From patchwork Mon Sep 30 20:08:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella X-Patchwork-Id: 831578 Delivered-To: patch@linaro.org Received: by 2002:a5d:66c8:0:b0:367:895a:4699 with SMTP id k8csp2121157wrw; Mon, 30 Sep 2024 13:11:24 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWeq9jUVaa9AZQpOrk9U5sGjl/GEhFh0n54AOjH1WqOwj8RbLIKsPRS7ynrL9qb2oeUyEWsLw==@linaro.org X-Google-Smtp-Source: AGHT+IEoBvjtj90KKtiktVISMiqJk5QiI8G/o3tvCGnqWkE3qPM6f1o+tKKSu7+lBIWcrqY+fmHm X-Received: by 2002:a05:620a:4442:b0:7ac:b99b:48ef with SMTP id af79cd13be357-7ae5b806974mr117781885a.10.1727727083802; Mon, 30 Sep 2024 13:11:23 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1727727083; cv=pass; d=google.com; s=arc-20240605; b=cEkp/0bVRLJsy0/6K23CzjtCN0VbHabjYTn6cxGdej0xc1zlw8Vlu+e6e2VzwsrcXW WIM5Q8ywAJSSnzqenFzkiUBsv3fHTe+7GFSLx0qCipuC3tgW9f+I5gph1IkpKce6N2Gh SOQyaY9vLfRm54N7w/ttbJ8epeIqoBZ92xgXxIXPaObG02k3gf2ps7axCwx0BGN007qV 6JYfmKyG3PDb2Ve30Yf4x9SUmEhaeK23OWmmaDNWlLLWVb8Xg8V+Kao9mpEa8ht52xhB k0bsLL4rfOAJgoh08bJpkHOBYmWyYvq4QdNMDNn5PQzIt5H4wtYHBlxbo4pylawyQOVH RzIg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:message-id:date:subject:cc:to:from:dkim-signature :arc-filter:dmarc-filter:delivered-to; bh=YAK5hb2R88yxkNEJv29csteRw81NdOFRCOCY/R5szWc=; fh=3tUIaab7WH3k5DYf15UFmY7vUQNGmrLDHVJFJrkNDfY=; b=A1q2L+WUNjG9N3+UnKrEHIkjV1V27vZQ36MYZNgYxot4cqxuhNbnstj3FFYqa6bQT7 CdERThdxikCgNcRL1h3ZntgENE7auSI/qh7DmLRVAh/ijisLKnbl5b/N0T0BNdxZA28N BynTt2oC04IAG2KXwsuZCGVmH5JoPje0gBXQReNsHSy3kCZQKoAVLbS0drMn3XiHoPQm vrCasLL8RdWkwk/OSRJDs0a2WiE/LmfkhMaknWAD2f5RWWTdATIgJ0oM+FupdVw4vuKP f3fmqxmQ3rFnw7PlJVa2ArH6x4BCM/p60NdpbNuWJDc0bcV3OppQ0kPyeybpZLCZ+2Tt Nu/g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=HexKaFyq; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces~patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) smtp.mailfrom="libc-alpha-bounces~patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from server2.sourceware.org (server2.sourceware.org. [2620:52:3:1:0:246e:9693:128c]) by mx.google.com with ESMTPS id af79cd13be357-7ae37837de6si931081685a.285.2024.09.30.13.11.23 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Sep 2024 13:11:23 -0700 (PDT) Received-SPF: pass (google.com: domain of libc-alpha-bounces~patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) client-ip=2620:52:3:1:0:246e:9693:128c; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=HexKaFyq; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces~patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) smtp.mailfrom="libc-alpha-bounces~patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 6375538449CF for ; Mon, 30 Sep 2024 20:11:23 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pf1-x42d.google.com (mail-pf1-x42d.google.com [IPv6:2607:f8b0:4864:20::42d]) by sourceware.org (Postfix) with ESMTPS id 731A2384646C for ; Mon, 30 Sep 2024 20:08:43 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 731A2384646C Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 731A2384646C Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::42d ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1727726926; cv=none; b=bSlxqTy2h6Dpvvi2Yv5+uJ5MbzJqZ/oTiIPq6BSOIGPohHCxngx22GAqHxC/qlEfGkawLFRIuGQypQufKlPViZsaSPYKUHHPzPkvkr2nJHOwmm4ohoTVAWIZL8yt1vGNxvbgJ3X+T7gEfXnLQ0Gzf+vTtLLX9DQvL0Zt53Avcy4= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1727726926; c=relaxed/simple; bh=hOhf3QjtdSp8YJJC7Qpf3TiGlpURvt5H29HDsteZ+nU=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=R8ks4d78g9aIZG7agWjFlC5D07h6f+BIVTtvTh6D0QSzGeTDE+Gh2C95l/xFP0y6Mdo5s7TPHVG7XPWbO/Gsu8Svj7X/NkNlWMcSTBoPc4x2A6fWo9UGiVnipVDnwg7MHhx7Yukzw4tVtf6EqYGZqC1xyFFbd+Z8JsxPxA+Gt/Y= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pf1-x42d.google.com with SMTP id d2e1a72fcca58-718d91eef2eso3354990b3a.1 for ; Mon, 30 Sep 2024 13:08:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1727726922; x=1728331722; darn=sourceware.