public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed
From: "H.J. Lu" <hjl.tools@gmail.com>
To: Joe Simmons-Talbott <josimmon@redhat.com>
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH v4] rtld: Add glibc.rtld.enable_secure tunable.
Date: Fri, 12 Jan 2024 05:53:23 -0800	[thread overview]
Message-ID: <CAMe9rOqKCBVvJJwCt+ZnVSKL5JTKcs9oGfXvROv6eeqdtc1mPg@mail.gmail.com> (raw)
In-Reply-To: <20240112134328.568424-1-josimmon@redhat.com>

On Fri, Jan 12, 2024 at 5:44 AM Joe Simmons-Talbott <josimmon@redhat.com> wrote:
>
> Add a tunable for setting __libc_enable_secure to 1.  Do not set
> __libc_enable_secure to 0 if the tunable is set to 0.  Ignore all
> tunables if glib.rtld.enable_secure is set.  One use-case for this
> addition is to enable testing code paths that depend on
> __libc_enable_secure being set without the need to use setxid binaries.
> ---
> Changes to v3:
>   * Rebase and fix merge conflict in NEWS.
>
> Changes to v2:
>   * handle the tunable in __tunables_init so that it's done in a single
>     place.
>   * ignore all tunables if the tunable is set.
>   * update the testcase to only check the tunables if the enable_secure
>     tunable is not set.
>   * don't add tunables_strcmp as there is now already a version.
>
> Changes to v1:
>   * handle the tunable for the dynamic loader as well.
>
>  NEWS                             |   5 ++
>  elf/Makefile                     |   2 +
>  elf/dl-tunables.c                |  11 +++
>  elf/dl-tunables.list             |   6 ++
>  elf/tst-rtld-list-tunables.exp   |   1 +
>  elf/tst-tunables-enable_secure.c | 126 +++++++++++++++++++++++++++++++
>  6 files changed, 151 insertions(+)
>  create mode 100644 elf/tst-tunables-enable_secure.c
>
> diff --git a/NEWS b/NEWS
> index 83ae627f47..aff44f6d7f 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -55,6 +55,11 @@ Major new features:
>    unsigned char, unsigned short, unsigned int, unsigned long int and
>    unsigned long long int, and a type-generic macro.
>
> +* A new tunable, glibc.rtld.enable_secure, used to run a program
> +  as if it were a setuid process, enabling a number of security features. This
> +  is currently a testing tool to allow more extensive verification tests for
> +  AT_SECURE programs and not meant to be a security feature.
> +
>  Deprecated and removed features, and other changes affecting compatibility:
>
>  * The ldconfig program now skips file names containing ';' or ending in
> diff --git a/elf/Makefile b/elf/Makefile
> index 5d78b659ce..45a6aa7a8d 100644
> --- a/elf/Makefile
> +++ b/elf/Makefile
> @@ -285,6 +285,7 @@ tests-static-internal := \
>    tst-tls1-static \
>    tst-tls1-static-non-pie \
>    tst-tunables \
> +  tst-tunables-enable_secure \
>    # tests-static-internal
>
>  CRT-tst-tls1-static-non-pie := $(csu-objpfx)crt1.o
> @@ -2676,6 +2677,7 @@ $(objpfx)tst-glibc-hwcaps-mask.out: \
>  $(objpfx)tst-glibc-hwcaps-cache.out: $(objpfx)tst-glibc-hwcaps
>
>  tst-tunables-ARGS = -- $(host-test-program-cmd)
> +tst-tunables-enable_secure-ARGS = -- $(host-test-program-cmd)
>
>  $(objpfx)list-tunables.out: tst-rtld-list-tunables.sh $(objpfx)ld.so
>         $(SHELL) $< $(objpfx)ld.so '$(test-wrapper-env)' \
> diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
> index 03e1a68675..d3ccd2ecd4 100644
> --- a/elf/dl-tunables.c
> +++ b/elf/dl-tunables.c
> @@ -223,6 +223,17 @@ parse_tunables_string (const char *valstring, struct tunable_toset_t *tunables)
>             {
>               tunables[ntunables++] =
>                 (struct tunable_toset_t) { cur, value, p - value };
> +
> +             /* Ignore tunables if enable_secure is set */
> +             if (tunable_is_name ("glibc.rtld.enable_secure", name))
> +               {
> +                  tunable_num_t val = (tunable_num_t) _dl_strtoul (value, NULL);
> +                 if (val == 1)
> +                   {
> +                     __libc_enable_secure = 1;
> +                     return 0;
> +                   }
> +               }
>               break;
>             }
>         }
> diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
> index 1b40407814..1186272c81 100644
> --- a/elf/dl-tunables.list
> +++ b/elf/dl-tunables.list
> @@ -136,6 +136,12 @@ glibc {
>        minval: 0
>        default: 512
>      }
> +    enable_secure {
> +      type: INT_32
> +      minval: 0
> +      maxval: 1
> +      default: 0
> +    }
>    }
>
>    mem {
> diff --git a/elf/tst-rtld-list-tunables.exp b/elf/tst-rtld-list-tunables.exp
> index 2233ea9c7c..db0e1c86e9 100644
> --- a/elf/tst-rtld-list-tunables.exp
> +++ b/elf/tst-rtld-list-tunables.exp
> @@ -12,5 +12,6 @@ glibc.malloc.tcache_unsorted_limit: 0x0 (min: 0x0, max: 0x[f]+)
>  glibc.malloc.top_pad: 0x20000 (min: 0x0, max: 0x[f]+)
>  glibc.malloc.trim_threshold: 0x0 (min: 0x0, max: 0x[f]+)
>  glibc.rtld.dynamic_sort: 2 (min: 1, max: 2)
> +glibc.rtld.enable_secure: 0 (min: 0, max: 1)
>  glibc.rtld.nns: 0x4 (min: 0x1, max: 0x10)
>  glibc.rtld.optional_static_tls: 0x200 (min: 0x0, max: 0x[f]+)
> diff --git a/elf/tst-tunables-enable_secure.c b/elf/tst-tunables-enable_secure.c
> new file mode 100644
> index 0000000000..790d14237e
> --- /dev/null
> +++ b/elf/tst-tunables-enable_secure.c
> @@ -0,0 +1,126 @@
> +/* Check GLIBC_TUNABLES parsing for enable_secure.
> +   Copyright (C) 2023 Free Software Foundation, Inc.

