From: Siddhesh Poyarekar <siddhesh@sourceware.org>
To: Adhemerval Zanella <adhemerval.zanella@linaro.org>,
libc-alpha@sourceware.org
Subject: Re: [PATCH v3 19/19] elf: Refactor process_envvars
Date: Mon, 20 Nov 2023 18:09:37 -0500 [thread overview]
Message-ID: <4f6da9ac-880e-40da-970a-1cf3dfe0baf6@sourceware.org> (raw)
In-Reply-To: <20231106202552.3404059-20-adhemerval.zanella@linaro.org>
On 2023-11-06 15:25, Adhemerval Zanella wrote:
> It splits between process_envvars_secure and process_envvars_default,
> with the former used to process arguments for __libc_enable_secure.
> It does not have any semantic change, just simplify the code so there
> is no need to handle __libc_enable_secure on each len switch.
>
> Checked on x86_64-linux-gnu and aarch64-linux-gnu.
> ---
> elf/rtld.c | 132 ++++++++++++++++++++++++++++++++++-------------------
> 1 file changed, 84 insertions(+), 48 deletions(-)
>
> diff --git a/elf/rtld.c b/elf/rtld.c
> index cfba30eba0..95dcd32185 100644
> --- a/elf/rtld.c
> +++ b/elf/rtld.c
> @@ -2527,7 +2527,67 @@ a filename can be specified using the LD_DEBUG_OUTPUT environment variable.\n");
> }
> \f
> static void
> -process_envvars (struct dl_main_state *state)
> +process_envvars_secure (struct dl_main_state *state)
> +{
> + char **runp = _environ;
> + char *envline;
> +
> + while ((envline = _dl_next_ld_env_entry (&runp)) != NULL)
> + {
> + size_t len = 0;
> +
> + while (envline[len] != '\0' && envline[len] != '=')
> + ++len;
> +
> + if (envline[len] != '=')
> + /* This is a "LD_" variable at the end of the string without
> + a '=' character. Ignore it since otherwise we will access
> + invalid memory below. */
> + continue;
> +
> + switch (len)
> + {
> + case 5:
> + /* For __libc_enable_secure mode, audit pathnames containing slashes
> + are ignored. Also, shared audit objects are only loaded only from
> + the standard search directories and only if they have set-user-ID
> + mode bit enabled. */
> + if (memcmp (envline, "AUDIT", 5) == 0)
> + audit_list_add_string (&state->audit_list, &envline[6]);
> + break;
> +
> + case 7:
> + /* For __libc_enable_secure mode, preload pathnames containing slashes
> + are ignored. Also, shared objects are only preloaded from the
> + standard search directories and only if they have set-user-ID mode
> + bit enabled. */
> + if (memcmp (envline, "PRELOAD", 7) == 0)
> + state->preloadlist = &envline[8];
> + break;
> + }
> + }
We need to talk about whether we should get rid of these too in the
context of setuid programs, but that's a separate discussion. LGTM.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> +
> + /* Extra security for SUID binaries. Remove all dangerous environment
> + variables. */
> + const char *nextp = UNSECURE_ENVVARS;
> + do
> + {
> + unsetenv (nextp);
> + nextp = strchr (nextp, '\0') + 1;
> + }
> + while (*nextp != '\0');
> +
> + if (GLRO(dl_debug_mask) != 0
> + || GLRO(dl_verbose) != 0
> + || GLRO(dl_lazy) != 1
> + || GLRO(dl_bind_not) != 0
> + || state->mode != rtld_mode_normal
> + || state->version_info)
> + _exit (5);
> +}
> +
> +static void
> +process_envvars_default (struct dl_main_state *state)
> {
> char **runp = _environ;
> char *envline;
I wondered if we should add an assert here on __libc_enable_secure ==0,
but there is only one caller, so maybe we can get away without it.
