authorAdhemerval Zanella <adhemerval.zanella@linaro.org>2024-06-04 14:38:42 -0300
committerAdhemerval Zanella <adhemerval.zanella@linaro.org>2024-06-21 11:29:26 -0300
commit44cf6547a328cb82b6fb5560503af2b4c2d887d8 (patch)
treef955e9d88b07aa29877e7476d3b5c5da7fa94222
parentfa6cd21f529d4baf555d89a8fb7acabd89e79b0f (diff)
elf: Add support to memory sealing for audit modulesazanella/mseal
Memory sealing is done after the library has been loaded and sanity-checked, since a missing or wrong la_version might cause the library to be unloaded. Checked on x86_64-linux-gnu and aarch64-linux-gnu.
-rw-r--r--elf/rtld.c4
-rw-r--r--manual/tunables.texi3
-rw-r--r--sysdeps/unix/sysv/linux/Makefile2
-rw-r--r--sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c23
-rw-r--r--sysdeps/unix/sysv/linux/tst-dl_mseal.c7
5 files changed, 37 insertions, 2 deletions
diff --git a/elf/rtld.c b/elf/rtld.c
index 174389e..62ad127 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -1044,6 +1044,10 @@ ERROR: audit interface '%s' requires version %d (maximum supported version %d);
/* Mark the DSO as being used for auditing. */
dlmargs.map->l_auditing = 1;
+
+ /* Seal the audit modules and their dependencies. */
+ dlmargs.map->l_seal = lt_seal_toseal;
+ _dl_mseal_map (dlmargs.map, true);
}
/* Load all audit modules. */
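Review bot: The added comment above `dlmargs.map->l_seal = lt_seal_toseal;` does not record why sealing happens at this exact point, which is the part a later maintainer must not break: per the commit message the module may still be unloaded when the la_version check fails, and a sealed mapping could no longer be unmapped. I would extend it to `/* Seal the audit module and its dependencies. This is done only after the la_version check, since a rejected module must still be unloadable. */`. The bare `true` passed to `_dl_mseal_map` also deserves a word on what it selects, and if that function can report a failure the result is dropped here; its definition is not visible in this hunk, so that needs checking against the callee. The enclosing function starts and ends outside the hunk.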
diff --git a/manual/tunables.texi b/manual/tunables.texi
index a5cc08d..d15eabc 100644
--- a/manual/tunables.texi
+++ b/manual/tunables.texi
@@ -384,6 +384,9 @@ Any library loaded with @code{dlopen} with @code{RTLD_NODELETE} flag.
@item
Any runtime library used for process unwind (such as required by @code{backtrace}
or @code{pthread_exit}).
+
+@item
+All audit modules and their dependencies.
@end itemize
The tunable accepts three diferent values: @samp{0} where sealing is disabled,
diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
index 808f9e5..ffadb56 100644
--- a/sysdeps/unix/sysv/linux/Makefile
+++ b/sysdeps/unix/sysv/linux/Makefile
@@ -656,9 +656,11 @@ modules-names += \
lib-tst-dl_mseal-dlopen-2 \
lib-tst-dl_mseal-dlopen-2-1 \
lib-tst-dl_mseal-preload \
+ tst-dl_mseal-auditmod \
# modules-names
$(objpfx)tst-dl_mseal.out: \
+ $(objpfx)tst-dl_mseal-auditmod.so \
$(objpfx)lib-tst-dl_mseal-preload.so \
$(objpfx)lib-tst-dl_mseal-1.so \
$(objpfx)lib-tst-dl_mseal-2.so \
diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c b/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c
new file mode 100644
index 0000000..d909a15
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c
@@ -0,0 +1,23 @@
+/* Audit module for tst-dl_mseal test.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+unsigned int
+la_version (unsigned int v)
+{
+ return v;
+}
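Review bot: `la_version` here accepts whatever version it is offered, so the test only exercises the path where the audit module is kept and sealed. The commit message gives the rejection path (a missing or wrong la_version leading to an unload) as the reason sealing is deferred, and nothing in this change covers it. A second audit module whose `la_version` returns 0, together with a check that the process still starts and that the rejected module does not appear among the sealed mappings, would pin down the ordering that the rtld.c hunk relies on.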
diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal.c b/sysdeps/unix/sysv/linux/tst-dl_mseal.c
index da1a3eb..ac60d73 100644
--- a/sysdeps/unix/sysv/linux/tst-dl_mseal.c
+++ b/sysdeps/unix/sysv/linux/tst-dl_mseal.c
@@ -35,6 +35,7 @@
#include <support/xthread.h>
#define LIB_PRELOAD "lib-tst-dl_mseal-preload.so"
+#define LIB_AUDIT "tst-dl_mseal-auditmod.so"
#define LIB_NEEDED_1 "lib-tst-dl_mseal-1.so"
#define LIB_NEEDED_2 "lib-tst-dl_mseal-2.so"
@@ -68,6 +69,7 @@ static const char *expected_sealed_libs[] =
"ld.so",
"tst-dl_mseal",
LIB_PRELOAD,
+ LIB_AUDIT,
LIB_NEEDED_1,
LIB_NEEDED_2,
LIB_DLOPEN_NODELETE,
@@ -247,11 +249,12 @@ do_test (int argc, char *argv[])
spargv[i++] = (char *) "--restart";
spargv[i] = NULL;
- char *envvarss[3];
+ char *envvarss[4];
envvarss[0] = (char *) "GLIBC_TUNABLES=glibc.rtld.seal=2";
#ifndef TEST_STATIC
envvarss[1] = (char *) "LD_PRELOAD=" LIB_PRELOAD;
- envvarss[2] = NULL;
+ envvarss[2] = (char *) "LD_AUDIT=" LIB_AUDIT,
+ envvarss[3] = NULL;
#else
envvarss[1] = NULL;
#endif
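Review bot: The line `envvarss[2] = (char *) "LD_AUDIT=" LIB_AUDIT,` ends in a comma instead of a semicolon. It compiles only because the comma operator chains it with the following `envvarss[3] = NULL;`, so the array is still NULL-terminated today, but an edit that inserts a line between the two would silently change the meaning. It should read `envvarss[2] = (char *) "LD_AUDIT=" LIB_AUDIT;`. do_test continues outside the hunk.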