2024

> +   This file is part of the GNU C Library.
> +
> +   The GNU C Library is free software; you can redistribute it and/or
> +   modify it under the terms of the GNU Lesser General Public
> +   License as published by the Free Software Foundation; either
> +   version 2.1 of the License, or (at your option) any later version.
> +
> +   The GNU C Library is distributed in the hope that it will be useful,
> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +   Lesser General Public License for more details.
> +
> +   You should have received a copy of the GNU Lesser General Public
> +   License along with the GNU C Library; if not, see
> +   <https://www.gnu.org/licenses/>.  */
> +
> +#include <array_length.h>
> +#include <dl-tunables.h>
> +#include <getopt.h>
> +#include <intprops.h>
> +#include <stdint.h>
> +#include <stdlib.h>
> +#include <support/capture_subprocess.h>
> +#include <support/check.h>
> +#include <sys/auxv.h>
> +#include <unistd.h>
> +
> +static int restart;
> +#define CMDLINE_OPTIONS \
> +  { "restart", no_argument, &restart, 1 },
> +
> +static const struct test_t
> +{
> +  const char *env;
> +  int32_t expected_malloc_check;
> +  int32_t expected_enable_secure;
> +} tests[] =
> +{
> +  /* Expected tunable format.  */
> +  /* Tunables should be ignored if enable_secure is set. */
> +  {
> +    "glibc.malloc.check=2:glibc.rtld.enable_secure=1",
> +    0,
> +    1,
> +  },
> +  /* Tunables should be ignored if enable_secure is set. */
> +  {
> +    "glibc.rtld.enable_secure=1:glibc.malloc.check=2",
> +    0,
> +    1,
> +  },
> +  /* Tunables should be set if enable_secure is unset. */
> +  {
> +    "glibc.rtld.enable_secure=0:glibc.malloc.check=2",
> +    2,
> +    0,
> +  },
> +};
> +
> +static int
> +handle_restart (int i)
> +{
> +  if (tests[i].expected_enable_secure == 1)
> +    {
> +      TEST_COMPARE (1, __libc_enable_secure);
> +    }
> +  else
> +    {
> +      TEST_COMPARE (tests[i].expected_malloc_check,
> +                   TUNABLE_GET_FULL (glibc, malloc, check, int32_t, NULL));
> +      TEST_COMPARE (tests[i].expected_enable_secure,
> +                   TUNABLE_GET_FULL (glibc, rtld, enable_secure, int32_t,
> +                   NULL));
> +    }
> +  return 0;
> +}
> +
> +static int
> +do_test (int argc, char *argv[])
> +{
> +  /* We must have either:
> +     - One or four parameters left if called initially:
> +       + path to ld.so         optional
> +       + "--library-path"      optional
> +       + the library path      optional
> +       + the application name
> +       + the test to check  */
> +
> +  TEST_VERIFY_EXIT (argc == 2 || argc == 5);
> +
> +  if (restart)
> +    return handle_restart (atoi (argv[1]));
> +
> +  char nteststr[INT_BUFSIZE_BOUND (int)];
> +
> +  char *spargv[10];
> +  {
> +    int i = 0;
> +    for (; i < argc - 1; i++)
> +      spargv[i] = argv[i + 1];
> +    spargv[i++] = (char *) "--direct";
> +    spargv[i++] = (char *) "--restart";
> +    spargv[i++] = nteststr;
> +    spargv[i] = NULL;
> +  }
> +
> +  for (int i = 0; i < array_length (tests); i++)
> +    {
> +      snprintf (nteststr, sizeof nteststr, "%d", i);
> +
> +      printf ("[%d] Spawned test for %s\n", i, tests[i].env);
> +      setenv ("GLIBC_TUNABLES", tests[i].env, 1);
> +      struct support_capture_subprocess result
> +       = support_capture_subprogram (spargv[0], spargv);
> +      support_capture_subprocess_check (&result, "tst-tunables-enable_secure",
> +                                       0, sc_allow_stderr);
> +      support_capture_subprocess_free (&result);
> +    }
> +
> +  return 0;
> +}
> +
> +#define TEST_FUNCTION_ARGV do_test
> +#include <support/test-driver.c>
> --
> 2.41.0
>


-- 
H.J.

  reply	other threads:[~2024-01-12 13:54 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-01-12 13:43 Joe Simmons-Talbott
2024-01-12 13:53 ` H.J. Lu [this message]
2024-01-12 18:25   ` Joe Simmons-Talbott

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAMe9rOqKCBVvJJwCt+ZnVSKL5JTKcs9oGfXvROv6eeqdtc1mPg@mail.gmail.com \
    --to=hjl.tools@gmail.com \
    --cc=josimmon@redhat.com \
    --cc=libc-alpha@sourceware.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).