Re: [PATCH v5] rtld: Add glibc.rtld.enable_secure tunable.

[Siddhesh Poyarekar <siddhesh@gotplt.org>]

On 2024-01-12 13:23, Joe Simmons-Talbott wrote:
> Add a tunable for setting __libc_enable_secure to 1.  Do not set
> __libc_enable_secure to 0 if the tunable is set to 0.  Ignore all
> tunables if glib.rtld.enable_secure is set.  One use-case for this
> addition is to enable testing code paths that depend on
> __libc_enable_secure being set without the need to use setxid binaries.

Thanks for doing this!  Please note the review comments below; there's a 
tiny nit in the NEWS file and some other notes.  Please fix the nit and 
commit this and then send a [committed] email of the final patch to the 
list so that there's a record.

The only thing missing here is a manual change documenting this tunable. 
  Can you please send a follow-up patch for that?

Thanks,
Sid

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

> ---
> Changes to v4:
>    * Update copyright date to 2024 for new testcase.
> 
> Changes to v3:
>    * Rebase and fix merge conflict in NEWS.
> 
> Changes to v2:
>    * handle the tunable in __tunables_init so that it's done in a single
>      place.
>    * ignore all tunables if the tunable is set.
>    * update the testcase to only check the tunables if the enable_secure
>      tunable is not set.
>    * don't add tunables_strcmp as there is now already a version.
> 
> Changes to v1:
>    * handle the tunable for the dynamic loader as well.
> 
>   NEWS                             |   5 ++
>   elf/Makefile                     |   2 +
>   elf/dl-tunables.c                |  11 +++
>   elf/dl-tunables.list             |   6 ++
>   elf/tst-rtld-list-tunables.exp   |   1 +
>   elf/tst-tunables-enable_secure.c | 126 +++++++++++++++++++++++++++++++
>   6 files changed, 151 insertions(+)
>   create mode 100644 elf/tst-tunables-enable_secure.c
> 
> diff --git a/NEWS b/NEWS
> index 83ae627f47..aff44f6d7f 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -55,6 +55,11 @@ Major new features:
>     unsigned char, unsigned short, unsigned int, unsigned long int and
>     unsigned long long int, and a type-generic macro.
>   
> +* A new tunable, glibc.rtld.enable_secure, used to run a program
> +  as if it were a setuid process, enabling a number of security features. This
> +  is currently a testing tool to allow more extensive verification tests for
> +  AT_SECURE programs and not meant to be a security feature.

Maybe drop "enabling a number of security features", because it 
conflicts with "not meant to be a security feature"?

> +
>   Deprecated and removed features, and other changes affecting compatibility:
>   
>   * The ldconfig program now skips file names containing ';' or ending in
> diff --git a/elf/Makefile b/elf/Makefile
> index 5d78b659ce..45a6aa7a8d 100644
> --- a/elf/Makefile
> +++ b/elf/Makefile
> @@ -285,6 +285,7 @@ tests-static-internal := \
>     tst-tls1-static \
>     tst-tls1-static-non-pie \
>     tst-tunables \
> +  tst-tunables-enable_secure \
>     # tests-static-internal
>   
>   CRT-tst-tls1-static-non-pie := $(csu-objpfx)crt1.o
> @@ -2676,6 +2677,7 @@ $(objpfx)tst-glibc-hwcaps-mask.out: \
>   $(objpfx)tst-glibc-hwcaps-cache.out: $(objpfx)tst-glibc-hwcaps
>   
>   tst-tunables-ARGS = -- $(host-test-program-cmd)
> +tst-tunables-enable_secure-ARGS = -- $(host-test-program-cmd)
>   
>   $(objpfx)list-tunables.out: tst-rtld-list-tunables.sh $(objpfx)ld.so
>   	$(SHELL) $< $(objpfx)ld.so '$(test-wrapper-env)' \
> diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
> index 03e1a68675..d3ccd2ecd4 100644
> --- a/elf/dl-tunables.c
> +++ b/elf/dl-tunables.c
> @@ -223,6 +223,17 @@ parse_tunables_string (const char *valstring, struct tunable_toset_t *tunables)
>   	    {
>   	      tunables[ntunables++] =
>   		(struct tunable_toset_t) { cur, value, p - value };
> +
> +	      /* Ignore tunables if enable_secure is set */
> +	      if (tunable_is_name ("glibc.rtld.enable_secure", name))
> +		{
> +                  tunable_num_t val = (tunable_num_t) _dl_strtoul (value, NULL);
> +		  if (val == 1)
> +		    {
> +		      __libc_enable_secure = 1;
> +		      return 0;
> +		    }
> +		}

Enable sxid and ignore all tunables.  It never disables 
__libc_enable_secure because we never come here if it's enabled.  OK. 
This detail should get mentioned in the manual so that we hold ourselves 
to that standard.

