nios2/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/nios2/arch-syscall.h
@@ -167,6 +167,7 @@
#define __NR_mq_timedsend_time64 418
#define __NR_mq_unlink 181
#define __NR_mremap 216
+#define __NR_mseal 462
#define __NR_msgctl 187
#define __NR_msgget 186
#define __NR_msgrcv 188
diff --git a/sysdeps/unix/sysv/linux/nios2/libc.abilist b/sysdeps/unix/sysv/linux/nios2/libc.abilist
index 3aa81766aa..3bf42b6380 100644
--- a/sysdeps/unix/sysv/linux/nios2/libc.abilist
+++ b/sysdeps/unix/sysv/linux/nios2/libc.abilist
@@ -2873,3 +2873,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F
GLIBC_2.39 stdc_trailing_zeros_ul F
GLIBC_2.39 stdc_trailing_zeros_ull F
GLIBC_2.39 stdc_trailing_zeros_us F
+GLIBC_2.40 mseal F
diff --git a/sysdeps/unix/sysv/linux/or1k/arch-syscall.h b/sysdeps/unix/sysv/linux/or1k/arch-syscall.h
index 7223a93673..2d21fa2085 100644
--- a/sysdeps/unix/sysv/linux/or1k/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/or1k/arch-syscall.h
@@ -167,6 +167,7 @@
#define __NR_mq_timedsend_time64 418
#define __NR_mq_unlink 181
#define __NR_mremap 216
+#define __NR_mseal 462
#define __NR_msgctl 187
#define __NR_msgget 186
#define __NR_msgrcv 188
diff --git a/sysdeps/unix/sysv/linux/or1k/libc.abilist b/sysdeps/unix/sysv/linux/or1k/libc.abilist
index 959e59e7e7..7c99f24f13 100644
--- a/sysdeps/unix/sysv/linux/or1k/libc.abilist
+++ b/sysdeps/unix/sysv/linux/or1k/libc.abilist
@@ -2257,5 +2257,6 @@ GLIBC_2.39 stdc_trailing_zeros_ull F
GLIBC_2.39 stdc_trailing_zeros_us F
GLIBC_2.40 getcontext F
GLIBC_2.40 makecontext F
+GLIBC_2.40 mseal F
GLIBC_2.40 setcontext F
GLIBC_2.40 swapcontext F
diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h b/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h
index af0d2b121e..206d9fd656 100644
--- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h
@@ -211,6 +211,7 @@
#define __NR_mq_timedsend_time64 418
#define __NR_mq_unlink 263
#define __NR_mremap 163
+#define __NR_mseal 462
#define __NR_msgctl 402
#define __NR_msgget 399
#define __NR_msgrcv 401
diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist
index 9714305608..0661b5f037 100644
--- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist
+++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist
@@ -3138,6 +3138,7 @@ GLIBC_2.4 wcstold F
GLIBC_2.4 wcstold_l F
GLIBC_2.4 wprintf F
GLIBC_2.4 wscanf F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist
index 0beb52c542..f1ad793e64 100644
--- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist
+++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist
@@ -3183,6 +3183,7 @@ GLIBC_2.4 wcstold F
GLIBC_2.4 wcstold_l F
GLIBC_2.4 wprintf F
GLIBC_2.4 wscanf F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h b/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h
index a4c70aa7fe..19f72a7f69 100644
--- a/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h
@@ -195,6 +195,7 @@
#define __NR_mq_timedsend 264
#define __NR_mq_unlink 263
#define __NR_mremap 163
+#define __NR_mseal 462
#define __NR_msgctl 402
#define __NR_msgget 399
#define __NR_msgrcv 401
diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc64/be/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc64/be/libc.abilist
index cfc2ebd3ec..3435f0dde7 100644
--- a/sysdeps/unix/sysv/linux/powerpc/powerpc64/be/libc.abilist
+++ b/sysdeps/unix/sysv/linux/powerpc/powerpc64/be/libc.abilist
@@ -2892,6 +2892,7 @@ GLIBC_2.4 wcstold F
GLIBC_2.4 wcstold_l F
GLIBC_2.4 wprintf F
GLIBC_2.4 wscanf F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc64/le/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc64/le/libc.abilist
index 8c9efc5a16..775e5ef8d4 100644
--- a/sysdeps/unix/sysv/linux/powerpc/powerpc64/le/libc.abilist
+++ b/sysdeps/unix/sysv/linux/powerpc/powerpc64/le/libc.abilist
@@ -2968,3 +2968,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F
GLIBC_2.39 stdc_trailing_zeros_ul F
GLIBC_2.39 stdc_trailing_zeros_ull F
GLIBC_2.39 stdc_trailing_zeros_us F
+GLIBC_2.40 mseal F
diff --git a/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h b/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h
index 7315d164d6..eb9e57b028 100644
--- a/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h
@@ -153,6 +153,7 @@
#define __NR_mq_timedsend_time64 418
#define __NR_mq_unlink 181
#define __NR_mremap 216
+#define __NR_mseal 462
#define __NR_msgctl 187
#define __NR_msgget 186
#define __NR_msgrcv 188
diff --git a/sysdeps/unix/sysv/linux/riscv/rv32/libc.abilist b/sysdeps/unix/sysv/linux/riscv/rv32/libc.abilist
index 6397a9cb91..4ac41308f4 100644
--- a/sysdeps/unix/sysv/linux/riscv/rv32/libc.abilist
+++ b/sysdeps/unix/sysv/linux/riscv/rv32/libc.abilist
@@ -2512,3 +2512,4 @@ GLIBC_2.39 stdc_trailing_zeros_ul F
GLIBC_2.39 stdc_trailing_zeros_ull F
GLIBC_2.39 stdc_trailing_zeros_us F
GLIBC_2.40 __riscv_hwprobe F
+GLIBC_2.40 mseal F
diff --git a/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h b/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h
index 31a1130db9..1eac18e582 100644
--- a/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h
@@ -158,6 +158,7 @@
#define __NR_mq_timedsend 182
#define __NR_mq_unlink 181
#define __NR_mremap 216
+#define __NR_mseal 462
#define __NR_msgctl 187
#define __NR_msgget 186
#define __NR_msgrcv 188
diff --git a/sysdeps/unix/sysv/linux/riscv/rv64/libc.abilist b/sysdeps/unix/sysv/linux/riscv/rv64/libc.abilist
index 71bbf94f66..2d49fd07b9 100644
--- a/sysdeps/unix/sysv/linux/riscv/rv64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/riscv/rv64/libc.abilist
@@ -2712,3 +2712,4 @@ GLIBC_2.39 stdc_trailing_zeros_ul F
GLIBC_2.39 stdc_trailing_zeros_ull F
GLIBC_2.39 stdc_trailing_zeros_us F
GLIBC_2.40 __riscv_hwprobe F
+GLIBC_2.40 mseal F
diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h b/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h
index cf8569304d..464eca58b2 100644
--- a/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h
@@ -214,6 +214,7 @@
#define __NR_mq_timedsend_time64 418
#define __NR_mq_unlink 272
#define __NR_mremap 163
+#define __NR_mseal 462
#define __NR_msgctl 402
#define __NR_msgget 399
#define __NR_msgrcv 401
diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist b/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist
index a7467e2850..552860dd1e 100644
--- a/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist
+++ b/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist
@@ -3136,6 +3136,7 @@ GLIBC_2.4 wcstold F
GLIBC_2.4 wcstold_l F
GLIBC_2.4 wprintf F
GLIBC_2.4 wscanf F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h b/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h
index f3536ed03f..57842702fd 100644
--- a/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h
@@ -185,6 +185,7 @@
#define __NR_mq_timedsend 273
#define __NR_mq_unlink 272
#define __NR_mremap 163
+#define __NR_mseal 462
#define __NR_msgctl 402
#define __NR_msgget 399
#define __NR_msgrcv 401
diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist b/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist
index fd1cb2972d..5e50b0d878 100644
--- a/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist
@@ -2929,6 +2929,7 @@ GLIBC_2.4 wcstold F
GLIBC_2.4 wcstold_l F
GLIBC_2.4 wprintf F
GLIBC_2.4 wscanf F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/sh/arch-syscall.h b/sysdeps/unix/sysv/linux/sh/arch-syscall.h
index 0c88bf10c7..226fbbe61d 100644
--- a/sysdeps/unix/sysv/linux/sh/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/sh/arch-syscall.h
@@ -206,6 +206,7 @@
#define __NR_mq_timedsend_time64 418
#define __NR_mq_unlink 278
#define __NR_mremap 163
+#define __NR_mseal 462
#define __NR_msgctl 402
#define __NR_msgget 399
#define __NR_msgrcv 401
diff --git a/sysdeps/unix/sysv/linux/sh/be/libc.abilist b/sysdeps/unix/sysv/linux/sh/be/libc.abilist
index ff6e6b1a13..090358767b 100644
--- a/sysdeps/unix/sysv/linux/sh/be/libc.abilist
+++ b/sysdeps/unix/sysv/linux/sh/be/libc.abilist
@@ -2828,6 +2828,7 @@ GLIBC_2.4 sys_errlist D 0x210
GLIBC_2.4 sys_nerr D 0x4
GLIBC_2.4 unlinkat F
GLIBC_2.4 unshare F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/sh/le/libc.abilist b/sysdeps/unix/sysv/linux/sh/le/libc.abilist
index 449d92bbc5..ea9117cc82 100644
--- a/sysdeps/unix/sysv/linux/sh/le/libc.abilist
+++ b/sysdeps/unix/sysv/linux/sh/le/libc.abilist
@@ -2825,6 +2825,7 @@ GLIBC_2.4 sys_errlist D 0x210
GLIBC_2.4 sys_nerr D 0x4
GLIBC_2.4 unlinkat F
GLIBC_2.4 unshare F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h b/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h
index 19fa614624..3bad6f102f 100644
--- a/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h
@@ -211,6 +211,7 @@
#define __NR_mq_timedsend_time64 418
#define __NR_mq_unlink 274
#define __NR_mremap 250
+#define __NR_mseal 462
#define __NR_msgctl 402
#define __NR_msgget 399
#define __NR_msgrcv 401
diff --git a/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist b/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist
index e615be759a..ddd9a9f435 100644
--- a/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist
+++ b/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist
@@ -3157,6 +3157,7 @@ GLIBC_2.4 wcstold F
GLIBC_2.4 wcstold_l F
GLIBC_2.4 wprintf F
GLIBC_2.4 wscanf F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h b/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h
index 18516f20cb..98e1437920 100644
--- a/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h
@@ -192,6 +192,7 @@
#define __NR_mq_timedsend 275
#define __NR_mq_unlink 274
#define __NR_mremap 250
+#define __NR_mseal 462
#define __NR_msgctl 402
#define __NR_msgget 399
#define __NR_msgrcv 401
diff --git a/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist b/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist
index bd36431dd7..a687003e75 100644
--- a/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist
@@ -2793,6 +2793,7 @@ GLIBC_2.4 sys_errlist D 0x430
GLIBC_2.4 sys_nerr D 0x4
GLIBC_2.4 unlinkat F
GLIBC_2.4 unshare F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list
index 672d39eaad..7f2e132e80 100644
--- a/sysdeps/unix/sysv/linux/syscall-names.list
+++ b/sysdeps/unix/sysv/linux/syscall-names.list
@@ -287,6 +287,7 @@ mq_timedsend
mq_timedsend_time64
mq_unlink
mremap
+mseal
msgctl
msgget
msgrcv
diff --git a/sysdeps/unix/sysv/linux/syscalls.list b/sysdeps/unix/sysv/linux/syscalls.list
index 9ac42c3436..00ebceb574 100644
--- a/sysdeps/unix/sysv/linux/syscalls.list
+++ b/sysdeps/unix/sysv/linux/syscalls.list
@@ -39,6 +39,7 @@ mlockall - mlockall i:i mlockall
mount EXTRA mount i:sssUp __mount mount
mount_setattr EXTRA mount_setattr i:isUpU mount_setattr
move_mount EXTRA move_mount i:isisU move_mount
+mseal EXTRA mseal i:bUU __mseal mseal
munlock - munlock i:aU munlock
munlockall - munlockall i: munlockall
nfsservctl EXTRA nfsservctl i:ipp __compat_nfsservctl nfsservctl@GLIBC_2.0:GLIBC_2.28
diff --git a/sysdeps/unix/sysv/linux/tst-mseal.c b/sysdeps/unix/sysv/linux/tst-mseal.c
new file mode 100644
index 0000000000..dfed57411e
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/tst-mseal.c
@@ -0,0 +1,67 @@
+/* Basic tests for mseal.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <errno.h>
+#include <sys/mman.h>
+#include <support/check.h>
+#include <support/xunistd.h>
+
+static int
+do_test (void)
+{
+ TEST_VERIFY_EXIT (mseal (MAP_FAILED, 0, 0) == -1);
+ if (errno == ENOSYS)
+ FAIL_UNSUPPORTED ("kernel does not support mseal");
+ TEST_COMPARE (errno, EINVAL);
+
+ size_t pagesize = getpagesize ();
+ void *p = xmmap (NULL, 4 * pagesize, PROT_READ,
+ MAP_ANONYMOUS | MAP_PRIVATE, -1);
+ xmunmap (p + 2 * pagesize, pagesize);
+
+ /* Unaligned address. */
+ TEST_VERIFY_EXIT (mseal (p + 1, pagesize, 0) == -1);
+ TEST_COMPARE (errno, EINVAL);
+
+ /* Length too big. */
+ TEST_VERIFY_EXIT (mseal (p, 3 * pagesize, 0) == -1);
+ TEST_COMPARE (errno, ENOMEM);
+
+ TEST_VERIFY_EXIT (mseal (p, pagesize, 0) == 0);
