[PATCH v7 00/16] Multiple rtld-audit fixes
Adhemerval Zanella
adhemerval.zanella@linaro.org
Wed Dec 22 13:26:56 GMT 2021
This patchset fixes most of the rtld-audit issues brought by John
Mellor-Crummey [1] while trying to use it along with the HPCToolkit.
This should cover all the issues listed as 'Tier 1' [2] (the aarch64
SVE requires additional work, so it is postpone to 2.36) and also
most of the 'Tier2' issue (BZ#28096 inclusive) which prevents the use
of some glibc function that uses TLS internally on the audit module.
There is also some point brough by John Melloc-Crummey documents that
I don't have a straighforward answer so I haven't added on this
patchset:
1 la_activity(LA_ACT_ADD) is never called for auditor namespaces,
even though la_objopen and la_activity(LA_ACT_CONSISTENT) are.
There is no easy solution for this: we need at least to load the
*first* auditor to actually issue the la_activity(LA_ACT_ADD). It
means that it would *only* work for subsequent audit modules, and
adding this specific semantic is confusing and does not really
improve things (it only helps when multiple audit modules are used).
2. la_objopen is called for the main binary and for ld.so before the
first la_activity(LA_ACT_ADD) call. This contradicts the pattern
found in a successful dlopen (where la_activity(LA_ACT_ADD)
precedes la_objopen).
The constrain here is we need to handle DT_AUDIT and DT_DEPAUDIT
dynamic tags, which means we need to first load the executable in
memory to parse the required audit modules. So we need to first parse
the dynamic audit tags, load the audit modules, and then load the
object itself.
3. For non-PIE executables the base address listed in link_map->l_addr
for the main application binary is 0, even though dladdr is able to
recover the correct offset. La_objopen is affected by this.
This would require to change an internal semantic for link_map->l_addr.
This is not straighfoward and I am not sure about the direct gains.
I have checked the patches on x86_64, i686, aarch64, armv7, powerpc64,
powerpc64le, and powerpc.
[1] https://sourceware.org/pipermail/libc-alpha/2021-June/127636.html
[2] https://docs.google.com/document/d/1dVaDBdzySecxQqD6hLLzDrEF18M1UtjDna9gL5BWWI0/edit#
[3] https://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/azanella/ld-audit-fixes
Changes from v6:
- Dropped SVE, main application on main_map l_name, and Run
constructors if executable has a soname of a dependency patches.
- Bumped LAV_VERSION to 2 on la_symbind bind-now support.
- Added extension pointer on aarch64 fix.
- Moved the refactor patch at the start of the set.
- Changed _dl_audit_objsearch interface.
Changes from v5:
- Fixed build with --enable-profiling=yes.
- Moved la_activity (LA_ACT_ADD) *after* _dl_add_to_namespace_list()
for BZ#28062 fix.
- Fixed powerpc64 ELFv1 OPD toc setup for bind-now.
- Fixed testsuite issues for ia64.
- Removed LA_SYMB_BINDNOW now that LA_SYMB_NOPLTENTER and
LA_SYMB_NOPLTEXIT is passed for bind-now.
Changes from v4:
- Added a fix for constructors if executable has a soname of a
dependency
- Rebased against master.
Changes from v3
- Added a aarch64 SVE RFC patch.
- Fixed an issue with bind-now fix on powerpc64 ELFv1.
- Rebased against master.
Changes from v2
- Refactored rtld-audit code to move common come to dl-audit.c.
- Issue audit la_objopen() for vDSO.
- Isseu la_activity during application exit.
- Issue la_symbind() for bind-now (BZ #23734).
- Fix runtime linker auditing on aarch64 (BZ #26643)
Changes from v1
- Fixed -fstack-protector-all tst-auditmod17.
- Simplify the _dl_call_libc_early_init call the 'Fix audit
regression' patch.
- Remove symbind check fr BZ#15333.
- Added the BZ#28096 fix.