>   	      break;
>   	    }
>   	}
> diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
> index 1b40407814..1186272c81 100644
> --- a/elf/dl-tunables.list
> +++ b/elf/dl-tunables.list
> @@ -136,6 +136,12 @@ glibc {
>         minval: 0
>         default: 512
>       }
> +    enable_secure {
> +      type: INT_32
> +      minval: 0
> +      maxval: 1
> +      default: 0
> +    }
>     }
>   
>     mem {
> diff --git a/elf/tst-rtld-list-tunables.exp b/elf/tst-rtld-list-tunables.exp
> index 2233ea9c7c..db0e1c86e9 100644
> --- a/elf/tst-rtld-list-tunables.exp
> +++ b/elf/tst-rtld-list-tunables.exp
> @@ -12,5 +12,6 @@ glibc.malloc.tcache_unsorted_limit: 0x0 (min: 0x0, max: 0x[f]+)
>   glibc.malloc.top_pad: 0x20000 (min: 0x0, max: 0x[f]+)
>   glibc.malloc.trim_threshold: 0x0 (min: 0x0, max: 0x[f]+)
>   glibc.rtld.dynamic_sort: 2 (min: 1, max: 2)
> +glibc.rtld.enable_secure: 0 (min: 0, max: 1)
>   glibc.rtld.nns: 0x4 (min: 0x1, max: 0x10)
>   glibc.rtld.optional_static_tls: 0x200 (min: 0x0, max: 0x[f]+)
> diff --git a/elf/tst-tunables-enable_secure.c b/elf/tst-tunables-enable_secure.c
> new file mode 100644
> index 0000000000..e31e1f7faa
> --- /dev/null
> +++ b/elf/tst-tunables-enable_secure.c
> @@ -0,0 +1,126 @@
> +/* Check GLIBC_TUNABLES parsing for enable_secure.
> +   Copyright (C) 2024 Free Software Foundation, Inc.
> +   This file is part of the GNU C Library.
> +
> +   The GNU C Library is free software; you can redistribute it and/or
> +   modify it under the terms of the GNU Lesser General Public
> +   License as published by the Free Software Foundation; either
> +   version 2.1 of the License, or (at your option) any later version.
> +
> +   The GNU C Library is distributed in the hope that it will be useful,
> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +   Lesser General Public License for more details.
> +
> +   You should have received a copy of the GNU Lesser General Public
> +   License along with the GNU C Library; if not, see
> +   <https://www.gnu.org/licenses/>.  */
> +
> +#include <array_length.h>
> +#include <dl-tunables.h>
> +#include <getopt.h>
> +#include <intprops.h>
> +#include <stdint.h>
> +#include <stdlib.h>
> +#include <support/capture_subprocess.h>
> +#include <support/check.h>
> +#include <sys/auxv.h>
> +#include <unistd.h>
> +
> +static int restart;
> +#define CMDLINE_OPTIONS \
> +  { "restart", no_argument, &restart, 1 },
> +
> +static const struct test_t
> +{
> +  const char *env;
> +  int32_t expected_malloc_check;
> +  int32_t expected_enable_secure;
> +} tests[] =
> +{
> +  /* Expected tunable format.  */
> +  /* Tunables should be ignored if enable_secure is set. */
> +  {
> +    "glibc.malloc.check=2:glibc.rtld.enable_secure=1",
> +    0,
> +    1,
> +  },
> +  /* Tunables should be ignored if enable_secure is set. */
> +  {
> +    "glibc.rtld.enable_secure=1:glibc.malloc.check=2",
> +    0,
> +    1,
> +  },
> +  /* Tunables should be set if enable_secure is unset. */
> +  {
> +    "glibc.rtld.enable_secure=0:glibc.malloc.check=2",
> +    2,
> +    0,
> +  },
> +};
> +
> +static int
> +handle_restart (int i)
> +{
> +  if (tests[i].expected_enable_secure == 1)
> +    {
> +      TEST_COMPARE (1, __libc_enable_secure);
> +    }
> +  else
> +    {
> +      TEST_COMPARE (tests[i].expected_malloc_check,
> +		    TUNABLE_GET_FULL (glibc, malloc, check, int32_t, NULL));
> +      TEST_COMPARE (tests[i].expected_enable_secure,
> +		    TUNABLE_GET_FULL (glibc, rtld, enable_secure, int32_t,
> +		    NULL));
> +    }
> +  return 0;
> +}
> +
> +static int
> +do_test (int argc, char *argv[])
> +{
> +  /* We must have either:
> +     - One or four parameters left if called initially:
> +       + path to ld.so         optional
> +       + "--library-path"      optional
> +       + the library path      optional
> +       + the application name
> +       + the test to check  */
> +
> +  TEST_VERIFY_EXIT (argc == 2 || argc == 5);
> +
> +  if (restart)
> +    return handle_restart (atoi (argv[1]));
> +
> +  char nteststr[INT_BUFSIZE_BOUND (int)];
> +
> +  char *spargv[10];
> +  {
> +    int i = 0;
> +    for (; i < argc - 1; i++)
> +      spargv[i] = argv[i + 1];
> +    spargv[i++] = (char *) "--direct";
> +    spargv[i++] = (char *) "--restart";
> +    spargv[i++] = nteststr;
> +    spargv[i] = NULL;
> +  }
> +
> +  for (int i = 0; i < array_length (tests); i++)
> +    {
> +      snprintf (nteststr, sizeof nteststr, "%d", i);
> +
> +      printf ("[%d] Spawned test for %s\n", i, tests[i].env);
> +      setenv ("GLIBC_TUNABLES", tests[i].env, 1);
> +      struct support_capture_subprocess result
> +	= support_capture_subprogram (spargv[0], spargv);
> +      support_capture_subprocess_check (&result, "tst-tunables-enable_secure",
> +		                        0, sc_allow_stderr);
> +      support_capture_subprocess_free (&result);
> +    }
> +
> +  return 0;
> +}
> +
> +#define TEST_FUNCTION_ARGV do_test
> +#include <support/test-driver.c>