+ /* Apply the same seal should be idempotent. */
+ TEST_VERIFY_EXIT (mseal (p, pagesize, 0) == 0);
+
+ TEST_VERIFY_EXIT (mprotect (p, pagesize, PROT_WRITE) == -1);
+ TEST_COMPARE (errno, EPERM);
+
+ TEST_VERIFY_EXIT (munmap (p, pagesize) == -1);
+ TEST_COMPARE (errno, EPERM);
+
+ TEST_VERIFY_EXIT (mremap (p, pagesize, 2 * pagesize, 0) == MAP_FAILED);
+ TEST_COMPARE (errno, EPERM);
+
+ TEST_VERIFY_EXIT (madvise (p, pagesize, MADV_DONTNEED) == -1);
+ TEST_COMPARE (errno, EPERM);
+
+ xmunmap (p + pagesize, pagesize);
+ xmunmap (p + 3 * pagesize, pagesize);
+
+ return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h b/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h
index b122216013..5d86e75dd5 100644
--- a/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h
@@ -189,6 +189,7 @@
#define __NR_mq_timedsend 242
#define __NR_mq_unlink 241
#define __NR_mremap 25
+#define __NR_mseal 462
#define __NR_msgctl 71
#define __NR_msgget 68
#define __NR_msgrcv 70
diff --git a/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist b/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist
index aea7848ed6..accdab4bf0 100644
--- a/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist
@@ -2744,6 +2744,7 @@ GLIBC_2.4 sys_errlist D 0x420
GLIBC_2.4 sys_nerr D 0x4
GLIBC_2.4 unlinkat F
GLIBC_2.4 unshare F
+GLIBC_2.40 mseal F
GLIBC_2.5 __readlinkat_chk F
GLIBC_2.5 inet6_opt_append F
GLIBC_2.5 inet6_opt_find F
diff --git a/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h b/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
index 3040a47d72..dce4473fbc 100644
--- a/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
+++ b/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
@@ -182,6 +182,7 @@
#define __NR_mq_timedsend 1073742066
#define __NR_mq_unlink 1073742065
#define __NR_mremap 1073741849
+#define __NR_mseal 1073742286
#define __NR_msgctl 1073741895
#define __NR_msgget 1073741892
#define __NR_msgrcv 1073741894
diff --git a/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist b/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist
index 4ab3681914..dfd3eb9416 100644
--- a/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist
+++ b/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist
@@ -2763,3 +2763,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F
GLIBC_2.39 stdc_trailing_zeros_ul F
GLIBC_2.39 stdc_trailing_zeros_ull F
GLIBC_2.39 stdc_trailing_zeros_us F
+GLIBC_2.40 mseal F
--
2.43.0
^ permalink raw reply [flat|nested] 26+ messages in thread
* [RFC 3/5] elf: Add support to memory sealing
2024-06-11 15:27 [RFC 0/5] Add support for memory sealing Adhemerval Zanella
2024-06-11 15:27 ` [RFC 1/5] linux: Remove __stack_prot Adhemerval Zanella
2024-06-11 15:27 ` [RFC 2/5] linux: Add mseal syscall support Adhemerval Zanella
@ 2024-06-11 15:27 ` Adhemerval Zanella
2024-06-11 20:47 ` Jonathan Corbet
2024-06-21 5:09 ` Mike Hommey
2024-06-11 15:27 ` [RFC 4/5] elf: Enable RTLD_NODELETE on __libc_unwind_link_get Adhemerval Zanella
2024-06-11 15:27 ` [RFC 5/5] elf: Add support to memory sealing for audit modules Adhemerval Zanella
4 siblings, 2 replies; 26+ messages in thread
From: Adhemerval Zanella @ 2024-06-11 15:27 UTC (permalink / raw)
To: libc-alpha; +Cc: Stephen Roettger, jeffxu, Carlos O'Donell, Florian Weimer
The new Linux mseal syscall allows seal memory mappings to avoid
further changes such as memory protection or remap. The sealing
is done in multiple places where the memory is supposed to
be immutable over program execution:
* All shared library dependencies from the binary, including the
read-only segments after PT_GNU_RELRO setup.
* The binary itself, including dynamic and static links. In both
It is up either to binary or the loader to set up the sealing.
* The vDSO vma provided by the kernel (if existent).
* Any preload libraries.
* Any library loaded with dlopen with RTLD_NODELETE flag.
For binary dependencies, the RTLD_NODELETE signals the
link_map should be sealed. It also makes dlopen objects with the
flag sealed as well.
The sealing is controlled by a new tunable, glibc.rtld.seal, with
three different states:
0. Disabled where no sealing is done. This is the default.
1. Enabled, where the loader will issue the mseal syscall on the
memory mappings but any failure will be ignored. This is
the default.
2. Enforce, similar to Enabled but any failure from the mseal
will terminate the process.
Checked on x86_64-linux-gnu and aarch64-linux-gnu.
---
elf/dl-load.c | 2 +
elf/dl-mseal-mode.h | 29 ++
elf/dl-open.c | 4 +
elf/dl-reloc.c | 49 ++++
elf/dl-support.c | 7 +
elf/dl-tunables.list | 6 +
elf/rtld.c | 10 +-
elf/setup-vdso.h | 3 +
elf/tst-rtld-list-tunables.exp | 1 +
include/link.h | 6 +
manual/tunables.texi | 35 +++
string/strerrorname_np.c | 1 +
sysdeps/generic/dl-mseal.h | 25 ++
sysdeps/generic/ldsodefs.h | 6 +
sysdeps/unix/sysv/linux/Makefile | 45 +++
sysdeps/unix/sysv/linux/dl-mseal.c | 51 ++++
sysdeps/unix/sysv/linux/dl-mseal.h | 29 ++
sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c | 19 ++
sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c | 19 ++
.../sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c | 19 ++
.../sysv/linux/lib-tst-dl_mseal-dlopen-1.c | 19 ++
.../sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c | 19 ++
.../sysv/linux/lib-tst-dl_mseal-dlopen-2.c | 19 ++
sysdeps/unix/sysv/linux/tst-dl_mseal-static.c | 2 +
sysdeps/unix/sysv/linux/tst-dl_mseal.c | 267 ++++++++++++++++++
25 files changed, 689 insertions(+), 3 deletions(-)
create mode 100644 elf/dl-mseal-mode.h
create mode 100644 sysdeps/generic/dl-mseal.h
create mode 100644 sysdeps/unix/sysv/linux/dl-mseal.c
create mode 100644 sysdeps/unix/sysv/linux/dl-mseal.h
create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c
create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c
create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c
create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1.c
create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c
create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2.c
create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-static.c
create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal.c
diff --git a/elf/dl-load.c b/elf/dl-load.c
index 8a89b71016..4c2371ec46 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -1431,6 +1431,8 @@ cannot enable executable stack as shared object requires");
/* Assign the next available module ID. */
_dl_assign_tls_modid (l);
+ l->l_seal = mode & RTLD_NODELETE ? lt_seal_toseal : lt_seal_dont;
+
#ifdef DL_AFTER_LOAD
DL_AFTER_LOAD (l);
#endif
diff --git a/elf/dl-mseal-mode.h b/elf/dl-mseal-mode.h
new file mode 100644
index 0000000000..7f9ede4db7
--- /dev/null
+++ b/elf/dl-mseal-mode.h
@@ -0,0 +1,29 @@
+/* Memory sealing. Generic definitions.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#ifndef _DL_SEAL_MODE_H
+#define _DL_SEAL_MODE_H
+
+enum dl_seal_mode
+{
+ DL_SEAL_DISABLE = 0,
+ DL_SEAL_ENABLE = 1,
+ DL_SEAL_ENFORCE = 2,
+};
+
+#endif
diff --git a/elf/dl-open.c b/elf/dl-open.c
index c378da16c0..7bd90ef069 100644
--- a/elf/dl-open.c
+++ b/elf/dl-open.c
@@ -837,6 +837,10 @@ dl_open_worker (void *a)
if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_FILES))
_dl_debug_printf ("opening file=%s [%lu]; direct_opencount=%u\n\n",
new->l_name, new->l_ns, new->l_direct_opencount);
+
+ /* The seal flag is set only for NEW, however its dependencies could not be
+ unloaded and thus can also be sealed. */
+ _dl_mseal_map (new, true);
}
void *
diff --git a/elf/dl-reloc.c b/elf/dl-reloc.c
index 4bf7aec88b..01f88e9003 100644
--- a/elf/dl-reloc.c
+++ b/elf/dl-reloc.c
@@ -28,6 +28,7 @@
#include <_itoa.h>
#include <libc-pointer-arith.h>
#include "dynamic-link.h"
+#include <dl-mseal.h>
/* Statistics function. */
#ifdef SHARED
@@ -347,6 +348,11 @@ _dl_relocate_object (struct link_map *l, struct r_scope_elem *scope[],
done, do it. */
if (l->l_relro_size != 0)
_dl_protect_relro (l);
+
+ /* Seal the memory mapping after RELRO setup, we can use the PT_LOAD
+ segments because even if relro splits the the original RW VMA,
+ mseal works with multiple VMAs with different flags. */
+ _dl_mseal_map (l, false);
}
@@ -369,6 +375,49 @@ cannot apply additional memory protection after relocation");
}
}
+static void
+_dl_mseal_map_1 (struct link_map *l)
+{
+ if (l->l_seal == lt_seal_sealed)
+ return;
+
+ int r = -1;
+ if (l->l_contiguous)
+ r = _dl_mseal ((void *) l->l_map_start, l->l_map_end - l->l_map_start);
+ else
+ {
+ const ElfW(Phdr) *ph;
+ for (ph = l->l_phdr; ph < &l->l_phdr[l->l_phnum]; ++ph)
+ switch (ph->p_type)
+ {
+ case PT_LOAD:
+ {
+ ElfW(Addr) mapstart = l->l_addr
+ + (ph->p_vaddr & ~(GLRO(dl_pagesize) - 1));
+ ElfW(Addr) allocend = l->l_addr + ph->p_vaddr + ph->p_memsz;
+ r = _dl_mseal ((void *) mapstart, allocend - mapstart);
+ }
+ break;
+ }
+ }
+
+ if (r == 0)
+ l->l_seal = lt_seal_sealed;
+}
+
+void
+_dl_mseal_map (struct link_map *l, bool dep)
+{
+ if (l->l_seal == lt_seal_dont || l->l_nodelete_pending)
+ return;
+
+ if (l->l_searchlist.r_list == NULL || !dep)
+ _dl_mseal_map_1 (l);
+ else
+ for (unsigned int i = 0; i < l->l_searchlist.r_nlist; ++i)
+ _dl_mseal_map_1 (l->l_searchlist.r_list[i]);
+}
+
void
__attribute_noinline__
_dl_reloc_bad_type (struct link_map *map, unsigned int type, int plt)
diff --git a/elf/dl-support.c b/elf/dl-support.c
index 451932dd03..8290a380f3 100644
--- a/elf/dl-support.c
+++ b/elf/dl-support.c
@@ -45,6 +45,7 @@
#include <dl-find_object.h>
#include <array_length.h>
#include <dl-symbol-redir-ifunc.h>
+#include <dl-mseal.h>
extern char *__progname;
char **_dl_argv = &__progname; /* This is checked for some error messages. */
@@ -99,6 +100,7 @@ static struct link_map _dl_main_map =
.l_used = 1,
.l_tls_offset = NO_TLS_OFFSET,
.l_serial = 1,
+ .l_seal = SUPPORT_MSEAL,
};
/* Namespace information. */
@@ -340,6 +342,11 @@ _dl_non_dynamic_init (void)
/* Setup relro on the binary itself. */
if (_dl_main_map.l_relro_size != 0)
_dl_protect_relro (&_dl_main_map);
+
+ /* Seal the memory mapping after RELRO setup, we can use the PT_LOAD
+ segments because even if relro splits the the original RW VMA,
+ mseal works with multiple VMAs with different flags. */
+ _dl_mseal_map (&_dl_main_map, false);
}
#ifdef DL_SYSINFO_IMPLEMENTATION
diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
index 1186272c81..bf71f648e1 100644
--- a/elf/dl-tunables.list
+++ b/elf/dl-tunables.list
@@ -142,6 +142,12 @@ glibc {
maxval: 1
default: 0
}
+ seal {
+ type: INT_32
+ minval: 0
+ maxval: 2
+ default: 1
+ }
}
mem {
diff --git a/elf/rtld.c b/elf/rtld.c
index e9525ea987..174389e205 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -53,6 +53,7 @@
#include <dl-find_object.h>
#include <dl-audit-check.h>
#include <dl-call_tls_init_tp.h>
+#include <dl-mseal.h>
#include <assert.h>
@@ -477,6 +478,7 @@ _dl_start_final (void *arg, struct dl_start_final_info *info)
GL(dl_rtld_map).l_real = &GL(dl_rtld_map);
GL(dl_rtld_map).l_map_start = (ElfW(Addr)) &__ehdr_start;
GL(dl_rtld_map).l_map_end = (ElfW(Addr)) _end;
+ GL(dl_rtld_map).l_seal = 1;
/* Copy the TLS related data if necessary. */
#ifndef DONT_USE_BOOTSTRAP_MAP
# if NO_TLS_OFFSET != 0
@@ -809,7 +811,8 @@ do_preload (const char *fname, struct link_map *main_map, const char *where)
args.str = fname;
args.loader = main_map;
- args.mode = __RTLD_SECURE;
+ /* RTLD_NODELETE enables sealing. */
+ args.mode = __RTLD_SECURE | RTLD_NODELETE;
unsigned int old_nloaded = GL(dl_ns)[LM_ID_BASE]._ns_nloaded;
@@ -1123,6 +1126,7 @@ rtld_setup_main_map (struct link_map *main_map)
/* And it was opened directly. */
++main_map->l_direct_opencount;
main_map->l_contiguous = 1;
+ main_map->l_seal = 1;
/* A PT_LOAD segment at an unexpected address will clear the
l_contiguous flag. The ELF specification says that PT_LOAD
@@ -1636,7 +1640,7 @@ dl_main (const ElfW(Phdr) *phdr,
/* Create a link_map for the executable itself.