> @@ -2550,15 +2610,13 @@ process_envvars (struct dl_main_state *state)
> {
> case 4:
> /* Warning level, verbose or not. */
> - if (!__libc_enable_secure
> - && memcmp (envline, "WARN", 4) == 0)
> + if (memcmp (envline, "WARN", 4) == 0)
> GLRO(dl_verbose) = envline[5] != '\0';
> break;
>
> case 5:
> /* Debugging of the dynamic linker? */
> - if (!__libc_enable_secure
> - && memcmp (envline, "DEBUG", 5) == 0)
> + if (memcmp (envline, "DEBUG", 5) == 0)
> {
> process_dl_debug (state, &envline[6]);
> break;
> @@ -2573,8 +2631,7 @@ process_envvars (struct dl_main_state *state)
>
> case 7:
> /* Print information about versions. */
> - if (!__libc_enable_secure
> - && memcmp (envline, "VERBOSE", 7) == 0)
> + if (memcmp (envline, "VERBOSE", 7) == 0)
> {
> state->version_info = envline[8] != '\0';
> break;
> @@ -2591,43 +2648,37 @@ process_envvars (struct dl_main_state *state)
> }
>
> /* Which shared object shall be profiled. */
> - if (!__libc_enable_secure
> - && memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0')
> + if (memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0')
> GLRO(dl_profile) = &envline[8];
> break;
>
> case 8:
> /* Do we bind early? */
> - if (!__libc_enable_secure
> - && memcmp (envline, "BIND_NOW", 8) == 0)
> + if (memcmp (envline, "BIND_NOW", 8) == 0)
> {
> GLRO(dl_lazy) = envline[9] == '\0';
> break;
> }
> - if (! __libc_enable_secure
> - && memcmp (envline, "BIND_NOT", 8) == 0)
> + if (memcmp (envline, "BIND_NOT", 8) == 0)
> GLRO(dl_bind_not) = envline[9] != '\0';
> break;
>
> case 9:
> /* Test whether we want to see the content of the auxiliary
> array passed up from the kernel. */
> - if (!__libc_enable_secure
> - && memcmp (envline, "SHOW_AUXV", 9) == 0)
> + if (memcmp (envline, "SHOW_AUXV", 9) == 0)
> _dl_show_auxv ();
> break;
>
> case 11:
> /* Path where the binary is found. */
> - if (!__libc_enable_secure
> - && memcmp (envline, "ORIGIN_PATH", 11) == 0)
> + if (memcmp (envline, "ORIGIN_PATH", 11) == 0)
> GLRO(dl_origin_path) = &envline[12];
> break;
>
> case 12:
> /* The library search path. */
> - if (!__libc_enable_secure
> - && memcmp (envline, "LIBRARY_PATH", 12) == 0)
> + if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
> {
> state->library_path = &envline[13];
> state->library_path_source = "LD_LIBRARY_PATH";
> @@ -2635,30 +2686,26 @@ process_envvars (struct dl_main_state *state)
> }
>
> /* Where to place the profiling data file. */
> - if (!__libc_enable_secure
> - && memcmp (envline, "DEBUG_OUTPUT", 12) == 0)
> + if (memcmp (envline, "DEBUG_OUTPUT", 12) == 0)
> {
> debug_output = &envline[13];
> break;
> }
>
> - if (!__libc_enable_secure
> - && memcmp (envline, "DYNAMIC_WEAK", 12) == 0)
> + if (memcmp (envline, "DYNAMIC_WEAK", 12) == 0)
> GLRO(dl_dynamic_weak) = 1;
> break;
>
> case 14:
> /* Where to place the profiling data file. */
> - if (!__libc_enable_secure
> - && memcmp (envline, "PROFILE_OUTPUT", 14) == 0
> + if (memcmp (envline, "PROFILE_OUTPUT", 14) == 0
> && envline[15] != '\0')
> GLRO(dl_profile_output) = &envline[15];
> break;
>
> case 20:
> /* The mode of the dynamic linker can be set. */
> - if (!__libc_enable_secure
> - && memcmp (envline, "TRACE_LOADED_OBJECTS", 20) == 0)
> + if (memcmp (envline, "TRACE_LOADED_OBJECTS", 20) == 0)
> {
> state->mode = rtld_mode_trace;
> state->mode_trace_program
> @@ -2668,30 +2715,10 @@ process_envvars (struct dl_main_state *state)
> }
> }
>
> - /* Extra security for SUID binaries. Remove all dangerous environment
> - variables. */
> - if (__glibc_unlikely (__libc_enable_secure))
> - {
> - const char *nextp = UNSECURE_ENVVARS;
> - do
> - {
> - unsetenv (nextp);
> - nextp = strchr (nextp, '\0') + 1;
> - }
> - while (*nextp != '\0');
> -
> - if (GLRO(dl_debug_mask) != 0
> - || GLRO(dl_verbose) != 0
> - || GLRO(dl_lazy) != 1
> - || GLRO(dl_bind_not) != 0
> - || state->mode != rtld_mode_normal
> - || state->version_info)
> - _exit (5);
> - }
> /* If we have to run the dynamic linker in debugging mode and the
