From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 20 Jan 2021 12:00:06 +0100
From: Andreas Fink
To: libc-help@sourceware.org
Subject: Re: Hooking execve for an LD_PRELOAD library
In-Reply-To: <87sg6yr0ju.fsf@oldenburg.str.redhat.com>
References: <1MiMEW-1lf4081KQ2-00fS4y@smtp.web.de> <878s8srmnh.fsf@oldenburg.str.redhat.com> <0LgHf2-1lmY0O29NE-00ngvl@smtp.web.de> <87sg6yr0ju.fsf@oldenburg.str.redhat.com>
Message-ID: <0MZims-1lJHra3Yac-00LSnn@smtp.web.de>
List-Id: Libc-help mailing list

On Mon, 18 Jan 2021 11:39:49 +0100
Florian Weimer wrote:

> * Andreas Fink via Libc-help:
>
> > Ok, if I understood you correctly this is the expected behaviour. I was
> > afraid of it, but ok I can live with it.
> > Assuming I want to hook the whole exec-family, it seems easy to just
> > add hooks for the execv* functions while forwarding all arguments to
> > the corresponding glibc implementation.
>
> You will also have to deal with system, popen, posix_spawn,
> posix_spawnp.

Yes, definitely for posix_spawn and posix_spawnp (I did not know about
these two). I figured out that I can ignore system(cmd) and popen(cmd, type)
at the moment, as the actual stuff in cmd would come in later by execve,
because /bin/sh inherits the environment with LD_PRELOAD and calls execve
itself for everything that is in cmd. I.e. I "miss" the call to /bin/sh,
but this is ok for my use-case.

> > Forwarding the execl* functions seems a bit more involved, as I would
> > have to bend the va_list to an array, or is there some way to forward
> > the arguments to the glibc function without unwrapping the va_list?
>
> I don't think this is possible in general. GCC has __builtin_apply and
> __builtin_apply_args, but I don't know if they work with variadic
> functions on all architectures.

I think I will skip it, if it is non-standard, wrap it into arrays and
forward to the execv-family.

> > Kernel-based mechanism (in my case that's Linux) sounds also interesting
> > as it is one level lower I guess, but honestly speaking I have no idea
> > where to start to look at. Do you know of an example (not necessarily
> > execve, but any system call where this is done)?
>
> You can find examples for ptrace system call interception and emulation
> on the web. Niels Provos' systrace also has a ptrace backend, which
> could serve as a source of inspiration.

Thanks for the pointers, I had a quick look at them, but for now I think
I can get away with overriding all exec-family functions and posix_spawn(p).

Your help is highly appreciated, and was very helpful to get to a working
solution.

Thank you
Andreas
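An added example of the approach settled on above (this is editor-supplied illustration code, not code from the thread, from Andreas' library or from glibc): an execl() interposer that walks the va_list twice, first to count and then to fill a NULL-terminated argv[], records the call at the point where an audit or policy check would sit, and forwards to the array-based execv(). The function names varargs_to_argv and argv_from_list are this example's own.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Collect arg0 plus the NULL-terminated varargs in ap into a heap array (strings are
 * not copied). The terminating NULL is consumed, so an execle() hook can read envp
 * with one more va_arg() afterwards. The caller frees the array. */
char **varargs_to_argv(const char *arg0, va_list ap) {
    size_t n = 0;
    if (arg0 != NULL) {                     /* first pass: count on a copy */
        va_list probe;
        va_copy(probe, ap);
        for (n = 1; va_arg(probe, const char *) != NULL; n++) { }
        va_end(probe);
    }
    char **argv = calloc(n + 1, sizeof *argv);
    if (argv == NULL) return NULL;          /* errno is ENOMEM */
    argv[0] = (char *)arg0;
    for (size_t i = 1; i <= n; i++)         /* second pass: fill; argv[n] = NULL */
        argv[i] = va_arg(ap, char *);
    return argv;
}

/* The same conversion behind a plain variadic entry point (exercisable without exec). */
char **argv_from_list(const char *arg0, ...) {
    va_list ap;
    va_start(ap, arg0);
    char **argv = varargs_to_argv(arg0, ap);
    va_end(ap);
    return argv;
}

/* LD_PRELOAD interposer for execl(): unpack the varargs, record the call, forward to
 * execv(). execv() resolves to libc's here because this snippet does not interpose it;
 * a complete hook library wraps the execv* functions too and reaches the originals
 * via dlsym(RTLD_NEXT, ...). */
int execl(const char *path, const char *arg0, ...) {
    va_list ap;
    va_start(ap, arg0);
    char **argv = varargs_to_argv(arg0, ap);
    va_end(ap);
    if (argv == NULL) return -1;            /* errno already set; execl fails with -1 */
    fprintf(stderr, "[exec-hook] execl(%s) argv[0]=%s\n", path, argv[0] ? argv[0] : "(null)");
    int rc = execv(path, argv);             /* only returns on failure */
    int saved = errno;
    free(argv);
    errno = saved;
    return rc;
}
```

Built as a shared object and loaded via LD_PRELOAD, the same pattern (count, fill, forward) applies to execlp (forward to execvp) and execle (read envp after the NULL, forward to execve).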