This will be what dlopen on "" returns. */
main_map = _dl_new_object ((char *) "", "", lt_executable, NULL,
- __RTLD_OPENEXEC, LM_ID_BASE);
+ __RTLD_OPENEXEC | RTLD_NODELETE, LM_ID_BASE);
assert (main_map != NULL);
main_map->l_phdr = phdr;
main_map->l_phnum = phnum;
@@ -1964,7 +1968,7 @@ dl_main (const ElfW(Phdr) *phdr,
RTLD_TIMING_VAR (start);
rtld_timer_start (&start);
_dl_map_object_deps (main_map, preloads, npreloads,
- state.mode == rtld_mode_trace, 0);
+ state.mode == rtld_mode_trace, RTLD_NODELETE);
rtld_timer_accum (&load_time, start);
}
diff --git a/elf/setup-vdso.h b/elf/setup-vdso.h
index 888e1e4897..f8d9c36453 100644
--- a/elf/setup-vdso.h
+++ b/elf/setup-vdso.h
@@ -66,6 +66,7 @@ setup_vdso (struct link_map *main_map __attribute__ ((unused)),
/* The vDSO is always used. */
l->l_used = 1;
+ l->l_seal = lt_seal_toseal;
/* Initialize l_local_scope to contain just this map. This allows
the use of dl_lookup_symbol_x to resolve symbols within the vdso.
@@ -104,6 +105,8 @@ setup_vdso (struct link_map *main_map __attribute__ ((unused)),
if (GLRO(dl_sysinfo) == DL_SYSINFO_DEFAULT)
GLRO(dl_sysinfo) = GLRO(dl_sysinfo_dso)->e_entry + l->l_addr;
# endif
+
+ _dl_mseal ((void *) l->l_map_start, l->l_map_end - l->l_map_start);
}
#endif
}
diff --git a/elf/tst-rtld-list-tunables.exp b/elf/tst-rtld-list-tunables.exp
index db0e1c86e9..d40a478dd7 100644
--- a/elf/tst-rtld-list-tunables.exp
+++ b/elf/tst-rtld-list-tunables.exp
@@ -15,3 +15,4 @@ glibc.rtld.dynamic_sort: 2 (min: 1, max: 2)
glibc.rtld.enable_secure: 0 (min: 0, max: 1)
glibc.rtld.nns: 0x4 (min: 0x1, max: 0x10)
glibc.rtld.optional_static_tls: 0x200 (min: 0x0, max: 0x[f]+)
+glibc.rtld.seal: 1 (min: 0, max: 2)
diff --git a/include/link.h b/include/link.h
index cb0d7d8e2f..fd8e7f25bf 100644
--- a/include/link.h
+++ b/include/link.h
@@ -212,6 +212,12 @@ struct link_map
unsigned int l_find_object_processed:1; /* Zero if _dl_find_object_update
needs to process this
lt_library map. */
+ enum /* Memory sealing status. */
+ {
+ lt_seal_dont, /* Do not seal the object. */
+ lt_seal_toseal, /* The library is marked to be sealed. */
+ lt_seal_sealed /* The library is sealed. */
+ } l_seal:2;
/* NODELETE status of the map. Only valid for maps of type
lt_loaded. Lazy binding sets l_nodelete_active directly,
diff --git a/manual/tunables.texi b/manual/tunables.texi
index 8dd02d8149..26fba6641d 100644
--- a/manual/tunables.texi
+++ b/manual/tunables.texi
@@ -356,6 +356,41 @@ tests for @code{AT_SECURE} programs and not meant to be a security feature.
The default value of this tunable is @samp{0}.
@end deftp
+@deftp Tunable glibc.rtld.seal
+Sets whether to enable memory sealing during program execution. The sealed
+memory prevents further changes to the maped memory region, such as shrinking
+or expanding, mapping another segment over a pre-existing region, or change
+the memory protection flags (check the @code{mseal} for more information).
+The sealing is done in multiple places where the memory is supposed to be
+immuatable over program execution:
+
+@itemize @bullet
+@item
+All shared library dependencies from the binary, including the read-only segments
+after @code{PT_GNU_RELRO} setup.
+
+@item
+The binary itself, including dynamic and static linked. In both cases it is up
+either to binary or the loader to setup the sealing.
+
+@item
+The vDSO vma provided by the kernel (if existent).
+
+@item
+Any preload libraries.
+
+@item
+Any library loaded with @code{dlopen} with @code{RTLD_NODELETE} flag.
+@end itemize
+
+The tunable accepts three diferent values: @samp{0} where sealing is disabled,
+@samp{1} where sealing is enabled, and @samp{2} where sealing is enforced. For
+the enforced mode, if the memory can not be sealed the process terminates the
+execution.
+
+The default value of this tunable is @samp{1}.
+@end deftp
+
@node Elision Tunables
@section Elision Tunables
@cindex elision tunables
diff --git a/string/strerrorname_np.c b/string/strerrorname_np.c
index 042cea381c..e0e22fa79e 100644
--- a/string/strerrorname_np.c
+++ b/string/strerrorname_np.c
@@ -17,6 +17,7 @@
<https://www.gnu.org/licenses/>. */
#include <stdio.h>
+#include <string.h>
const char *
strerrorname_np (int errnum)
diff --git a/sysdeps/generic/dl-mseal.h b/sysdeps/generic/dl-mseal.h
new file mode 100644
index 0000000000..d542fcac75
--- /dev/null
+++ b/sysdeps/generic/dl-mseal.h
@@ -0,0 +1,25 @@
+/* Memory sealing. Generic version.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+static inline int
+_dl_mseal (void *addr, size_t len)
+{
+ return 0;
+}
+
+#define SUPPORT_MSEAL lt_seal_dont
diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
index 50f58a60e3..e0d46e9177 100644
--- a/sysdeps/generic/ldsodefs.h
+++ b/sysdeps/generic/ldsodefs.h
@@ -1017,6 +1017,12 @@ extern void _dl_relocate_object (struct link_map *map,
/* Protect PT_GNU_RELRO area. */
extern void _dl_protect_relro (struct link_map *map) attribute_hidden;
+/* Protect MAP with mseal. If MAP is contiguous the while region is
+ sealed, otherwise iterate over the phdr to seal each PT_LOAD. The DEP
+ specify whether to seal the dependencies as well. */
+extern void _dl_mseal_map (struct link_map *map, bool dep)
+ attribute_hidden;
+
/* Call _dl_signal_error with a message about an unhandled reloc type.
TYPE is the result of ELFW(R_TYPE) (r_info), i.e. an R_<CPU>_* value.
PLT is nonzero if this was a PLT reloc; it just affects the message. */
diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
index 82d523e588..922511b4a1 100644
--- a/sysdeps/unix/sysv/linux/Makefile
+++ b/sysdeps/unix/sysv/linux/Makefile
@@ -625,6 +625,10 @@ sysdep-rtld-routines += \
dl-sbrk \
# sysdep-rtld-routines
+dl-routines += \
+ dl-mseal \
+ # dl-routines
+
others += \
pldd \
# others
@@ -634,6 +638,47 @@ install-bin += \
# install-bin
$(objpfx)pldd: $(objpfx)xmalloc.o
+
+tests-static += \
+ tst-dl_mseal-static \
+ # tests-static
+
+tests += \
+ $(tests-static) \
+ tst-dl_mseal \
+ # tests
+
+modules-names += \
+ lib-tst-dl_mseal-1 \
+ lib-tst-dl_mseal-2 \
+ lib-tst-dl_mseal-dlopen-1 \
+ lib-tst-dl_mseal-dlopen-1-1 \
+ lib-tst-dl_mseal-dlopen-2 \
+ lib-tst-dl_mseal-dlopen-2-1 \
+ lib-tst-dl_mseal-preload \
+ # modules-names
+
+$(objpfx)tst-dl_mseal.out: \
+ $(objpfx)lib-tst-dl_mseal-preload.so \
+ $(objpfx)lib-tst-dl_mseal-1.so \
+ $(objpfx)lib-tst-dl_mseal-2.so \
+ $(objpfx)lib-tst-dl_mseal-dlopen-1.so \
+ $(objpfx)lib-tst-dl_mseal-dlopen-1-1.so \
+ $(objpfx)lib-tst-dl_mseal-dlopen-2.so \
+ $(objpfx)lib-tst-dl_mseal-dlopen-2-1.so
+
+tst-dl_mseal-ARGS = -- $(host-test-program-cmd)
+$(objpfx)tst-dl_mseal: $(objpfx)lib-tst-dl_mseal-1.so
+$(objpfx)lib-tst-dl_mseal-1.so: $(objpfx)lib-tst-dl_mseal-2.so
+
+$(objpfx)lib-tst-dl_mseal-dlopen-1.so: $(objpfx)lib-tst-dl_mseal-dlopen-1-1.so
+$(objpfx)lib-tst-dl_mseal-dlopen-2.so: $(objpfx)lib-tst-dl_mseal-dlopen-2-1.so
+LDFLAGS-lib-tst-dl_mseal-dlopen-1.so = \
+ -Wl,-soname,lib-tst-dl_mseal-dlopen-1.so
+LDFLAGS-lib-tst-dl_mseal-dlopen-2.so = \
+ -Wl,-soname,lib-tst-dl_mseal-dlopen-2.so
+
+tst-dl_mseal-static-ARGS = -- $(host-test-program-cmd)
endif
ifeq ($(subdir),rt)
diff --git a/sysdeps/unix/sysv/linux/dl-mseal.c b/sysdeps/unix/sysv/linux/dl-mseal.c
new file mode 100644
index 0000000000..69124b34af
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/dl-mseal.c
@@ -0,0 +1,51 @@
+/* Memory sealing. Linux version.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <atomic.h>
+#include <dl-mseal.h>
+#include <dl-mseal-mode.h>
+#include <dl-tunables.h>
+#include <ldsodefs.h>
+
+int
+_dl_mseal (void *addr, size_t len)
+{
+ int32_t mode = TUNABLE_GET (glibc, rtld, seal, int32_t, NULL);
+ if (mode == DL_SEAL_DISABLE)
+ return 0;
+
+ int r;
+#if __ASSUME_MSEAL
+ r = INTERNAL_SYSCALL_CALL (mseal, addr, len, 0);
+#else
+ r = -ENOSYS;
+ static int mseal_supported = true;
+ if (atomic_load_relaxed (&mseal_supported))
+ {
+ r = INTERNAL_SYSCALL_CALL (mseal, addr, len, 0);
+ if (r == -ENOSYS)
+ atomic_store_relaxed (&mseal_supported, false);
+ }
+#endif
+ if (mode == DL_SEAL_ENFORCE && r != 0)
+ _dl_fatal_printf ("Fatal error: sealing is enforced and an error "
+ "ocurred for the 0x%lx-0x%lx range\n",
+ (long unsigned int) addr,
+ (long unsigned int) addr + len);
+ return r;
+}
diff --git a/sysdeps/unix/sysv/linux/dl-mseal.h b/sysdeps/unix/sysv/linux/dl-mseal.h
new file mode 100644
index 0000000000..89b19e33c4
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/dl-mseal.h
@@ -0,0 +1,29 @@
+/* Memory sealing. Linux version.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+/* Seal the ADDR or size LEN to protect against modifications, such as
+ changes on the permission flags (through mprotect), remap (through
+ mmap and/or remap), shrink, destruction changes (madvise with
+ MADV_DONTNEED), or change its size. The input has the same constraints
+ as the mseal syscall.
