From: "H.J. Lu" <hjl.tools@gmail.com>
To: Joe Simmons-Talbott <josimmon@redhat.com>
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH v4] rtld: Add glibc.rtld.enable_secure tunable.
Date: Fri, 12 Jan 2024 05:53:23 -0800 [thread overview]
Message-ID: <CAMe9rOqKCBVvJJwCt+ZnVSKL5JTKcs9oGfXvROv6eeqdtc1mPg@mail.gmail.com> (raw)
In-Reply-To: <20240112134328.568424-1-josimmon@redhat.com>
On Fri, Jan 12, 2024 at 5:44 AM Joe Simmons-Talbott <josimmon@redhat.com> wrote:
>
> Add a tunable for setting __libc_enable_secure to 1. Do not set
> __libc_enable_secure to 0 if the tunable is set to 0. Ignore all
> tunables if glib.rtld.enable_secure is set. One use-case for this
> addition is to enable testing code paths that depend on
> __libc_enable_secure being set without the need to use setxid binaries.
> ---
> Changes to v3:
> * Rebase and fix merge conflict in NEWS.
>
> Changes to v2:
> * handle the tunable in __tunables_init so that it's done in a single
> place.
> * ignore all tunables if the tunable is set.
> * update the testcase to only check the tunables if the enable_secure
> tunable is not set.
> * don't add tunables_strcmp as there is now already a version.
>
> Changes to v1:
> * handle the tunable for the dynamic loader as well.
>
> NEWS | 5 ++
> elf/Makefile | 2 +
> elf/dl-tunables.c | 11 +++
> elf/dl-tunables.list | 6 ++
> elf/tst-rtld-list-tunables.exp | 1 +
> elf/tst-tunables-enable_secure.c | 126 +++++++++++++++++++++++++++++++
> 6 files changed, 151 insertions(+)
> create mode 100644 elf/tst-tunables-enable_secure.c
>
> diff --git a/NEWS b/NEWS
> index 83ae627f47..aff44f6d7f 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -55,6 +55,11 @@ Major new features:
> unsigned char, unsigned short, unsigned int, unsigned long int and
> unsigned long long int, and a type-generic macro.
>
> +* A new tunable, glibc.rtld.enable_secure, used to run a program
> + as if it were a setuid process, enabling a number of security features. This
> + is currently a testing tool to allow more extensive verification tests for
> + AT_SECURE programs and not meant to be a security feature.
> +
> Deprecated and removed features, and other changes affecting compatibility:
>
> * The ldconfig program now skips file names containing ';' or ending in
> diff --git a/elf/Makefile b/elf/Makefile
> index 5d78b659ce..45a6aa7a8d 100644
> --- a/elf/Makefile
> +++ b/elf/Makefile
> @@ -285,6 +285,7 @@ tests-static-internal := \
> tst-tls1-static \
> tst-tls1-static-non-pie \
> tst-tunables \
> + tst-tunables-enable_secure \
> # tests-static-internal
>
> CRT-tst-tls1-static-non-pie := $(csu-objpfx)crt1.o
> @@ -2676,6 +2677,7 @@ $(objpfx)tst-glibc-hwcaps-mask.out: \
> $(objpfx)tst-glibc-hwcaps-cache.out: $(objpfx)tst-glibc-hwcaps
>
> tst-tunables-ARGS = -- $(host-test-program-cmd)
> +tst-tunables-enable_secure-ARGS = -- $(host-test-program-cmd)
>
> $(objpfx)list-tunables.out: tst-rtld-list-tunables.sh $(objpfx)ld.so
> $(SHELL) $< $(objpfx)ld.so '$(test-wrapper-env)' \
> diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
> index 03e1a68675..d3ccd2ecd4 100644
> --- a/elf/dl-tunables.c
> +++ b/elf/dl-tunables.c
> @@ -223,6 +223,17 @@ parse_tunables_string (const char *valstring, struct tunable_toset_t *tunables)
> {
> tunables[ntunables++] =
> (struct tunable_toset_t) { cur, value, p - value };
> +
> + /* Ignore tunables if enable_secure is set */
> + if (tunable_is_name ("glibc.rtld.enable_secure", name))
> + {
> + tunable_num_t val = (tunable_num_t) _dl_strtoul (value, NULL);
> + if (val == 1)
> + {
> + __libc_enable_secure = 1;
> + return 0;
> + }
> + }
> break;
> }
> }
> diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
> index 1b40407814..1186272c81 100644
> --- a/elf/dl-tunables.list
> +++ b/elf/dl-tunables.list
> @@ -136,6 +136,12 @@ glibc {
> minval: 0
> default: 512
> }
> + enable_secure {
> + type: INT_32
> + minval: 0
> + maxval: 1
> + default: 0
> + }
> }
>
> mem {
> diff --git a/elf/tst-rtld-list-tunables.exp b/elf/tst-rtld-list-tunables.exp
> index 2233ea9c7c..db0e1c86e9 100644
> --- a/elf/tst-rtld-list-tunables.exp
> +++ b/elf/tst-rtld-list-tunables.exp
> @@ -12,5 +12,6 @@ glibc.malloc.tcache_unsorted_limit: 0x0 (min: 0x0, max: 0x[f]+)
> glibc.malloc.top_pad: 0x20000 (min: 0x0, max: 0x[f]+)
> glibc.malloc.trim_threshold: 0x0 (min: 0x0, max: 0x[f]+)
> glibc.rtld.dynamic_sort: 2 (min: 1, max: 2)
> +glibc.rtld.enable_secure: 0 (min: 0, max: 1)
> glibc.rtld.nns: 0x4 (min: 0x1, max: 0x10)
> glibc.rtld.optional_static_tls: 0x200 (min: 0x0, max: 0x[f]+)
> diff --git a/elf/tst-tunables-enable_secure.c b/elf/tst-tunables-enable_secure.c
> new file mode 100644
> index 0000000000..790d14237e
> --- /dev/null
> +++ b/elf/tst-tunables-enable_secure.c
> @@ -0,0 +1,126 @@
> +/* Check GLIBC_TUNABLES parsing for enable_secure.
