From 44cf6547a328cb82b6fb5560503af2b4c2d887d8 Mon Sep 17 00:00:00 2001
From: Adhemerval Zanella
Date: Tue, 4 Jun 2024 14:38:42 -0300
Subject: elf: Add support to memory sealing for audit modules

The memory sealing is done after library loading and sanity check since an inexistent or wrong la_version might unload the library.

Checked on x86_64-linux-gnu and aarch64-linux-gnu.
---
 elf/rtld.c | 4 ++++
 manual/tunables.texi | 3 +++
 sysdeps/unix/sysv/linux/Makefile | 2 ++
 sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c | 23 +++++++++++++++++++++++
 sysdeps/unix/sysv/linux/tst-dl_mseal.c | 7 +++++--
 5 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c

diff --git a/elf/rtld.c b/elf/rtld.c
index 174389e..62ad127 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -1044,6 +1044,10 @@ ERROR: audit interface '%s' requires version %d (maximum supported version %d);
 
 /* Mark the DSO as being used for auditing. */
 dlmargs.map->l_auditing = 1;
+
+ /* Seal the audit modules and their dependencies. */
+ dlmargs.map->l_seal = lt_seal_toseal;
+ _dl_mseal_map (dlmargs.map, true);
 }
 
 /* Load all audit modules. */
diff --git a/manual/tunables.texi b/manual/tunables.texi
index a5cc08d..d15eabc 100644
--- a/manual/tunables.texi
+++ b/manual/tunables.texi
@@ -384,6 +384,9 @@ Any library loaded with @code{dlopen} with @code{RTLD_NODELETE} flag.
 @item
 Any runtime library used for process unwind (such as required by
 @code{backtrace} or @code{pthread_exit}).
+
+@item
+All audit modules and their dependencies.
 @end itemize
 
 The tunable accepts three diferent values: @samp{0} where sealing is disabled,
diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
index 808f9e5..ffadb56 100644
--- a/sysdeps/unix/sysv/linux/Makefile
+++ b/sysdeps/unix/sysv/linux/Makefile
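Review bot: The new comment above `dlmargs.map->l_seal = lt_seal_toseal;` says what is sealed but not why the sealing is placed here rather than right after the module is loaded; the commit message gives the reason and it belongs next to the code: `/* Seal only after the la_version sanity check: a missing or unsupported version unloads the module above, which a sealed mapping would no longer allow.  */`. Whether `_dl_mseal_map` consults the glibc.rtld.seal tunable is not visible in this hunk; if it does not, the unconditional assignment of `lt_seal_toseal` would seal audit modules even with sealing disabled, so that is worth confirming against the other call sites. The enclosing function starts outside the hunk.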
@@ -656,9 +656,11 @@ modules-names += \
 lib-tst-dl_mseal-dlopen-2 \
 lib-tst-dl_mseal-dlopen-2-1 \
 lib-tst-dl_mseal-preload \
+ tst-dl_mseal-auditmod \
 # modules-names
 
 $(objpfx)tst-dl_mseal.out: \
+ $(objpfx)tst-dl_mseal-auditmod.so \
 $(objpfx)lib-tst-dl_mseal-preload.so \
 $(objpfx)lib-tst-dl_mseal-1.so \
 $(objpfx)lib-tst-dl_mseal-2.so \
diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c b/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c
new file mode 100644
index 0000000..d909a15
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c
@@ -0,0 +1,23 @@
+/* Audit module for tst-dl_mseal test.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ . */
+
+unsigned int
+la_version (unsigned int v)
+{
+ return v;
+}
diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal.c b/sysdeps/unix/sysv/linux/tst-dl_mseal.c
index da1a3eb..ac60d73 100644
--- a/sysdeps/unix/sysv/linux/tst-dl_mseal.c
+++ b/sysdeps/unix/sysv/linux/tst-dl_mseal.c
@@ -35,6 +35,7 @@
 #include
 
 #define LIB_PRELOAD "lib-tst-dl_mseal-preload.so"
+#define LIB_AUDIT "tst-dl_mseal-auditmod.so"
 #define LIB_NEEDED_1 "lib-tst-dl_mseal-1.so"
 #define LIB_NEEDED_2 "lib-tst-dl_mseal-2.so"
 
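Review bot: In the new tst-dl_mseal-auditmod.c, `la_version` returns `v` unchanged with no comment, and the file has no `#include <link.h>`, so the definition is never checked against the declared audit prototype the way the other audit test modules are. Add `#include <link.h>` after the license header and a short note such as `/* Accept whatever interface version ld.so offers; this module only needs to be loaded so the test can check it was sealed.  */`. Returning the caller's version rather than LAV_CURRENT is fine for a test module, but stating it is useful because the rtld.c hunk seals the module only after this check passes.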
@@ -68,6 +69,7 @@ static const char *expected_sealed_libs[] =
 "ld.so",
 "tst-dl_mseal",
 LIB_PRELOAD,
+ LIB_AUDIT,
 LIB_NEEDED_1,
 LIB_NEEDED_2,
 LIB_DLOPEN_NODELETE,
@@ -247,11 +249,12 @@ do_test (int argc, char *argv[])
 spargv[i++] = (char *) "--restart";
 spargv[i] = NULL;
 
- char *envvarss[3];
+ char *envvarss[4];
 envvarss[0] = (char *) "GLIBC_TUNABLES=glibc.rtld.seal=2";
 #ifndef TEST_STATIC
 envvarss[1] = (char *) "LD_PRELOAD=" LIB_PRELOAD;
- envvarss[2] = NULL;
+ envvarss[2] = (char *) "LD_AUDIT=" LIB_AUDIT,
+ envvarss[3] = NULL;
 #else
 envvarss[1] = NULL;
 #endif
-- 
cgit v1.1
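Review bot: `LIB_AUDIT` is added to `expected_sealed_libs` unconditionally, while the `LD_AUDIT=` variable in the do_test hunk below is only set under `#ifndef TEST_STATIC`; unless the array is guarded outside this hunk or the static variant filters the list, a static build would expect a module it never loads. `LIB_PRELOAD` follows the same pattern, so presumably the preload case is already handled and the audit entry takes the same path — worth confirming with the static test. The array definition starts outside the hunk.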
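Review bot: `envvarss[2] = (char *) "LD_AUDIT=" LIB_AUDIT,` ends with a comma rather than a semicolon, so the following `envvarss[3] = NULL;` is joined into the same statement through the comma operator; it compiles and assigns both elements, but it is a typo and should read `envvarss[2] = (char *) "LD_AUDIT=" LIB_AUDIT;`. The `#else` branch leaves `envvarss[2]` and `envvarss[3]` unset, which is fine as long as the consumer stops at the `NULL` in `envvarss[1]` — presumably it does, as before the change. do_test's body continues outside the hunk.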