+
+ Return 0 in case of success or a negative value otherwise (a negative
+ errno). */
+int _dl_mseal (void *addr, size_t len) attribute_hidden;
+
+#define SUPPORT_MSEAL lt_seal_toseal
diff --git a/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c
new file mode 100644
index 0000000000..3bd188efe8
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c
@@ -0,0 +1,19 @@
+/* Additional module for tst-dl_mseal test.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+int foo1 (void) { return 42; }
diff --git a/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c
new file mode 100644
index 0000000000..636e9777af
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c
@@ -0,0 +1,19 @@
+/* Additional module for tst-dl_mseal test.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+int bar1 (void) { return 42; }
diff --git a/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c
new file mode 100644
index 0000000000..ef1372f47e
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c
@@ -0,0 +1,19 @@
+/* Additional module for tst-dl_mseal test.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+int foo2_1 (void) { return 42; }
diff --git a/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1.c b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1.c
new file mode 100644
index 0000000000..3c2cbe6035
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1.c
@@ -0,0 +1,19 @@
+/* Additional module for tst-dl_mseal test.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+int foo2 (void) { return 42; }
diff --git a/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c
new file mode 100644
index 0000000000..0cd647de46
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c
@@ -0,0 +1,19 @@
+/* Additional module for tst-dl_mseal test.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+int bar2_1 (void) { return 42; }
diff --git a/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2.c b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2.c
new file mode 100644
index 0000000000..f719dd3cba
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2.c
@@ -0,0 +1,19 @@
+/* Additional module for tst-dl_mseal test.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+int bar2 (void) { return 42; }
diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal-static.c b/sysdeps/unix/sysv/linux/tst-dl_mseal-static.c
new file mode 100644
index 0000000000..7f26713b35
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/tst-dl_mseal-static.c
@@ -0,0 +1,2 @@
+#define TEST_STATIC
+#include "tst-dl_mseal.c"
diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal.c b/sysdeps/unix/sysv/linux/tst-dl_mseal.c
new file mode 100644
index 0000000000..72a33d04c7
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/tst-dl_mseal.c
@@ -0,0 +1,267 @@
+/* Basic tests for sealing.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <array_length.h>
+#include <errno.h>
+#include <getopt.h>
+#include <inttypes.h>
+#include <libgen.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#include <support/capture_subprocess.h>
+#include <support/check.h>
+#include <support/support.h>
+#include <support/xdlfcn.h>
+#include <support/xstdio.h>
+
+#define LIB_PRELOAD "lib-tst-dl_mseal-preload.so"
+
+#define LIB_NEEDED_1 "lib-tst-dl_mseal-1.so"
+#define LIB_NEEDED_2 "lib-tst-dl_mseal-2.so"
+
+#define LIB_DLOPEN_DEFAULT "lib-tst-dl_mseal-dlopen-1.so"
+#define LIB_DLOPEN_DEFAULT_DEP "lib-tst-dl_mseal-dlopen-1-1.so"
+#define LIB_DLOPEN_NODELETE "lib-tst-dl_mseal-dlopen-2.so"
+#define LIB_DLOPEN_NODELETE_DEP "lib-tst-dl_mseal-dlopen-2-1.so"
+
+static int
+new_flags (const char flags[4])
+{
+ bool read_flag = flags[0] == 'r';
+ bool write_flag = flags[1] == 'w';
+ bool exec_flag = flags[2] == 'x';
+
+ write_flag = !write_flag;
+
+ return (read_flag ? PROT_READ : 0)
+ | (write_flag ? PROT_WRITE : 0)
+ | (exec_flag ? PROT_EXEC : 0);
+}
+
+/* Expected libraries that loader will seal. */
+static const char *expected_sealed_libs[] =
+{
+#ifdef TEST_STATIC
+ "tst-dl_mseal-static",
+#else
+ "libc.so",
+ "ld.so",
+ "tst-dl_mseal",
+ LIB_PRELOAD,
+ LIB_NEEDED_1,
+ LIB_NEEDED_2,
+ LIB_DLOPEN_NODELETE,
+ LIB_DLOPEN_NODELETE_DEP,
+#endif
+ "[vdso]",
+};
+
+/* Libraries/VMA that could not be sealed. */
+static const char *non_sealed_vmas[] =
+{
+ ".", /* basename value for empty string anonymous
+ mappings. */
+ "[heap]",
+ "[vsyscall]",
+ "[vvar]",
+ "[stack]",
+ "zero", /* /dev/zero */
+#ifndef TEST_STATIC
+ "tst-dl_mseal-mod-2.so",
+ LIB_DLOPEN_DEFAULT,
+ LIB_DLOPEN_DEFAULT_DEP
+#endif
+};
+
+static int
+is_in_string_list (const char *s, const char *const list[], size_t len)
+{
+ for (size_t i = 0; i != len; i++)
+ if (strcmp (s, list[i]) == 0)
+ return i;
+ return -1;
+}
+
+static int
+handle_restart (void)
+{
+#ifndef TEST_STATIC
+ xdlopen (LIB_DLOPEN_NODELETE, RTLD_NOW | RTLD_NODELETE);
+ xdlopen (LIB_DLOPEN_DEFAULT, RTLD_NOW);
+#endif
+
+ FILE *fp = xfopen ("/proc/self/maps", "r");
+ char *line = NULL;
+ size_t linesiz = 0;
+
+ unsigned long pagesize = getpagesize ();
+
+ bool found_expected[array_length(expected_sealed_libs)] = { false };
+ while (xgetline (&line, &linesiz, fp) > 0)
+ {
+ uintptr_t start;
+ uintptr_t end;
+ char flags[5] = { 0 };
+ char name[256] = { 0 };
+ int idx;
+
+ /* The line is in the form:
+ start-end flags offset dev inode pathname */
+ int r = sscanf (line,
+ "%" SCNxPTR "-%" SCNxPTR " %4s %*s %*s %*s %256s",
+ &start,
+ &end,
+ flags,
+ name);
+ TEST_VERIFY_EXIT (r == 3 || r == 4);
+
+ int found = false;
+
+ const char *libname = basename (name);
+ if ((idx = is_in_string_list (libname, expected_sealed_libs,
+ array_length (expected_sealed_libs)))
+ != -1)
+ {
+ /* Check if we can change the protection flags of the segment. */
+ int new_prot = new_flags (flags);
+ TEST_VERIFY_EXIT (mprotect ((void *) start, end - start,
+ new_prot) == -1);
+ TEST_VERIFY_EXIT (errno == EPERM);
+
+ /* Also checks trying to map over the sealed libraries. */
+ {
+ char *p = mmap ((void *) start, pagesize, new_prot,
+ MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+ TEST_VERIFY_EXIT (p == MAP_FAILED);
+ TEST_VERIFY_EXIT (errno == EPERM);
+ }
+
+ /* And if remap is also blocked. */
+ {
+ char *p = mremap ((void *) start, end - start, end - start, 0);
+ TEST_VERIFY_EXIT (p == MAP_FAILED);
+ TEST_VERIFY_EXIT (errno == EPERM);
+ }
+
+ printf ("sealed: vma: %#" PRIxPTR "-%#" PRIxPTR " %s %s\n",
+ start,
+ end,
+ flags,
+ name);
+
+ found_expected[idx] = true;
+ found = true;
+ }
+
+ if (!found)
+ {
+ if (is_in_string_list (libname, non_sealed_vmas,
+ array_length (non_sealed_vmas)) != -1)
+ printf ("not-sealed: vma: %#" PRIxPTR "-%#" PRIxPTR " %s %s\n",
+ start,
+ end,
+ flags,
+ name);
+ else
+ FAIL_EXIT1 ("unexpected vma: %#" PRIxPTR "-%#" PRIxPTR " %s %s\n",
+ start,
+ end,
+ flags,
+ name);
+ }
+ }
+ xfclose (fp);
+
+ printf ("\n");
+
+ /* Also check if all the expected sealed maps were found. */
+ for (int i = 0; i < array_length (expected_sealed_libs); i++)
+ if (!found_expected[i])
+ FAIL_EXIT1 ("expected VMA %s not sealed\n", expected_sealed_libs[i]);
+
+ return 0;
+}
+
+static int restart;
+#define CMDLINE_OPTIONS \
+ { "restart", no_argument, &restart, 1 },
+
+static int
+do_test (int argc, char *argv[])
+{
+ /* We must have either:
+ - One or four parameters left if called initially:
+ + path to ld.so optional
+ + "--library-path" optional
+ + the library path optional
+ + the application name */
+ if (restart)
+ return handle_restart ();
+
+ /* Check the test requirements. */
+ {
+ int r = mseal (NULL, 0, 0);
+ if (r == -1 && errno == ENOSYS)
+ FAIL_UNSUPPORTED ("mseal is not supported by the kernel");
+ else
+ TEST_VERIFY_EXIT (r == 0);
+ }
+ support_need_proc ("Reads /proc/self/maps to get stack names.");
+
+ char *spargv[9];
+ int i = 0;
+ for (; i < argc - 1; i++)
+ spargv[i] = argv[i + 1];
+ spargv[i++] = (char *) "--direct";
+ spargv[i++] = (char *) "--restart";
+ spargv[i] = NULL;
+
+ char *envvarss[3];
+ envvarss[0] = (char *) "GLIBC_TUNABLES=glibc.rtld.seal=2";
+#ifndef TEST_STATIC
+ envvarss[1] = (char *) "LD_PRELOAD=" LIB_PRELOAD;
+ envvarss[2] = NULL;
+#else
+ envvarss[1] = NULL;
+#endif
+
+ struct support_capture_subprocess result =
+ support_capture_subprogram (spargv[0], spargv, envvarss);
+ support_capture_subprocess_check (&result, "tst-dl_mseal", 0,
+ sc_allow_stdout);
+
+ {
+ FILE *out = fmemopen (result.out.buffer, result.out.length, "r");
+ TEST_VERIFY (out != NULL);
+ char *line = NULL;
+ size_t linesz = 0;
+ while (xgetline (&line, &linesz, out))
+ printf ("%s", line);
+ fclose (out);
+ }
+
+ support_capture_subprocess_free (&result);
+
+ return 0;
+}
+
+#define TEST_FUNCTION_ARGV do_test
+#include <support/test-driver.c>
--
2.43.0
^ permalink raw reply [flat|nested] 26+ messages in thread
* [RFC 4/5] elf: Enable RTLD_NODELETE on __libc_unwind_link_get
2024-06-11 15:27 [RFC 0/5] Add support for memory sealing Adhemerval Zanella
` (2 preceding siblings ...)
