From: Eric Blake <eblake@redhat.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: libc-help@sourceware.org,
"libguestfs@redhat.com" <libguestfs@redhat.com>
Subject: Re: [Libguestfs] alternatives for hooking dlopen() without LD_LIBRARY_PATH or LD_AUDIT?
Date: Tue, 18 Feb 2020 21:32:00 -0000 [thread overview]
Message-ID: <cf414869-2f3f-ca70-9a16-e0fbfa4e4a0d@redhat.com> (raw)
In-Reply-To: <87d0adnt84.fsf@oldenburg2.str.redhat.com>
On 2/17/20 9:12 AM, Florian Weimer wrote:
> * Eric Blake:
>
>> I'm just now noticing that 'man ld' reports that you may pass '--audit
>> LIB' during linking to add a DT_DEPAUDIT dependency on a library
>> implementing the audit interface, which sounds like it might be an
>> alternative to LD_AUDIT for getting a library with la_objsearch() to
>> actually do something (but doesn't obviate the need for la_obsearch()
>> to be in a separate library, rather than part of the main executable,
>> unless a library can be reused as its own audit library...).
>
> DT_AUDIT support has yet to be implemented in glibc:
>
> <https://sourceware.org/bugzilla/show_bug.cgi?id=24943>
> <https://sourceware.org/ml/libc-alpha/2019-08/msg00705.html>
>
> If you go on record saying that you need this, maybe someone will review
> the patch. Sorry. 8-(
Another followup: nbdkit-vddk-plugin.so is now using a re-exec setup
[1], for several reasons:
1. all our other ideas tried so far (such as a dlopen() interposition in
the main nbdkit binary) touched more files and required more exported
APIs; we managed to get re-exec working with changes limited to just the
plugin (other than a minor change to nbdkit to quit messing with argv[]
so that /proc/self/cmdline would stay stable - but that did not require
a new API).
2. it turns out that overriding dlopen() was insufficient to work around
VDDK's setup [2]. It _did_ solve the initial dlopen() performed by
VDDK, but that library in turn had DT_NEEDED entries for bare library
names, which dlopen() does NOT affect but which la_objsearch() should.
3. for nbdkit, we want to minimize the number of binary files shipped;
the re-exec solution works with just the nbdkit binary and the
nbdkit-vddk-plugin.so. Any solution that requires a third file to be
shipped (be that a shared library providing dlopen, or a LD_AUDIT
library, or otherwise) is less palatable than the 2-binary solution that
our re-exec solution provides.
[1] https://github.com/libguestfs/nbdkit/commit/0c7ac4e655b
[2] https://www.redhat.com/archives/libguestfs/2020-February/msg00184.html
So with that said, here's a question I just thought of:
If your patch for glibc support for DT_AUDIT is incorporated, is it
possible to mark a shared library as its own audit library via DT_AUDIT?
That is, if nbdkit-vddk-plugin.so can provide entry points for _both_
the nbdkit interface (which satisfies dlopen() from the nbdkit binary)
and la_version/la_objsearch() (which satisfy the requirements for use
from the audit code in ld.so), _and_ during the compilation of
nbdkit-vddk-plugin.so, we marked the library as its own DT_AUDIT entry,
would the mere act of dlopen("nbdkit-vddk-plugin.so") from nbdkit be
sufficient to trigger audit actions such as la_objsearch() on all
subsequent shared loads (whether by dlopen() or DT_NEEDED) performed by
nbdkit-vddk-plugin.so and its descendant loaded libraries? Because if
so, we would have a use case where a single binary, set up to act as its
own audit library, might be sufficient to hook the shared object search
path without needing any of environment variable modification, a process
re-exec, or a third shipping binary - in which case that would indeed be
a nicer solution than the current re-exec solution we committed today
(of course, nbdkit would not be able to rely on that solution except on
systems with new enough glibc to support DT_AUDIT).
I guess even without DT_AUDIT support, I could at least answer the
question of whether a single .so can be used to satisfy both dlopen()
and LD_AUDIT interfaces at once by setting LD_AUDIT (where the only
remaining gap is figuring out when glibc can let DT_AUDIT have the same
effect). During my earlier attempts to get a working dlopen() override,
I didn't consider any solution that required setting LD_AUDIT, but now
that I proved dlopen() override alone was not enough for the case at
hand, having to re-exec to set LD_AUDIT is no worse than having to
re-exec to set LD_LIBRARY_PATH as a fallback to systems where glibc does
not support DT_AUDIT.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
next prev parent reply other threads:[~2020-02-18 21:32 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-14 19:02 Eric Blake
2020-02-14 21:29 ` [Libguestfs] " Eric Blake
2020-02-14 22:20 ` Carlos O'Donell
2020-02-17 15:04 ` Eric Blake
2020-02-17 15:12 ` Florian Weimer
2020-02-18 21:32 ` Eric Blake [this message]
2020-02-21 12:19 ` Florian Weimer
2020-02-21 13:26 ` Eric Blake
2020-02-21 14:51 ` Richard W.M. Jones
2020-02-21 15:00 ` Florian Weimer
2020-02-21 15:40 ` Richard W.M. Jones
2020-02-21 16:02 ` Florian Weimer
2020-02-21 17:42 ` Richard W.M. Jones
2020-02-21 20:28 ` Eric Blake
2020-02-21 20:21 ` Eric Blake
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cf414869-2f3f-ca70-9a16-e0fbfa4e4a0d@redhat.com \
--to=eblake@redhat.com \
--cc=fweimer@redhat.com \
--cc=libc-help@sourceware.org \
--cc=libguestfs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).