[RFC][PATCH v2 0/6] binutils patches to add DT_GNU_UNIQUE

Vivek Das Mohapatra vivek@collabora.com
Mon Jun 29 09:29:56 GMT 2020 

> We need more than a flag.  We have at least these possible states:

Not sure this is the case: More details below.

>  * Unknown state (no indicator).
>  * The object can be loaded into multiple namespaces.
>  * The object can be loaded into one namespace [only]
>  * The object can be loaded into multiple namespaces, but subsequent
>    loads re-use the previous object.  (Current glbic behavior for
>    ld.so.)

> And perhaps (as a future extension):
>  * The object can be loaded multiple times into a single namspace.

> For glibc, I think we need to keep loading libc.so into multiple
> namespaces for LD_AUDIT support.  The audit modules need to be loaded
> very early, triggering the loading of libc.so.  Crucially, at this

The patch series already behaves like this. DF_1_UNIQUE (or whatever)
doesn't enforce any behaviour. What is implementes is the following:

   * dlmopen opens an object into a selected namespace (or a new one if
     requested)

   * if RTLD_SHARED is passed, the object is opened into the base NS
     and a proxy is placed in the target NS

   * if DF_1_UNIQUE is found, the target is treated as if RTLD_SHARED
     was passed

   * BUT if RTLD_ISOLATE is passed (which the audit loading pathways do)
     then RTLD_SHARED behaviour is suppressed.

So audit libraries still result in a separate libc, as before - but
_user_ dlmopen()ed objects get to share the libc/libpthread/etc of
the base NS _by default_ which results in less surprising behaviour
(like syscalls appearing to deadlock or apparent memory corruption
when if the wrong copy of free() is called).

> cannot apply LD_PRELOAD to audit namespaces.  All this suggests to me
> that the main program cannot in general use the same libc.so as an
> audit module.

Under the current design audit modules still don't use the same libc.

> Maybe we need to differentiate further between dlmopen and LD_AUDIT.
> In any case, a single DF_1_UNIQUE flag appears to be inadequate.

I _think_ you've understood the behaviour of DF_1_UNIQUE to be more
dictatorial than it is. I have deliberately (as previously discussed)
exempted LD_AUDIT from all the new shared libc behaviour.

Apologies if I have misunderstood your objection(s).

I will of course extend the tests so far written to add checks
for continued LD_AUDIT separation and for RTLD_ISOLATE behaviour
in general before submitting a final version of the patch so
we can be sure nothing has (or will) regress.

More information about the Libc-alpha mailing list