2024-06-11 15:27 ` [RFC 3/5] elf: Add support to memory sealing Adhemerval Zanella
@ 2024-06-11 15:27 ` Adhemerval Zanella
2024-06-12 9:54 ` Florian Weimer
2024-06-11 15:27 ` [RFC 5/5] elf: Add support to memory sealing for audit modules Adhemerval Zanella
4 siblings, 1 reply; 26+ messages in thread
From: Adhemerval Zanella @ 2024-06-11 15:27 UTC (permalink / raw)
To: libc-alpha; +Cc: Stephen Roettger, jeffxu, Carlos O'Donell, Florian Weimer
The libgcc_s.so can also be sealed. The library is loaded once
and not unloaded during process execution (only for memory debug
with __libc_unwind_link_freeres).
Checked on x86_64-linux-gnu and aarch64-linux-gnu.
---
include/dlfcn.h | 2 ++
manual/tunables.texi | 4 ++++
misc/unwind-link.c | 5 +++--
sysdeps/unix/sysv/linux/tst-dl_mseal.c | 13 +++++++++++++
4 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/include/dlfcn.h b/include/dlfcn.h
index f49ee1b0c9..06e2ecbdd2 100644
--- a/include/dlfcn.h
+++ b/include/dlfcn.h
@@ -50,6 +50,8 @@ extern char **__libc_argv attribute_hidden;
better error handling semantics for the library. */
#define __libc_dlopen(name) \
__libc_dlopen_mode (name, RTLD_NOW | __RTLD_DLOPEN)
+#define __libc_dlopen_nodelete(name) \
+ __libc_dlopen_mode (name, RTLD_NODELETE | RTLD_NOW | __RTLD_DLOPEN)
extern void *__libc_dlopen_mode (const char *__name, int __mode)
attribute_hidden;
extern void *__libc_dlsym (void *__map, const char *__name)
diff --git a/manual/tunables.texi b/manual/tunables.texi
index 26fba6641d..be36d52cf9 100644
--- a/manual/tunables.texi
+++ b/manual/tunables.texi
@@ -381,6 +381,10 @@ Any preload libraries.
@item
Any library loaded with @code{dlopen} with @code{RTLD_NODELETE} flag.
+
+@item
+Any runtime library used for process unwind (such as required by @code{backtrace}
+or @code{pthread_exit}).
@end itemize
The tunable accepts three diferent values: @samp{0} where sealing is disabled,
diff --git a/misc/unwind-link.c b/misc/unwind-link.c
index 213a0162a4..7267ecbec3 100644
--- a/misc/unwind-link.c
+++ b/misc/unwind-link.c
@@ -48,7 +48,7 @@ __libc_unwind_link_get (void)
/* Initialize a copy of the data, so that we do not need about
unlocking in case the dynamic loader somehow triggers
unwinding. */
- void *local_libgcc_handle = __libc_dlopen (LIBGCC_S_SO);
+ void *local_libgcc_handle = __libc_dlopen_nodelete (LIBGCC_S_SO);
if (local_libgcc_handle == NULL)
{
__libc_lock_unlock (lock);
@@ -100,7 +100,8 @@ __libc_unwind_link_get (void)
__libc_lock_lock (lock);
if (atomic_load_relaxed (&global_libgcc_handle) != NULL)
- /* This thread lost the race. Clean up. */
+ /* This thread lost the race. Drop the l_direct_opencount and issue
+ the debug log. */
__libc_dlclose (local_libgcc_handle);
else
{
diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal.c b/sysdeps/unix/sysv/linux/tst-dl_mseal.c
index 72a33d04c7..da1a3ebe5a 100644
--- a/sysdeps/unix/sysv/linux/tst-dl_mseal.c
+++ b/sysdeps/unix/sysv/linux/tst-dl_mseal.c
@@ -19,6 +19,7 @@
#include <array_length.h>
#include <errno.h>
#include <getopt.h>
+#include <gnu/lib-names.h>
#include <inttypes.h>
#include <libgen.h>
#include <stdio.h>
@@ -31,6 +32,7 @@
#include <support/support.h>
#include <support/xdlfcn.h>
#include <support/xstdio.h>
+#include <support/xthread.h>
#define LIB_PRELOAD "lib-tst-dl_mseal-preload.so"
@@ -70,6 +72,7 @@ static const char *expected_sealed_libs[] =
LIB_NEEDED_2,
LIB_DLOPEN_NODELETE,
LIB_DLOPEN_NODELETE_DEP,
+ LIBGCC_S_SO,
#endif
"[vdso]",
};
@@ -100,6 +103,13 @@ is_in_string_list (const char *s, const char *const list[], size_t len)
return -1;
}
+static void *
+tf (void *closure)
+{
+ pthread_exit (NULL);
+ return NULL;
+}
+
static int
handle_restart (void)
{
@@ -108,6 +118,9 @@ handle_restart (void)
xdlopen (LIB_DLOPEN_DEFAULT, RTLD_NOW);
#endif
+ /* pthread_exit will load LIBGCC_S_SO. */
+ xpthread_join (xpthread_create (NULL, tf, NULL));
+
FILE *fp = xfopen ("/proc/self/maps", "r");
char *line = NULL;
size_t linesiz = 0;
--
2.43.0
^ permalink raw reply [flat|nested] 26+ messages in thread
* [RFC 5/5] elf: Add support to memory sealing for audit modules
2024-06-11 15:27 [RFC 0/5] Add support for memory sealing Adhemerval Zanella
` (3 preceding siblings ...)
2024-06-11 15:27 ` [RFC 4/5] elf: Enable RTLD_NODELETE on __libc_unwind_link_get Adhemerval Zanella
@ 2024-06-11 15:27 ` Adhemerval Zanella
4 siblings, 0 replies; 26+ messages in thread
From: Adhemerval Zanella @ 2024-06-11 15:27 UTC (permalink / raw)
To: libc-alpha; +Cc: Stephen Roettger, jeffxu, Carlos O'Donell, Florian Weimer
The memory sealing is done after library loading and sanity check
since an inexistent or wrong la_version might unload the library.
Checked on x86_64-linux-gnu and aarch64-linux-gnu.
---
elf/rtld.c | 4 ++++
manual/tunables.texi | 3 +++
sysdeps/unix/sysv/linux/Makefile | 2 ++
.../unix/sysv/linux/tst-dl_mseal-auditmod.c | 23 +++++++++++++++++++
sysdeps/unix/sysv/linux/tst-dl_mseal.c | 7 ++++--
5 files changed, 37 insertions(+), 2 deletions(-)
create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c
diff --git a/elf/rtld.c b/elf/rtld.c
index 174389e205..62ad1272a4 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -1044,6 +1044,10 @@ ERROR: audit interface '%s' requires version %d (maximum supported version %d);
/* Mark the DSO as being used for auditing. */
dlmargs.map->l_auditing = 1;
+
+ /* Seal the audit modules and their dependencies. */
+ dlmargs.map->l_seal = lt_seal_toseal;
+ _dl_mseal_map (dlmargs.map, true);
}
/* Load all audit modules. */
diff --git a/manual/tunables.texi b/manual/tunables.texi
index be36d52cf9..63445d74c2 100644
--- a/manual/tunables.texi
+++ b/manual/tunables.texi
@@ -385,6 +385,9 @@ Any library loaded with @code{dlopen} with @code{RTLD_NODELETE} flag.
@item
Any runtime library used for process unwind (such as required by @code{backtrace}
or @code{pthread_exit}).
+
+@item
+All audit modules and their dependencies.
@end itemize
The tunable accepts three diferent values: @samp{0} where sealing is disabled,
diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
index 922511b4a1..f11aff84f5 100644
--- a/sysdeps/unix/sysv/linux/Makefile
+++ b/sysdeps/unix/sysv/linux/Makefile
@@ -656,9 +656,11 @@ modules-names += \
lib-tst-dl_mseal-dlopen-2 \
lib-tst-dl_mseal-dlopen-2-1 \
lib-tst-dl_mseal-preload \
+ tst-dl_mseal-auditmod \
# modules-names
$(objpfx)tst-dl_mseal.out: \
+ $(objpfx)tst-dl_mseal-auditmod.so \
$(objpfx)lib-tst-dl_mseal-preload.so \
$(objpfx)lib-tst-dl_mseal-1.so \
$(objpfx)lib-tst-dl_mseal-2.so \
diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c b/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c
new file mode 100644
index 0000000000..d909a1561c
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c
@@ -0,0 +1,23 @@
+/* Audit module for tst-dl_mseal test.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+unsigned int
+la_version (unsigned int v)
+{
+ return v;
+}
diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal.c b/sysdeps/unix/sysv/linux/tst-dl_mseal.c
index da1a3ebe5a..ac60d7342a 100644
--- a/sysdeps/unix/sysv/linux/tst-dl_mseal.c
+++ b/sysdeps/unix/sysv/linux/tst-dl_mseal.c
@@ -35,6 +35,7 @@
#include <support/xthread.h>
#define LIB_PRELOAD "lib-tst-dl_mseal-preload.so"
+#define LIB_AUDIT "tst-dl_mseal-auditmod.so"
#define LIB_NEEDED_1 "lib-tst-dl_mseal-1.so"
#define LIB_NEEDED_2 "lib-tst-dl_mseal-2.so"
@@ -68,6 +69,7 @@ static const char *expected_sealed_libs[] =
"ld.so",
"tst-dl_mseal",
LIB_PRELOAD,
+ LIB_AUDIT,
LIB_NEEDED_1,
LIB_NEEDED_2,
LIB_DLOPEN_NODELETE,
@@ -247,11 +249,12 @@ do_test (int argc, char *argv[])
spargv[i++] = (char *) "--restart";
spargv[i] = NULL;
- char *envvarss[3];
+ char *envvarss[4];
envvarss[0] = (char *) "GLIBC_TUNABLES=glibc.rtld.seal=2";
#ifndef TEST_STATIC
envvarss[1] = (char *) "LD_PRELOAD=" LIB_PRELOAD;
- envvarss[2] = NULL;
+ envvarss[2] = (char *) "LD_AUDIT=" LIB_AUDIT,
+ envvarss[3] = NULL;
#else
envvarss[1] = NULL;
#endif
--
2.43.0
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 1/5] linux: Remove __stack_prot
2024-06-11 15:27 ` [RFC 1/5] linux: Remove __stack_prot Adhemerval Zanella
@ 2024-06-11 19:15 ` Florian Weimer
0 siblings, 0 replies; 26+ messages in thread
From: Florian Weimer @ 2024-06-11 19:15 UTC (permalink / raw)
To: Adhemerval Zanella
Cc: libc-alpha, Stephen Roettger, jeffxu, Carlos O'Donell
* Adhemerval Zanella:
> The __stack_prot is used by Linux to make the stack executable if
> a modules requires it. It is also marked as RELRO, which requires
> to change the segment permission to RW to update it.
>
> Also, there is no need to keep track of the flags: either the stack
> will have the default permission of the ABI or should be change to
> PROT_READ | PROT_WRITE | PROT_EXEC. The only additional flag,
> PROT_GROWSDOWN or PROT_GROWSUP, is Linux only and can be deducted
> from _STACK_GROWS_DOWN/_STACK_GROWS_UP.
>
> Also, the check_consistency was alredy removed some time ago.
“the check_consistency [function] was”, I think.
Patch looks okay to me.
Reviewed-by: Florian Weimer <fweimer@redhat.com>
Thanks,
Florian
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-11 15:27 ` [RFC 3/5] elf: Add support to memory sealing Adhemerval Zanella
@ 2024-06-11 20:47 ` Jonathan Corbet
2024-06-11 21:03 ` Adhemerval Zanella
2024-06-21 5:09 ` Mike Hommey
1 sibling, 1 reply; 26+ messages in thread
From: Jonathan Corbet @ 2024-06-11 20:47 UTC (permalink / raw)
To: Adhemerval Zanella, libc-alpha
Cc: Stephen Roettger, jeffxu, Carlos O'Donell, Florian Weimer
Adhemerval Zanella <adhemerval.zanella@linaro.org> writes:
> The sealing is controlled by a new tunable, glibc.rtld.seal, with
> three different states:
>
> 0. Disabled where no sealing is done. This is the default.
>
> 1. Enabled, where the loader will issue the mseal syscall on the
> memory mappings but any failure will be ignored. This is
> the default.
