This is the mail archive of the libc-help@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [Libguestfs] alternatives for hooking dlopen() without LD_LIBRARY_PATH or LD_AUDIT?

From: Eric Blake <eblake at redhat dot com>
To: Florian Weimer <fweimer at redhat dot com>
Cc: libc-help at sourceware dot org, "libguestfs at redhat dot com" <libguestfs at redhat dot com>
Date: Tue, 18 Feb 2020 15:31:56 -0600
Subject: Re: [Libguestfs] alternatives for hooking dlopen() without LD_LIBRARY_PATH or LD_AUDIT?
References: <8cf57641-c31e-3db5-49af-d9d7407a9cb8@redhat.com> <39d94f06-5793-16b5-1372-df3248924671@redhat.com> <3ee96b3f-231b-737f-299a-4406f108c30f@redhat.com> <87d0adnt84.fsf@oldenburg2.str.redhat.com>

On 2/17/20 9:12 AM, Florian Weimer wrote:

* Eric Blake:

I'm just now noticing that 'man ld' reports that you may pass '--audit
LIB' during linking to add a DT_DEPAUDIT dependency on a library
implementing the audit interface, which sounds like it might be an
alternative to LD_AUDIT for getting a library with la_objsearch() to
actually do something (but doesn't obviate the need for la_obsearch()
to be in a separate library, rather than part of the main executable,
unless a library can be reused as its own audit library...).


DT_AUDIT support has yet to be implemented in glibc:

   <https://sourceware.org/bugzilla/show_bug.cgi?id=24943>
   <https://sourceware.org/ml/libc-alpha/2019-08/msg00705.html>

If you go on record saying that you need this, maybe someone will review
the patch.  Sorry. 8-(

Another followup: nbdkit-vddk-plugin.so is now using a re-exec setup[1], for several reasons:1. all our other ideas tried so far (such as a dlopen() interposition inthe main nbdkit binary) touched more files and required more exportedAPIs; we managed to get re-exec working with changes limited to just theplugin (other than a minor change to nbdkit to quit messing with argv[]so that /proc/self/cmdline would stay stable - but that did not requirea new API).2. it turns out that overriding dlopen() was insufficient to work aroundVDDK's setup [2]. It _did_ solve the initial dlopen() performed byVDDK, but that library in turn had DT_NEEDED entries for bare librarynames, which dlopen() does NOT affect but which la_objsearch() should.3. for nbdkit, we want to minimize the number of binary files shipped;the re-exec solution works with just the nbdkit binary and thenbdkit-vddk-plugin.so. Any solution that requires a third file to beshipped (be that a shared library providing dlopen, or a LD_AUDITlibrary, or otherwise) is less palatable than the 2-binary solution thatour re-exec solution provides.


[1] https://github.com/libguestfs/nbdkit/commit/0c7ac4e655b
[2] https://www.redhat.com/archives/libguestfs/2020-February/msg00184.html

So with that said, here's a question I just thought of:

If your patch for glibc support for DT_AUDIT is incorporated, is itpossible to mark a shared library as its own audit library via DT_AUDIT?That is, if nbdkit-vddk-plugin.so can provide entry points for _both_the nbdkit interface (which satisfies dlopen() from the nbdkit binary)and la_version/la_objsearch() (which satisfy the requirements for usefrom the audit code in ld.so), _and_ during the compilation ofnbdkit-vddk-plugin.so, we marked the library as its own DT_AUDIT entry,would the mere act of dlopen("nbdkit-vddk-plugin.so") from nbdkit besufficient to trigger audit actions such as la_objsearch() on allsubsequent shared loads (whether by dlopen() or DT_NEEDED) performed bynbdkit-vddk-plugin.so and its descendant loaded libraries? Because ifso, we would have a use case where a single binary, set up to act as itsown audit library, might be sufficient to hook the shared object searchpath without needing any of environment variable modification, a processre-exec, or a third shipping binary - in which case that would indeed bea nicer solution than the current re-exec solution we committed today(of course, nbdkit would not be able to rely on that solution except onsystems with new enough glibc to support DT_AUDIT).

I guess even without DT_AUDIT support, I could at least answer thequestion of whether a single .so can be used to satisfy both dlopen()and LD_AUDIT interfaces at once by setting LD_AUDIT (where the onlyremaining gap is figuring out when glibc can let DT_AUDIT have the sameeffect). During my earlier attempts to get a working dlopen() override,I didn't consider any solution that required setting LD_AUDIT, but nowthat I proved dlopen() override alone was not enough for the case athand, having to re-exec to set LD_AUDIT is no worse than having tore-exec to set LD_LIBRARY_PATH as a fallback to systems where glibc doesnot support DT_AUDIT.


--
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

Follow-Ups:
- Re: [Libguestfs] alternatives for hooking dlopen() without LD_LIBRARY_PATH or LD_AUDIT?
  - From: Florian Weimer

References:
- alternatives for hooking dlopen() without LD_LIBRARY_PATH or LD_AUDIT?
  - From: Eric Blake
- Re: [Libguestfs] alternatives for hooking dlopen() without LD_LIBRARY_PATH or LD_AUDIT?
  - From: Eric Blake
- Re: [Libguestfs] alternatives for hooking dlopen() without LD_LIBRARY_PATH or LD_AUDIT?
  - From: Eric Blake
- Re: [Libguestfs] alternatives for hooking dlopen() without LD_LIBRARY_PATH or LD_AUDIT?
  - From: Florian Weimer

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]