Adhemerval Zanella (15):
elf: Add _dl_audit_objopen
elf: Add _dl_audit_activity_map and _dl_audit_activity_nsid
elf: Add _dl_audit_objsearch
elf: Add _dl_audit_objclose
elf: Add _dl_audit_symbind_alt and _dl_audit_symbind
elf: Add _dl_audit_preinit
elf: Add _dl_audit_pltenter
elf: Add _dl_audit_pltexit
elf: Avoid unnecessary slowdown from profiling with audit (BZ#15533)
elf: Add audit tests for modules with TLSDESC
elf: Do not fail for failed dlmopen on audit modules (BZ #28061)
elf: Fix initial-exec TLS access on audit modules (BZ #28096)
elf: Issue audit la_objopen for vDSO
elf: Add la_activity during application exit
elf: Issue la_symbind for bind-now (BZ #23734)
Ben Woodard (1):
elf: Fix runtime linker auditing on aarch64 (BZ #26643)
NEWS | 7 +
bits/link_lavcurrent.h | 2 +-
csu/libc-start.c | 23 +-
elf/Makefile | 147 ++++++++-
elf/Versions | 1 +
elf/dl-audit.c | 385 ++++++++++++++++++++++
elf/dl-close.c | 67 +---
elf/dl-fini.c | 25 +-
elf/dl-load.c | 107 ++----
elf/dl-object.c | 20 +-
elf/dl-open.c | 22 +-
elf/dl-reloc.c | 20 +-
elf/dl-runtime.c | 252 ++------------
elf/dl-support.c | 8 +
elf/dl-sym-post.h | 47 +--
elf/dl-tls.c | 16 +-
elf/do-rel.h | 57 +++-
elf/rtld.c | 73 +---
elf/setup-vdso.h | 2 +-
elf/sotruss-lib.c | 6 +
elf/tst-audit-tlsdesc-dlopen.c | 67 ++++
elf/tst-audit-tlsdesc-mod1.c | 41 +++
elf/tst-audit-tlsdesc-mod2.c | 33 ++
elf/tst-audit-tlsdesc.c | 60 ++++
elf/tst-audit19a.c | 38 +++
elf/tst-audit19b.c | 94 ++++++
elf/tst-audit19bmod.c | 23 ++
elf/tst-audit20.c | 25 ++
elf/tst-audit21.c | 42 +++
elf/tst-audit22.c | 124 +++++++
elf/tst-audit23.c | 173 ++++++++++
elf/tst-audit23mod.c | 23 ++
elf/tst-audit24a.c | 36 ++
elf/tst-audit24amod1.c | 31 ++
elf/tst-audit24amod2.c | 25 ++
elf/tst-audit24b.c | 37 +++
elf/tst-audit24bmod1.c | 31 ++
elf/tst-audit24bmod2.c | 23 ++
elf/tst-audit24c.c | 2 +
elf/tst-audit24d.c | 36 ++
elf/tst-audit24dmod1.c | 33 ++
elf/tst-audit24dmod2.c | 28 ++
elf/tst-audit24dmod3.c | 31 ++
elf/tst-audit24dmod4.c | 25 ++
elf/tst-audit25a.c | 127 +++++++
elf/tst-audit25b.c | 128 +++++++
elf/tst-audit25mod1.c | 30 ++
elf/tst-audit25mod2.c | 30 ++
elf/tst-audit25mod3.c | 22 ++
elf/tst-audit25mod4.c | 22 ++
elf/tst-auditmod-tlsdesc.c | 25 ++
elf/tst-auditmod19a.c | 25 ++
elf/tst-auditmod19b.c | 46 +++
elf/tst-auditmod20.c | 57 ++++
elf/tst-auditmod21a.c | 80 +++++
elf/tst-auditmod21b.c | 22 ++
elf/tst-auditmod22.c | 51 +++
elf/tst-auditmod23.c | 69 ++++
elf/tst-auditmod24.h | 29 ++
elf/tst-auditmod24a.c | 114 +++++++
elf/tst-auditmod24b.c | 104 ++++++
elf/tst-auditmod24c.c | 3 +
elf/tst-auditmod24d.c | 120 +++++++
elf/tst-auditmod25.c | 79 +++++
include/dlfcn.h | 2 +
include/link.h | 4 +
sysdeps/aarch64/Makefile | 20 ++
sysdeps/aarch64/bits/link.h | 26 +-
sysdeps/aarch64/dl-audit-check.h | 28 ++
sysdeps/aarch64/dl-link.sym | 6 +-
sysdeps/aarch64/dl-trampoline.S | 99 ++++--
sysdeps/aarch64/tst-audit26.c | 37 +++
sysdeps/aarch64/tst-audit26mod.c | 33 ++
sysdeps/aarch64/tst-audit26mod.h | 50 +++
sysdeps/aarch64/tst-audit27.c | 64 ++++
sysdeps/aarch64/tst-audit27mod.c | 95 ++++++
sysdeps/aarch64/tst-audit27mod.h | 67 ++++
sysdeps/aarch64/tst-auditmod26.c | 103 ++++++
sysdeps/aarch64/tst-auditmod27.c | 180 ++++++++++
sysdeps/alpha/dl-trampoline.S | 8 +-
sysdeps/arm/dl-machine-rel.h | 2 +
sysdeps/arm/dl-trampoline.S | 2 +-
sysdeps/generic/dl-audit-check.h | 23 ++
sysdeps/generic/dl-fixup-attribute.h | 24 ++
sysdeps/generic/dl-lookupcfg.h | 3 +