>
> 2. Enforce, similar to Enabled but any failure from the mseal
> will terminate the process.
Cool - two defaults! :)
It *looks* like the actual default is 0?
Thanks,
jon
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-11 20:47 ` Jonathan Corbet
@ 2024-06-11 21:03 ` Adhemerval Zanella
0 siblings, 0 replies; 26+ messages in thread
From: Adhemerval Zanella @ 2024-06-11 21:03 UTC (permalink / raw)
To: Jonathan Corbet
Cc: libc-alpha, Stephen Roettger, jeffxu, Carlos O'Donell,
Florian Weimer
> On 11 Jun 2024, at 17:47, Jonathan Corbet <corbet@lwn.net> wrote:
> Adhemerval Zanella <adhemerval.zanella@linaro.org> writes:
>
>> The sealing is controlled by a new tunable, glibc.rtld.seal, with
>> three different states:
>>
>> 0. Disabled where no sealing is done. This is the default.
>>
>> 1. Enabled, where the loader will issue the mseal syscall on the
>> memory mappings but any failure will be ignored. This is
>> the default.
>>
>> 2. Enforce, similar to Enabled but any failure from the mseal
>> will terminate the process.
>
> Cool - two defaults! :)
>
> It *looks* like the actual default is 0?
>
> Thanks,
>
> jon
Oops, the actual default is 1 (apply, not enforce). I will fix the commit message.
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 4/5] elf: Enable RTLD_NODELETE on __libc_unwind_link_get
2024-06-11 15:27 ` [RFC 4/5] elf: Enable RTLD_NODELETE on __libc_unwind_link_get Adhemerval Zanella
@ 2024-06-12 9:54 ` Florian Weimer
2024-06-12 17:16 ` Adhemerval Zanella Netto
0 siblings, 1 reply; 26+ messages in thread
From: Florian Weimer @ 2024-06-12 9:54 UTC (permalink / raw)
To: Adhemerval Zanella
Cc: libc-alpha, Stephen Roettger, jeffxu, Carlos O'Donell
* Adhemerval Zanella:
> The libgcc_s.so can also be sealed. The library is loaded once
> and not unloaded during process execution (only for memory debug
> with __libc_unwind_link_freeres).
The unwind-link change to use RTLD_NODELETE could go in separately.
> diff --git a/misc/unwind-link.c b/misc/unwind-link.c
> index 213a0162a4..7267ecbec3 100644
> --- a/misc/unwind-link.c
> +++ b/misc/unwind-link.c
> @@ -100,7 +100,8 @@ __libc_unwind_link_get (void)
>
> __libc_lock_lock (lock);
> if (atomic_load_relaxed (&global_libgcc_handle) != NULL)
> - /* This thread lost the race. Clean up. */
> + /* This thread lost the race. Drop the l_direct_opencount and issue
> + the debug log. */
> __libc_dlclose (local_libgcc_handle);
> else
> {
I don't understand what “debug log” means in this context.
Thanks,
Florian
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 4/5] elf: Enable RTLD_NODELETE on __libc_unwind_link_get
2024-06-12 9:54 ` Florian Weimer
@ 2024-06-12 17:16 ` Adhemerval Zanella Netto
2024-06-12 17:50 ` Florian Weimer
0 siblings, 1 reply; 26+ messages in thread
From: Adhemerval Zanella Netto @ 2024-06-12 17:16 UTC (permalink / raw)
To: Florian Weimer; +Cc: libc-alpha, Stephen Roettger, jeffxu, Carlos O'Donell
On 12/06/24 06:54, Florian Weimer wrote:
> * Adhemerval Zanella:
>
>> The libgcc_s.so can also be sealed. The library is loaded once
>> and not unloaded during process execution (only for memory debug
>> with __libc_unwind_link_freeres).
>
> The unwind-link change to use RTLD_NODELETE could go in separately.
Ok, I will send a separate patch.
>
>> diff --git a/misc/unwind-link.c b/misc/unwind-link.c
>> index 213a0162a4..7267ecbec3 100644
>> --- a/misc/unwind-link.c
>> +++ b/misc/unwind-link.c
>
>> @@ -100,7 +100,8 @@ __libc_unwind_link_get (void)
>>
>> __libc_lock_lock (lock);
>> if (atomic_load_relaxed (&global_libgcc_handle) != NULL)
>> - /* This thread lost the race. Clean up. */
>> + /* This thread lost the race. Drop the l_direct_opencount and issue
>> + the debug log. */
>> __libc_dlclose (local_libgcc_handle);
>> else
>> {
>
> I don't understand what “debug log” means in this context.
Sorry, I meant the __libc_unwind_link_freeres usually triggered by
memory profilers. With sealing the dlclose won't unmap the memory.
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 4/5] elf: Enable RTLD_NODELETE on __libc_unwind_link_get
2024-06-12 17:16 ` Adhemerval Zanella Netto
@ 2024-06-12 17:50 ` Florian Weimer
2024-06-12 17:55 ` Adhemerval Zanella Netto
0 siblings, 1 reply; 26+ messages in thread
From: Florian Weimer @ 2024-06-12 17:50 UTC (permalink / raw)
To: Adhemerval Zanella Netto
Cc: libc-alpha, Stephen Roettger, jeffxu, Carlos O'Donell
* Adhemerval Zanella Netto:
> On 12/06/24 06:54, Florian Weimer wrote:
>> * Adhemerval Zanella:
>>
>>> The libgcc_s.so can also be sealed. The library is loaded once
>>> and not unloaded during process execution (only for memory debug
>>> with __libc_unwind_link_freeres).
>>
>> The unwind-link change to use RTLD_NODELETE could go in separately.
>
> Ok, I will send a separate patch.
>
>>
>>> diff --git a/misc/unwind-link.c b/misc/unwind-link.c
>>> index 213a0162a4..7267ecbec3 100644
>>> --- a/misc/unwind-link.c
>>> +++ b/misc/unwind-link.c
>>
>>> @@ -100,7 +100,8 @@ __libc_unwind_link_get (void)
>>>
>>> __libc_lock_lock (lock);
>>> if (atomic_load_relaxed (&global_libgcc_handle) != NULL)
>>> - /* This thread lost the race. Clean up. */
>>> + /* This thread lost the race. Drop the l_direct_opencount and issue
>>> + the debug log. */
>>> __libc_dlclose (local_libgcc_handle);
>>> else
>>> {
>>
>> I don't understand what “debug log” means in this context.
>
> Sorry, I meant the __libc_unwind_link_freeres usually triggered by
> memory profilers. With sealing the dlclose won't unmap the memory.
I still don't understand the comment.
We can still deallocate the helper data structures. With the switch to
read-only link maps, most of the allocations will be hidden from malloc
tracing anyway and no longer appear as leaks.
Thanks,
Florian
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 4/5] elf: Enable RTLD_NODELETE on __libc_unwind_link_get
2024-06-12 17:50 ` Florian Weimer
@ 2024-06-12 17:55 ` Adhemerval Zanella Netto
0 siblings, 0 replies; 26+ messages in thread
From: Adhemerval Zanella Netto @ 2024-06-12 17:55 UTC (permalink / raw)
To: Florian Weimer; +Cc: libc-alpha, Stephen Roettger, jeffxu, Carlos O'Donell
On 12/06/24 14:50, Florian Weimer wrote:
> * Adhemerval Zanella Netto:
>
>> On 12/06/24 06:54, Florian Weimer wrote:
>>> * Adhemerval Zanella:
>>>
>>>> The libgcc_s.so can also be sealed. The library is loaded once
>>>> and not unloaded during process execution (only for memory debug
>>>> with __libc_unwind_link_freeres).
>>>
>>> The unwind-link change to use RTLD_NODELETE could go in separately.
>>
>> Ok, I will send a separate patch.
>>
>>>
>>>> diff --git a/misc/unwind-link.c b/misc/unwind-link.c
>>>> index 213a0162a4..7267ecbec3 100644
>>>> --- a/misc/unwind-link.c
>>>> +++ b/misc/unwind-link.c
>>>
>>>> @@ -100,7 +100,8 @@ __libc_unwind_link_get (void)
>>>>
>>>> __libc_lock_lock (lock);
>>>> if (atomic_load_relaxed (&global_libgcc_handle) != NULL)
>>>> - /* This thread lost the race. Clean up. */
>>>> + /* This thread lost the race. Drop the l_direct_opencount and issue
>>>> + the debug log. */
>>>> __libc_dlclose (local_libgcc_handle);
>>>> else
>>>> {
>>>
>>> I don't understand what “debug log” means in this context.
>>
>> Sorry, I meant the __libc_unwind_link_freeres usually triggered by
>> memory profilers. With sealing the dlclose won't unmap the memory.
>
> I still don't understand the comment.
>
> We can still deallocate the helper data structures. With the switch to
> read-only link maps, most of the allocations will be hidden from malloc
> tracing anyway and no longer appear as leaks.
I am not sure if valgrind or any memory profilers won't complain about
lingering map segments, but you are right that at least regarding
_dl_unmap_segments we don't really check the unmmap result.
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-11 15:27 ` [RFC 3/5] elf: Add support to memory sealing Adhemerval Zanella
2024-06-11 20:47 ` Jonathan Corbet
@ 2024-06-21 5:09 ` Mike Hommey
2024-06-25 21:07 ` Adhemerval Zanella Netto
2024-06-27 23:00 ` Mike Hommey
1 sibling, 2 replies; 26+ messages in thread
From: Mike Hommey @ 2024-06-21 5:09 UTC (permalink / raw)
To: Adhemerval Zanella; +Cc: libc-alpha
On Tue, Jun 11, 2024 at 12:27:06PM -0300, Adhemerval Zanella wrote:
> The new Linux mseal syscall allows seal memory mappings to avoid
> further changes such as memory protection or remap. The sealing
> is done in multiple places where the memory is supposed to
> be immutable over program execution:
>
> * All shared library dependencies from the binary, including the
> read-only segments after PT_GNU_RELRO setup.
For what it's worth, this will break current Firefox binaries from
mozilla.org.
Why? Long story short, they are linked with both -Wl,-z,pack-relative-relocs
and -Wl,-z,relro, but because they need to run on old and new systems,
and because the first glibc insists that a binary using RELR relocations
_has_ to have a dependency on the GLIBC_ABI_DT_RELR symbol version,
which is not backwards compatible with older glibcs, the Firefox
binaries are edited to change the DT_RELR tags to something else,
and they contain an init function that applies the relocations instead
of ld.so. That code also temporarily undoes the RELRO madvise to be
able to apply those relocations, and redoes it afterwards.
mseal would prevent that temporary undoing from working and make Firefox
crash on startup.
Had the GLIBC_ABI_DT_RELR symbol version not been a hard requirement, we
wouldn't have ended up in this situation, but here we are.
I'm not sure what the best way to handle the situation would be.
Obviously, there are hackish ways to handle the situation, like removing
the PT_GNU_RELRO and applying it and the mseal manually.
One question is, should a binary be able to opt out of the seal for
whatever reason, individually? (rather than the global tunable, which a
binary can't opt-into on its own, too, although in Firefox's case,
there's a wrapper binary that could set GLIBC_TUNABLES...).
Sorry for the rambling. All the gory details on https://glandium.org/blog/?p=4297.
Mike
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-21 5:09 ` Mike Hommey
@ 2024-06-25 21:07 ` Adhemerval Zanella Netto
2024-06-25 23:18 ` Mike Hommey
2024-06-27 23:00 ` Mike Hommey
1 sibling, 1 reply; 26+ messages in thread
From: Adhemerval Zanella Netto @ 2024-06-25 21:07 UTC (permalink / raw)
To: Mike Hommey; +Cc: libc-alpha, DJ Delorie
On 21/06/24 02:09, Mike Hommey wrote:
> On Tue, Jun 11, 2024 at 12:27:06PM -0300, Adhemerval Zanella wrote:
>> The new Linux mseal syscall allows seal memory mappings to avoid
>> further changes such as memory protection or remap. The sealing
>> is done in multiple places where the memory is supposed to
>> be immutable over program execution:
>>
>> * All shared library dependencies from the binary, including the
>> read-only segments after PT_GNU_RELRO setup.
>
> For what it's worth, this will break current Firefox binaries from
> mozilla.org.