> LD_DEBUG_OUTPUT environment variable is given, we write the debug
> messages to this file. */
> - else if (GLRO(dl_debug_mask) != 0 && debug_output != NULL)
> + if (GLRO(dl_debug_mask) != 0 && debug_output != NULL)
> {
> const int flags = O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW;
> size_t name_len = strlen (debug_output);
> @@ -2710,6 +2737,15 @@ process_envvars (struct dl_main_state *state)
> }
> }
>
> +static void
> +process_envvars (struct dl_main_state *state)
> +{
> + if (__glibc_unlikely (__libc_enable_secure))
> + process_envvars_secure (state);
> + else
> + process_envvars_default (state);
> +}
> +
> #if HP_TIMING_INLINE
> static void
> print_statistics_item (const char *title, hp_timing_t time,
next prev parent reply other threads:[~2023-11-20 23:09 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-06 20:25 [PATCH v3 00/19] Improve loader environment variable handling Adhemerval Zanella
2023-11-06 20:25 ` [PATCH v3 01/19] elf: Remove /etc/suid-debug support Adhemerval Zanella
2023-11-06 20:25 ` [PATCH v3 02/19] elf: Add GLIBC_TUNABLES to unsecvars Adhemerval Zanella
2023-11-06 20:25 ` [PATCH v3 03/19] elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries Adhemerval Zanella
2023-11-06 20:25 ` [PATCH v3 04/19] elf: Add all malloc tunable to unsecvars Adhemerval Zanella
2023-11-06 20:25 ` [PATCH v3 05/19] elf: Do not process invalid tunable format Adhemerval Zanella
2023-11-06 20:25 ` [PATCH v3 06/19] elf: Do not parse ill-formatted strings Adhemerval Zanella
2023-11-20 21:48 ` Siddhesh Poyarekar
2023-11-06 20:25 ` [PATCH v3 07/19] elf: Fix _dl_debug_vdprintf to work before self-relocation Adhemerval Zanella
2023-11-06 20:25 ` [PATCH v3 08/19] elf: Emit warning if tunable is ill-formatted Adhemerval Zanella
2023-11-20 21:50 ` Siddhesh Poyarekar
2023-11-06 20:25 ` [PATCH v3 09/19] x86: Use dl-symbol-redir-ifunc.h on cpu-tunables Adhemerval Zanella
2023-11-06 20:25 ` [PATCH v3 10/19] s390: " Adhemerval Zanella
2023-11-06 20:25 ` [PATCH v3 11/19] elf: Do not duplicate the GLIBC_TUNABLES string Adhemerval Zanella
2023-11-20 22:44 ` Siddhesh Poyarekar
2023-11-21 18:12 ` Adhemerval Zanella Netto
2023-11-22 11:39 ` Adhemerval Zanella Netto
2023-11-22 12:23 ` Siddhesh Poyarekar
2023-11-22 13:03 ` Adhemerval Zanella Netto
2023-11-22 13:24 ` Siddhesh Poyarekar
2023-11-22 14:13 ` Adhemerval Zanella Netto
2023-11-06 20:25 ` [PATCH v3 12/19] elf: Ignore LD_PROFILE for setuid binaries Adhemerval Zanella
2023-11-20 22:47 ` Siddhesh Poyarekar
2023-11-06 20:25 ` [PATCH v3 13/19] elf: Remove LD_PROFILE for static binaries Adhemerval Zanella
2023-11-20 22:55 ` Siddhesh Poyarekar
2023-11-06 20:25 ` [PATCH v3 14/19] elf: Ignore loader debug env vars for setuid Adhemerval Zanella
2023-11-20 22:57 ` Siddhesh Poyarekar
2023-11-21 18:24 ` Adhemerval Zanella Netto
2023-11-06 20:25 ` [PATCH v3 15/19] elf: Remove any_debug from dl_main_state Adhemerval Zanella
2023-11-20 22:58 ` Siddhesh Poyarekar
2023-11-06 20:25 ` [PATCH v3 16/19] elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static Adhemerval Zanella
2023-11-20 22:59 ` Siddhesh Poyarekar
2023-11-06 20:25 ` [PATCH v3 17/19] elf: Add comments on how LD_AUDIT and LD_PRELOAD handle __libc_enable_secure Adhemerval Zanella
2023-11-06 20:25 ` [PATCH v3 18/19] elf: Ignore LD_BIND_NOW and LD_BIND_NOT for setuid binaries Adhemerval Zanella
2023-11-20 23:02 ` Siddhesh Poyarekar
2023-11-06 20:25 ` [PATCH v3 19/19] elf: Refactor process_envvars Adhemerval Zanella
2023-11-20 23:09 ` Siddhesh Poyarekar [this message]
2023-11-21 19:00 ` Adhemerval Zanella Netto
2023-11-20 23:12 ` [PATCH v3 00/19] Improve loader environment variable handling Siddhesh Poyarekar
2023-11-21 19:37 ` Adhemerval Zanella Netto
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4f6da9ac-880e-40da-970a-1cf3dfe0baf6@sourceware.org \
--to=siddhesh@sourceware.org \
--cc=adhemerval.zanella@linaro.org \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).