sysdeps/generic/dl-machine-rel.h | 2 +
sysdeps/generic/ldsodefs.h | 52 +++
sysdeps/hppa/dl-lookupcfg.h | 3 +
sysdeps/hppa/dl-runtime.c | 2 +-
sysdeps/hppa/dl-trampoline.S | 6 +-
sysdeps/i386/dl-fixup-attribute.h | 30 ++
sysdeps/i386/dl-machine-rel.h | 2 +
sysdeps/i386/dl-machine.h | 23 --
sysdeps/i386/dl-trampoline.S | 2 +-
sysdeps/ia64/dl-lookupcfg.h | 3 +
sysdeps/ia64/dl-trampoline.S | 16 +-
sysdeps/m68k/dl-trampoline.S | 2 +-
sysdeps/mips/dl-machine-rel.h | 1 +
sysdeps/powerpc/dl-lookupcfg.h | 39 +++
sysdeps/powerpc/powerpc64/dl-trampoline.S | 4 +-
sysdeps/s390/s390-32/dl-trampoline.h | 4 +-
sysdeps/s390/s390-64/dl-trampoline.h | 2 +-
sysdeps/sh/dl-trampoline.S | 4 +-
sysdeps/sparc/sparc32/dl-trampoline.S | 2 +-
sysdeps/sparc/sparc64/dl-trampoline.S | 2 +-
sysdeps/x86_64/dl-runtime.h | 2 +-
sysdeps/x86_64/dl-trampoline.h | 6 +-
107 files changed, 3978 insertions(+), 658 deletions(-)
create mode 100644 elf/dl-audit.c
create mode 100644 elf/tst-audit-tlsdesc-dlopen.c
create mode 100644 elf/tst-audit-tlsdesc-mod1.c
create mode 100644 elf/tst-audit-tlsdesc-mod2.c
create mode 100644 elf/tst-audit-tlsdesc.c
create mode 100644 elf/tst-audit19a.c
create mode 100644 elf/tst-audit19b.c
create mode 100644 elf/tst-audit19bmod.c
create mode 100644 elf/tst-audit20.c
create mode 100644 elf/tst-audit21.c
create mode 100644 elf/tst-audit22.c
create mode 100644 elf/tst-audit23.c
create mode 100644 elf/tst-audit23mod.c
create mode 100644 elf/tst-audit24a.c
create mode 100644 elf/tst-audit24amod1.c
create mode 100644 elf/tst-audit24amod2.c
create mode 100644 elf/tst-audit24b.c
create mode 100644 elf/tst-audit24bmod1.c
create mode 100644 elf/tst-audit24bmod2.c
create mode 100644 elf/tst-audit24c.c
create mode 100644 elf/tst-audit24d.c
create mode 100644 elf/tst-audit24dmod1.c
create mode 100644 elf/tst-audit24dmod2.c
create mode 100644 elf/tst-audit24dmod3.c
create mode 100644 elf/tst-audit24dmod4.c
create mode 100644 elf/tst-audit25a.c
create mode 100644 elf/tst-audit25b.c
create mode 100644 elf/tst-audit25mod1.c
create mode 100644 elf/tst-audit25mod2.c
create mode 100644 elf/tst-audit25mod3.c
create mode 100644 elf/tst-audit25mod4.c
create mode 100644 elf/tst-auditmod-tlsdesc.c
create mode 100644 elf/tst-auditmod19a.c
create mode 100644 elf/tst-auditmod19b.c
create mode 100644 elf/tst-auditmod20.c
create mode 100644 elf/tst-auditmod21a.c
create mode 100644 elf/tst-auditmod21b.c
create mode 100644 elf/tst-auditmod22.c
create mode 100644 elf/tst-auditmod23.c
create mode 100644 elf/tst-auditmod24.h
create mode 100644 elf/tst-auditmod24a.c
create mode 100644 elf/tst-auditmod24b.c
create mode 100644 elf/tst-auditmod24c.c
create mode 100644 elf/tst-auditmod24d.c
create mode 100644 elf/tst-auditmod25.c
create mode 100644 sysdeps/aarch64/dl-audit-check.h
create mode 100644 sysdeps/aarch64/tst-audit26.c
create mode 100644 sysdeps/aarch64/tst-audit26mod.c
create mode 100644 sysdeps/aarch64/tst-audit26mod.h
create mode 100644 sysdeps/aarch64/tst-audit27.c
create mode 100644 sysdeps/aarch64/tst-audit27mod.c
create mode 100644 sysdeps/aarch64/tst-audit27mod.h
create mode 100644 sysdeps/aarch64/tst-auditmod26.c
create mode 100644 sysdeps/aarch64/tst-auditmod27.c
create mode 100644 sysdeps/generic/dl-audit-check.h
create mode 100644 sysdeps/generic/dl-fixup-attribute.h
create mode 100644 sysdeps/i386/dl-fixup-attribute.h
create mode 100644 sysdeps/powerpc/dl-lookupcfg.h
--
2.32.0
More information about the Libc-alpha
mailing list