>
> Why? Long story short, they are linked with both -Wl,-z,pack-relative-relocs
> and -Wl,-z,relro, but because they need to run on old and new systems,
> and because the first glibc insists that a binary using RELR relocations
> _has_ to have a dependency on the GLIBC_ABI_DT_RELR symbol version,
> which is not backwards compatible with older glibcs, the Firefox
> binaries are edited to change the DT_RELR tags to something else,
> and they contain an init function that applies the relocations instead
> of ld.so. That code also temporarily undoes the RELRO madvise to be
> able to apply those relocations, and redoes it afterwards.
>
> mseal would prevent that temporary undoing from working and make Firefox
> crash on startup.
>
> Had the GLIBC_ABI_DT_RELR symbol version not been a hard requirement, we
> wouldn't have ended up in this situation, but here we are.
There was a recent question about the the need of GLIBC_ABI_DT_RELR on
libc-help maillist [1] and the main reason, as Florian has said, is to
avoid hard to debug crashes with binaries/libraries built with DT_RELR
on glibc versions that do not support DT_RELR.
>
> I'm not sure what the best way to handle the situation would be.
> Obviously, there are hackish ways to handle the situation, like removing
> the PT_GNU_RELRO and applying it and the mseal manually.
Well that's the price you pay by bypassing the loader without a proper
interface to do so, the result will most likely be brittle. At least with
this RFC you can always disable sealing and apply it yourself after the
_init hack described in the post.
>
> One question is, should a binary be able to opt out of the seal for
> whatever reason, individually? (rather than the global tunable, which a
> binary can't opt-into on its own, too, although in Firefox's case,
> there's a wrapper binary that could set GLIBC_TUNABLES...).
Currently there is not ELF marking like GNU_PROPERTY_AARCH64_FEATURE_1_AND
for aarch64 BTI, although I won't oppose adding something similar. However,
I still think we should still apply sealing as default, and make the
sealing flag as opt-out (so we will have hardening as default). And I think
if it is the idea, to also add its support on same version that sealing was
added to avoid the same issue you trying to hack with RELR.
There is also some discussion on adding system-wide tunables, and my plan
would to allow to add binary specific rules (DJ is working on this).
What I *really* do not want is to add interface sto operate on sealing/hardening
for link_maps (to for instance, disable sealing and apply it after main with
a libc function). These tend to become quite complex and bleed out implementation
details, and, as you have put in the blog post, obsolete over time.
>
> Sorry for the rambling. All the gory details on https://glandium.org/blog/?p=4297.
[1] https://sourceware.org/pipermail/libc-help/2024-June/006701.html
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-25 21:07 ` Adhemerval Zanella Netto
@ 2024-06-25 23:18 ` Mike Hommey
2024-06-26 11:58 ` Adhemerval Zanella Netto
0 siblings, 1 reply; 26+ messages in thread
From: Mike Hommey @ 2024-06-25 23:18 UTC (permalink / raw)
To: Adhemerval Zanella Netto; +Cc: libc-alpha, DJ Delorie
Thanks for your answer. Just an additional comment below.
On Tue, Jun 25, 2024 at 06:07:23PM -0300, Adhemerval Zanella Netto wrote:
> There was a recent question about the the need of GLIBC_ABI_DT_RELR on
> libc-help maillist [1] and the main reason, as Florian has said, is to
> avoid hard to debug crashes with binaries/libraries built with DT_RELR
> on glibc versions that do not support DT_RELR.
That's a valid reason for the linker to add the version dependency, not
for ld.so to enforce it. But it's too late to relax it anyways.
Mike
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-25 23:18 ` Mike Hommey
@ 2024-06-26 11:58 ` Adhemerval Zanella Netto
2024-06-26 19:58 ` Mike Hommey
0 siblings, 1 reply; 26+ messages in thread
From: Adhemerval Zanella Netto @ 2024-06-26 11:58 UTC (permalink / raw)
To: Mike Hommey; +Cc: libc-alpha, DJ Delorie
On 25/06/24 20:18, Mike Hommey wrote:
> Thanks for your answer. Just an additional comment below.
>
> On Tue, Jun 25, 2024 at 06:07:23PM -0300, Adhemerval Zanella Netto wrote:
>> There was a recent question about the the need of GLIBC_ABI_DT_RELR on
>> libc-help maillist [1] and the main reason, as Florian has said, is to
>> avoid hard to debug crashes with binaries/libraries built with DT_RELR
>> on glibc versions that do not support DT_RELR.
>
> That's a valid reason for the linker to add the version dependency, not
> for ld.so to enforce it. But it's too late to relax it anyways.
Old glibc will just ignore the DT_RELR, meaning that relocation won't apply
and the binary will misbehave after loading time. We are moving away of
such failures mode because such issues are really hard to debug, you have
to know both dynamic linker and ELF internals to understand why your library
that you built with a recent binutils works on a recent glibc but fails on
an older one.
Enforcing it is the main reason to add the version dependency.
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-26 11:58 ` Adhemerval Zanella Netto
@ 2024-06-26 19:58 ` Mike Hommey
2024-06-26 21:20 ` Adhemerval Zanella Netto
0 siblings, 1 reply; 26+ messages in thread
From: Mike Hommey @ 2024-06-26 19:58 UTC (permalink / raw)
To: Adhemerval Zanella Netto; +Cc: libc-alpha, DJ Delorie
On Wed, Jun 26, 2024 at 08:58:30AM -0300, Adhemerval Zanella Netto wrote:
>
>
> On 25/06/24 20:18, Mike Hommey wrote:
> > Thanks for your answer. Just an additional comment below.
> >
> > On Tue, Jun 25, 2024 at 06:07:23PM -0300, Adhemerval Zanella Netto wrote:
> >> There was a recent question about the the need of GLIBC_ABI_DT_RELR on
> >> libc-help maillist [1] and the main reason, as Florian has said, is to
> >> avoid hard to debug crashes with binaries/libraries built with DT_RELR
> >> on glibc versions that do not support DT_RELR.
> >
> > That's a valid reason for the linker to add the version dependency, not
> > for ld.so to enforce it. But it's too late to relax it anyways.
>
> Old glibc will just ignore the DT_RELR, meaning that relocation won't apply
> and the binary will misbehave after loading time. We are moving away of
> such failures mode because such issues are really hard to debug, you have
> to know both dynamic linker and ELF internals to understand why your library
> that you built with a recent binutils works on a recent glibc but fails on
> an older one.
The point is, if you built your binary with a recent binutils, it
already won't run on an old glibc because of the version dependency.
That will happen whether or not the newer glibc barks when the version
dependency is not there.
Mike
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-26 19:58 ` Mike Hommey
@ 2024-06-26 21:20 ` Adhemerval Zanella Netto
2024-06-26 21:39 ` Mike Hommey
0 siblings, 1 reply; 26+ messages in thread
From: Adhemerval Zanella Netto @ 2024-06-26 21:20 UTC (permalink / raw)
To: Mike Hommey; +Cc: libc-alpha, DJ Delorie
On 26/06/24 16:58, Mike Hommey wrote:
> On Wed, Jun 26, 2024 at 08:58:30AM -0300, Adhemerval Zanella Netto wrote:
>>
>>
>> On 25/06/24 20:18, Mike Hommey wrote:
>>> Thanks for your answer. Just an additional comment below.
>>>
>>> On Tue, Jun 25, 2024 at 06:07:23PM -0300, Adhemerval Zanella Netto wrote:
>>>> There was a recent question about the the need of GLIBC_ABI_DT_RELR on
>>>> libc-help maillist [1] and the main reason, as Florian has said, is to
>>>> avoid hard to debug crashes with binaries/libraries built with DT_RELR
>>>> on glibc versions that do not support DT_RELR.
>>>
>>> That's a valid reason for the linker to add the version dependency, not
>>> for ld.so to enforce it. But it's too late to relax it anyways.
>>
>> Old glibc will just ignore the DT_RELR, meaning that relocation won't apply
>> and the binary will misbehave after loading time. We are moving away of
>> such failures mode because such issues are really hard to debug, you have
>> to know both dynamic linker and ELF internals to understand why your library
>> that you built with a recent binutils works on a recent glibc but fails on
>> an older one.
>
> The point is, if you built your binary with a recent binutils, it
> already won't run on an old glibc because of the version dependency.
> That will happen whether or not the newer glibc barks when the version
> dependency is not there.
The version dependency is only added if you explicitly use DT_RELR,
which is an optional feature, otherwise the version tags will be ones
from the glibc version is building against. Different PT_GNU_RELRO, which
is also optional and added a opt-in hardening, specifying DT_RELR and r
unning on old loader will cause runtime inconsistency.
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-26 21:20 ` Adhemerval Zanella Netto
@ 2024-06-26 21:39 ` Mike Hommey
2024-06-26 21:56 ` Adhemerval Zanella Netto
0 siblings, 1 reply; 26+ messages in thread
From: Mike Hommey @ 2024-06-26 21:39 UTC (permalink / raw)
To: Adhemerval Zanella Netto; +Cc: libc-alpha, DJ Delorie
On Wed, Jun 26, 2024 at 06:20:22PM -0300, Adhemerval Zanella Netto wrote:
>
>
> On 26/06/24 16:58, Mike Hommey wrote:
> > On Wed, Jun 26, 2024 at 08:58:30AM -0300, Adhemerval Zanella Netto wrote:
> >>
> >>
> >> On 25/06/24 20:18, Mike Hommey wrote:
> >>> Thanks for your answer. Just an additional comment below.
> >>>
> >>> On Tue, Jun 25, 2024 at 06:07:23PM -0300, Adhemerval Zanella Netto wrote:
> >>>> There was a recent question about the the need of GLIBC_ABI_DT_RELR on
> >>>> libc-help maillist [1] and the main reason, as Florian has said, is to
> >>>> avoid hard to debug crashes with binaries/libraries built with DT_RELR
> >>>> on glibc versions that do not support DT_RELR.
> >>>
> >>> That's a valid reason for the linker to add the version dependency, not
> >>> for ld.so to enforce it. But it's too late to relax it anyways.
> >>
> >> Old glibc will just ignore the DT_RELR, meaning that relocation won't apply
> >> and the binary will misbehave after loading time. We are moving away of
> >> such failures mode because such issues are really hard to debug, you have
> >> to know both dynamic linker and ELF internals to understand why your library
> >> that you built with a recent binutils works on a recent glibc but fails on
> >> an older one.
> >
> > The point is, if you built your binary with a recent binutils, it
> > already won't run on an old glibc because of the version dependency.
> > That will happen whether or not the newer glibc barks when the version
> > dependency is not there.
>
> The version dependency is only added if you explicitly use DT_RELR,
> which is an optional feature, otherwise the version tags will be ones
> from the glibc version is building against. Different PT_GNU_RELRO, which
> is also optional and added a opt-in hardening, specifying DT_RELR and r
> unning on old loader will cause runtime inconsistency.
I'm not talking about PT_GNU_RELRO here. My point is, if you build your
binary with a recent binutils and opt-in to DT_RELR, the linker is going
to add the GLIBC_ABI_DT_RELR dependency. If you have a binary using
DT_RELR without a GLIBC_ABI_DT_RELR dependency, it was not produced by a
recent binutils. Currently, the only way to end up in a situation where
you don't have the version depenendency is to either use an old lld
flag, or edit ELF headers manually, and in both cases, you'd be asking
for it. The ld.so check is unnecessary.
But as I said already, it's already too late, it doesn't matter anymore.
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-26 21:39 ` Mike Hommey
@ 2024-06-26 21:56 ` Adhemerval Zanella Netto
0 siblings, 0 replies; 26+ messages in thread
From: Adhemerval Zanella Netto @ 2024-06-26 21:56 UTC (permalink / raw)
To: Mike Hommey; +Cc: libc-alpha, H.J. Lu, Fangrui Song
On 26/06/24 18:39, Mike Hommey wrote:
> On Wed, Jun 26, 2024 at 06:20:22PM -0300, Adhemerval Zanella Netto wrote:
>>
>>
>> On 26/06/24 16:58, Mike Hommey wrote:
>>> On Wed, Jun 26, 2024 at 08:58:30AM -0300, Adhemerval Zanella Netto wrote:
>>>>
>>>>
>>>> On 25/06/24 20:18, Mike Hommey wrote:
>>>>> Thanks for your answer. Just an additional comment below.
>>>>>
>>>>> On Tue, Jun 25, 2024 at 06:07:23PM -0300, Adhemerval Zanella Netto wrote:
>>>>>> There was a recent question about the the need of GLIBC_ABI_DT_RELR on
>>>>>> libc-help maillist [1] and the main reason, as Florian has said, is to
>>>>>> avoid hard to debug crashes with binaries/libraries built with DT_RELR
>>>>>> on glibc versions that do not support DT_RELR.
