From: Fāng-ruì Sòng
Date: Mon, 18 Apr 2022 16:49:50 -0700
Subject: Re: [PATCH] elf: Remove __libc_enable_secure_decided
To: Florian Weimer
Cc: libc-alpha@sourceware.org

On Mon, Apr 18, 2022 at 3:00 AM Florian Weimer wrote:
>
> * Fangrui Song:
>
> > No functional change. __libc_enable_secure_decided is always 0 since
> > 73fc4e28b9464f0e13edc719a5372839970e7ddb.
> > --- > > elf/enbl-secure.c | 7 ++----- > > include/unistd.h | 1 - > > 2 files changed, 2 insertions(+), 6 deletions(-) > > > > diff --git a/elf/enbl-secure.c b/elf/enbl-secure.c > > index aa2a0bd877..6a0a6d0f0f 100644 > > --- a/elf/enbl-secure.c > > +++ b/elf/enbl-secure.c
> > @@ -26,15 +26,12 @@ > > #include > > #include > > > > -/* If nonzero __libc_enable_secure is already set. */ > > -int __libc_enable_secure_decided; > > /* Safest assumption, if somehow the initializer isn't run. */ > > int __libc_enable_secure =3D 1; > > > > void > > __libc_init_secure (void) > > { > > - if (__libc_enable_secure_decided =3D=3D 0) > > - __libc_enable_secure =3D (startup_geteuid () !=3D startup_getuid (= ) > > - || startup_getegid () !=3D startup_getgid ())= ; > > + __libc_enable_secure =3D (startup_geteuid () !=3D startup_getuid () > > + || startup_getegid () !=3D startup_getgid ()); > > }
>
> Thanks for catching this in time before a release, this would have
> turned into a minor security vulnerability.
>
> __libc_init_secure should not overwrite __libc_enable_secure on Linux
> because _dl_aux_init in dl-support.c already initializes it, and the
> real vs effective check does not always yield the right results (it
> exits AT_SECURE mode for a pure capabilities-based transition, for
> example).
>
> Hurd already overrides __libc_init_secure with an empty function. I
> think we should remove it completely. Then we can also simply
> a bit, I think. Would you be able to write a patch along
> those lines, or should I work on this?
>
> Thanks,
> Florian
>

Thanks for the analysis! I debugged it a bit and understand it better now.
Sent https://sourceware.org/pipermail/libc-alpha/2022-April/137942.html
for clean-up.

-- 
宋方睿
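Review bot: the assignment in __libc_init_secure is now unconditional, so on entry it replaces whatever __libc_enable_secure already held with the result of the uid/gid comparison (`startup_geteuid () != startup_getuid () || startup_getegid () != startup_getgid ()`). The commit message argues "no functional change" because the removed flag is always 0, which means that overwrite already happens today; as the reply in this thread points out, on Linux _dl_aux_init has already initialized the variable and the real-versus-effective comparison does not always agree with it, for example after a pure capabilities-based transition. Dropping only the dead flag leaves that behaviour in place with no comment explaining it. Consider removing __libc_init_secure altogether, as the reply suggests, or at least document on the function that it overrides the earlier initialization. The diffstat also lists a one-line deletion in include/unistd.h whose hunk is not shown in the quoted text, so it could not be checked here.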