> + Copyright (C) 2023 Free Software Foundation, Inc.
2024
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <https://www.gnu.org/licenses/>. */
> +
> +#include <array_length.h>
> +#include <dl-tunables.h>
> +#include <getopt.h>
> +#include <intprops.h>
> +#include <stdint.h>
> +#include <stdlib.h>
> +#include <support/capture_subprocess.h>
> +#include <support/check.h>
> +#include <sys/auxv.h>
> +#include <unistd.h>
> +
> +static int restart;
> +#define CMDLINE_OPTIONS \
> + { "restart", no_argument, &restart, 1 },
> +
> +static const struct test_t
> +{
> + const char *env;
> + int32_t expected_malloc_check;
> + int32_t expected_enable_secure;
> +} tests[] =
> +{
> + /* Expected tunable format. */
> + /* Tunables should be ignored if enable_secure is set. */
> + {
> + "glibc.malloc.check=2:glibc.rtld.enable_secure=1",
> + 0,
> + 1,
> + },
> + /* Tunables should be ignored if enable_secure is set. */
> + {
> + "glibc.rtld.enable_secure=1:glibc.malloc.check=2",
> + 0,
> + 1,
> + },
> + /* Tunables should be set if enable_secure is unset. */
> + {
> + "glibc.rtld.enable_secure=0:glibc.malloc.check=2",
> + 2,
> + 0,
> + },
> +};
> +
> +static int
> +handle_restart (int i)
> +{
> + if (tests[i].expected_enable_secure == 1)
> + {
> + TEST_COMPARE (1, __libc_enable_secure);
> + }
> + else
> + {
> + TEST_COMPARE (tests[i].expected_malloc_check,
> + TUNABLE_GET_FULL (glibc, malloc, check, int32_t, NULL));
> + TEST_COMPARE (tests[i].expected_enable_secure,
> + TUNABLE_GET_FULL (glibc, rtld, enable_secure, int32_t,
> + NULL));
> + }
> + return 0;
> +}
> +
> +static int
> +do_test (int argc, char *argv[])
> +{
> + /* We must have either:
> + - One or four parameters left if called initially:
> + + path to ld.so optional
> + + "--library-path" optional
> + + the library path optional
> + + the application name
> + + the test to check */
> +
> + TEST_VERIFY_EXIT (argc == 2 || argc == 5);
> +
> + if (restart)
> + return handle_restart (atoi (argv[1]));
> +
> + char nteststr[INT_BUFSIZE_BOUND (int)];
> +
> + char *spargv[10];
> + {
> + int i = 0;
> + for (; i < argc - 1; i++)
> + spargv[i] = argv[i + 1];
> + spargv[i++] = (char *) "--direct";
> + spargv[i++] = (char *) "--restart";
> + spargv[i++] = nteststr;
> + spargv[i] = NULL;
> + }
> +
> + for (int i = 0; i < array_length (tests); i++)
> + {
> + snprintf (nteststr, sizeof nteststr, "%d", i);
> +
> + printf ("[%d] Spawned test for %s\n", i, tests[i].env);
> + setenv ("GLIBC_TUNABLES", tests[i].env, 1);
> + struct support_capture_subprocess result
> + = support_capture_subprogram (spargv[0], spargv);
> + support_capture_subprocess_check (&result, "tst-tunables-enable_secure",
> + 0, sc_allow_stderr);
> + support_capture_subprocess_free (&result);
> + }
> +
> + return 0;
> +}
> +
> +#define TEST_FUNCTION_ARGV do_test
> +#include <support/test-driver.c>
> --
> 2.41.0
>
--
H.J.
next prev parent reply other threads:[~2024-01-12 13:54 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-12 13:43 Joe Simmons-Talbott
2024-01-12 13:53 ` H.J. Lu [this message]
2024-01-12 18:25 ` Joe Simmons-Talbott
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMe9rOqKCBVvJJwCt+ZnVSKL5JTKcs9oGfXvROv6eeqdtc1mPg@mail.gmail.com \
--to=hjl.tools@gmail.com \
--cc=josimmon@redhat.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).