>>>>>
>>>>> That's a valid reason for the linker to add the version dependency, not
>>>>> for ld.so to enforce it. But it's too late to relax it anyways.
>>>>
>>>> Old glibc will just ignore the DT_RELR, meaning that relocation won't apply
>>>> and the binary will misbehave after loading time. We are moving away of
>>>> such failures mode because such issues are really hard to debug, you have
>>>> to know both dynamic linker and ELF internals to understand why your library
>>>> that you built with a recent binutils works on a recent glibc but fails on
>>>> an older one.
>>>
>>> The point is, if you built your binary with a recent binutils, it
>>> already won't run on an old glibc because of the version dependency.
>>> That will happen whether or not the newer glibc barks when the version
>>> dependency is not there.
>>
>> The version dependency is only added if you explicitly use DT_RELR,
>> which is an optional feature, otherwise the version tags will be ones
>> from the glibc version is building against. Different PT_GNU_RELRO, which
>> is also optional and added a opt-in hardening, specifying DT_RELR and r
>> unning on old loader will cause runtime inconsistency.
>
> I'm not talking about PT_GNU_RELRO here. My point is, if you build your
> binary with a recent binutils and opt-in to DT_RELR, the linker is going
> to add the GLIBC_ABI_DT_RELR dependency. If you have a binary using
> DT_RELR without a GLIBC_ABI_DT_RELR dependency, it was not produced by a
> recent binutils. Currently, the only way to end up in a situation where
> you don't have the version depenendency is to either use an old lld
> flag, or edit ELF headers manually, and in both cases, you'd be asking
> for it. The ld.so check is unnecessary.
>
> But as I said already, it's already too late, it doesn't matter anymore.
But DT_RELR was added on glibc before binutils support with the precondition
that GLIBC_ABI_DT_RELR should be added, as per contract. H.J implemented
it on x86 Fangrui adapted it on lld side.
A binary with DT_RELR without GLIBC_ABI_DT_RELR was never supported, you
could have created with some lld version *before* supported was added on
glibc.
The GLIBC_ABI_DT_RELR dependency was added exactly to avoid the very hack
you are trying to do: building a binary that might eventually trigger
runtime inconsistency depending of the glibc version you ran it.
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-21 5:09 ` Mike Hommey
2024-06-25 21:07 ` Adhemerval Zanella Netto
@ 2024-06-27 23:00 ` Mike Hommey
2024-06-28 5:51 ` Florian Weimer
1 sibling, 1 reply; 26+ messages in thread
From: Mike Hommey @ 2024-06-27 23:00 UTC (permalink / raw)
To: Adhemerval Zanella; +Cc: libc-alpha
On Fri, Jun 21, 2024 at 02:09:04PM +0900, Mike Hommey wrote:
> On Tue, Jun 11, 2024 at 12:27:06PM -0300, Adhemerval Zanella wrote:
> > The new Linux mseal syscall allows seal memory mappings to avoid
> > further changes such as memory protection or remap. The sealing
> > is done in multiple places where the memory is supposed to
> > be immutable over program execution:
> >
> > * All shared library dependencies from the binary, including the
> > read-only segments after PT_GNU_RELRO setup.
>
> For what it's worth, this will break current Firefox binaries from
> mozilla.org.
>
> Why? Long story short, they are linked with both -Wl,-z,pack-relative-relocs
> and -Wl,-z,relro, but because they need to run on old and new systems,
> and because the first glibc insists that a binary using RELR relocations
> _has_ to have a dependency on the GLIBC_ABI_DT_RELR symbol version,
> which is not backwards compatible with older glibcs, the Firefox
> binaries are edited to change the DT_RELR tags to something else,
> and they contain an init function that applies the relocations instead
> of ld.so. That code also temporarily undoes the RELRO madvise to be
> able to apply those relocations, and redoes it afterwards.
>
> mseal would prevent that temporary undoing from working and make Firefox
> crash on startup.
>
> Had the GLIBC_ABI_DT_RELR symbol version not been a hard requirement, we
> wouldn't have ended up in this situation, but here we are.
>
> I'm not sure what the best way to handle the situation would be.
> Obviously, there are hackish ways to handle the situation, like removing
> the PT_GNU_RELRO and applying it and the mseal manually.
I just realized this can't work. For some reason I had the impression
the mseal was applied to the RELRO segment, but it's over the entire
library, which makes sense, in hindsight. The problem is that if we
remove RELRO, then... we can't even reapply it afterwards because of the
mseal, leaving us with a writable data section.
But if we disable mseal, we only get to disable it for everything, not
only our libs! (and only if we re-exec with GLIBC_TUNABLES set?)
Mike
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-27 23:00 ` Mike Hommey
@ 2024-06-28 5:51 ` Florian Weimer
2024-06-28 5:58 ` Mike Hommey
0 siblings, 1 reply; 26+ messages in thread
From: Florian Weimer @ 2024-06-28 5:51 UTC (permalink / raw)
To: Mike Hommey; +Cc: Adhemerval Zanella, libc-alpha
* Mike Hommey:
> I just realized this can't work. For some reason I had the impression
> the mseal was applied to the RELRO segment, but it's over the entire
> library, which makes sense, in hindsight. The problem is that if we
> remove RELRO, then... we can't even reapply it afterwards because of the
> mseal, leaving us with a writable data section.
> But if we disable mseal, we only get to disable it for everything, not
> only our libs! (and only if we re-exec with GLIBC_TUNABLES set?)
We can introduce a flag in a dynamic tag at the same time we implement
mseal. The flag would isntruct the dynamic linker to skip mseal. It's
going to be some time until link editors know about the flag, but that
doesn't matter in your case because you have a custom linker anyway,
more or less.
Thanks,
Florian
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-28 5:51 ` Florian Weimer
@ 2024-06-28 5:58 ` Mike Hommey
2024-06-28 6:06 ` Florian Weimer
0 siblings, 1 reply; 26+ messages in thread
From: Mike Hommey @ 2024-06-28 5:58 UTC (permalink / raw)
To: Florian Weimer; +Cc: Adhemerval Zanella, libc-alpha
On Fri, Jun 28, 2024 at 07:51:05AM +0200, Florian Weimer wrote:
> * Mike Hommey:
>
> > I just realized this can't work. For some reason I had the impression
> > the mseal was applied to the RELRO segment, but it's over the entire
> > library, which makes sense, in hindsight. The problem is that if we
> > remove RELRO, then... we can't even reapply it afterwards because of the
> > mseal, leaving us with a writable data section.
> > But if we disable mseal, we only get to disable it for everything, not
> > only our libs! (and only if we re-exec with GLIBC_TUNABLES set?)
>
> We can introduce a flag in a dynamic tag at the same time we implement
> mseal. The flag would isntruct the dynamic linker to skip mseal. It's
> going to be some time until link editors know about the flag, but that
> doesn't matter in your case because you have a custom linker anyway,
> more or less.
That would be the most useful, thank you. Are you thinking about some
DT_FLAGS/DT_FLAGS_1, or some other (new) tag?
Mike
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-28 5:58 ` Mike Hommey
@ 2024-06-28 6:06 ` Florian Weimer
2024-06-28 7:39 ` Mike Hommey
0 siblings, 1 reply; 26+ messages in thread
From: Florian Weimer @ 2024-06-28 6:06 UTC (permalink / raw)
To: Mike Hommey; +Cc: Adhemerval Zanella, libc-alpha
* Mike Hommey:
> On Fri, Jun 28, 2024 at 07:51:05AM +0200, Florian Weimer wrote:
>> * Mike Hommey:
>>
>> > I just realized this can't work. For some reason I had the impression
>> > the mseal was applied to the RELRO segment, but it's over the entire
>> > library, which makes sense, in hindsight. The problem is that if we
>> > remove RELRO, then... we can't even reapply it afterwards because of the
>> > mseal, leaving us with a writable data section.
>> > But if we disable mseal, we only get to disable it for everything, not
>> > only our libs! (and only if we re-exec with GLIBC_TUNABLES set?)
>>
>> We can introduce a flag in a dynamic tag at the same time we implement
>> mseal. The flag would isntruct the dynamic linker to skip mseal. It's
>> going to be some time until link editors know about the flag, but that
>> doesn't matter in your case because you have a custom linker anyway,
>> more or less.
>
> That would be the most useful, thank you. Are you thinking about some
> DT_FLAGS/DT_FLAGS_1, or some other (new) tag?
I think we'd add this to the GNU generic ABI or the Linux ABI, so we
can't use the existing flag tags.
Thanks,
Florian
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [RFC 3/5] elf: Add support to memory sealing
2024-06-28 6:06 ` Florian Weimer
@ 2024-06-28 7:39 ` Mike Hommey
0 siblings, 0 replies; 26+ messages in thread
From: Mike Hommey @ 2024-06-28 7:39 UTC (permalink / raw)
To: Florian Weimer; +Cc: Adhemerval Zanella, libc-alpha
On Fri, Jun 28, 2024 at 08:06:46AM +0200, Florian Weimer wrote:
> * Mike Hommey:
>
> > On Fri, Jun 28, 2024 at 07:51:05AM +0200, Florian Weimer wrote:
> >> * Mike Hommey:
> >>
> >> > I just realized this can't work. For some reason I had the impression
> >> > the mseal was applied to the RELRO segment, but it's over the entire
> >> > library, which makes sense, in hindsight. The problem is that if we
> >> > remove RELRO, then... we can't even reapply it afterwards because of the
> >> > mseal, leaving us with a writable data section.
> >> > But if we disable mseal, we only get to disable it for everything, not
> >> > only our libs! (and only if we re-exec with GLIBC_TUNABLES set?)
> >>
> >> We can introduce a flag in a dynamic tag at the same time we implement
> >> mseal. The flag would isntruct the dynamic linker to skip mseal. It's
> >> going to be some time until link editors know about the flag, but that
> >> doesn't matter in your case because you have a custom linker anyway,
> >> more or less.
> >
> > That would be the most useful, thank you. Are you thinking about some
> > DT_FLAGS/DT_FLAGS_1, or some other (new) tag?
>
> I think we'd add this to the GNU generic ABI or the Linux ABI, so we
> can't use the existing flag tags.
https://sourceware.org/gnu-gabi/program-loading-and-dynamic-linking.txt
lists DT_GNU_FLAGS_1, although it's not in glibc.
Mike
^ permalink raw reply [flat|nested] 26+ messages in thread
end of thread, other threads:[~2024-06-28 7:39 UTC | newest]
Thread overview: 26+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-06-11 15:27 [RFC 0/5] Add support for memory sealing Adhemerval Zanella
2024-06-11 15:27 ` [RFC 1/5] linux: Remove __stack_prot Adhemerval Zanella
2024-06-11 19:15 ` Florian Weimer
2024-06-11 15:27 ` [RFC 2/5] linux: Add mseal syscall support Adhemerval Zanella
2024-06-11 15:27 ` [RFC 3/5] elf: Add support to memory sealing Adhemerval Zanella
2024-06-11 20:47 ` Jonathan Corbet
2024-06-11 21:03 ` Adhemerval Zanella
2024-06-21 5:09 ` Mike Hommey
2024-06-25 21:07 ` Adhemerval Zanella Netto
2024-06-25 23:18 ` Mike Hommey
2024-06-26 11:58 ` Adhemerval Zanella Netto
2024-06-26 19:58 ` Mike Hommey
2024-06-26 21:20 ` Adhemerval Zanella Netto
2024-06-26 21:39 ` Mike Hommey
2024-06-26 21:56 ` Adhemerval Zanella Netto
2024-06-27 23:00 ` Mike Hommey
2024-06-28 5:51 ` Florian Weimer
2024-06-28 5:58 ` Mike Hommey
2024-06-28 6:06 ` Florian Weimer
2024-06-28 7:39 ` Mike Hommey
2024-06-11 15:27 ` [RFC 4/5] elf: Enable RTLD_NODELETE on __libc_unwind_link_get Adhemerval Zanella
2024-06-12 9:54 ` Florian Weimer
2024-06-12 17:16 ` Adhemerval Zanella Netto
2024-06-12 17:50 ` Florian Weimer
2024-06-12 17:55 ` Adhemerval Zanella Netto
2024-06-11 15:27 ` [RFC 5/5] elf: Add support to memory sealing for audit modules Adhemerval Zanella
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).