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=YAK5hb2R88yxkNEJv29csteRw81NdOFRCOCY/R5szWc=; b=HexKaFyqeRW1g/bm5MIT1RTOgZBWch2GXV7+Inx7npn9z9fP4S5KBDSqCEPlP+ornb 8smyyKimeKYi43uIO+0o4gaqT2+J1o9S5hLmLQhAUMWW0l39FcBfOsHckiVoMtTVOUYy 4ql/FATB/5XseR2Q/DCb8kSu2gdyUZltnHrGD5rwxnywrLAPinCUUtIvx7ys4rmi3lmX TEsoYVbnR2aJJ4yFyRBdPh2yITS79oq7R78K6s5VvTWJHyRggBp/puM3YoQeWE6fo5oK Cfkz0gp/LOJQFzALr49Tv5j22oH06j1qtUM3YuEE6h5YmKfr9Rha1BRMkMUKh2ycvvc3 kY/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727726922; x=1728331722; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=YAK5hb2R88yxkNEJv29csteRw81NdOFRCOCY/R5szWc=; b=HBignQ2F+D8w0asc0KAEyXX+l0gvVAe5ht9AxItDE9OHIwR8gMeMpRh11wVhVVPiCZ eitVFzfhH3PsNgKjNfQwnF/GJAsqUIGnB2WlUycgQAPycfbCSL/jgc4xSD7mTQK3+Zqk xxqzvUKPPTvRUv1ymmBHezGt/bF7XRMMdsxXJarMVNny2ABGnOF3/oCdUpmLOOyFyeec dNpKaPsN1SxhvLhbkuOCii1FKfT2kTMMqJbg3zwsSV8ZRZ47aqOthBie3Qqz9tp63FaF yQDg3YWlLv5MQPBgxOuMfrS1r/yZaZL5yHQxvpgFLGkmcrKqmfqZyek5xPky+RGh58fc D9og== X-Gm-Message-State: AOJu0YxhVijemCu/I6NzbokRZFCiM+tztfi1eS6my/xh/oHsFwUlHAcP 6IvCnvpCt56mEZ+0NBmcBk5WWVhw1GCeCU9Mxhwy4AClEH+5E7keDdR9gs3rAFjSXVLUk5X2hlA sl1A= X-Received: by 2002:a05:6a00:61c2:b0:718:d4e4:a10a with SMTP id d2e1a72fcca58-71db79f374bmr960393b3a.4.1727726921765; Mon, 30 Sep 2024 13:08:41 -0700 (PDT) Received: from ubuntu-vm.. (201-92-183-102.dsl.telesp.net.br. [201.92.183.102]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-7e6db2c4845sm6869565a12.43.2024.09.30.13.08.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Sep 2024 13:08:41 -0700 (PDT) From: Adhemerval Zanella To: libc-alpha@sourceware.org Cc: Stephen Roettger , Jeff Xu , Florian Weimer , Mike Hommey , Adhemerval Zanella Subject: [PATCH v3 0/9] Add support for memory sealing Date: Mon, 30 Sep 2024 17:08:22 -0300 Message-Id: <20240930200831.1669010-1-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, RCVD_IN_BARRACUDACENTRAL, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces~patch=linaro.org@sourceware.org The Linux 6.10 (8be7258aad44b5e25977a98db136f677fa6f4370) added the mseal syscall that allows blocking some memory operations on the VMA range: * Unmapping, moving to another location, extending or shrinking the size, munmap, and mremap. * Moving or expanding a different VMA into the current location, via mremap. * Modifying the memory range with mmap along with flag MAP_FIXED. * Expanding the size with mremap. * Change the protection flags with mprotect or pkey_mprotect. * Destructive behaviors on anonymous memory, such as madvice with MADV_DONTNEED. Memory sealing is useful as a hardening mechanism to avoid either remapping the memory segments or changing the memory protection segments layout by the dynamic loader (for instance, the RELRO hardening). A similar hardening is done by OpenBSD with the mimmutable syscall [1]. The sealing is an opt-in security feature that requires a new GNU property GNU_PROPERTY_MEMORY_SEAL to indicate that the ELF module supports and should use memory sealing if the loader supports it. Previous versions [2] had the sealing as an opt-out feature, however, it has some drawbacks where the backport is not straightforward, there is no clear semantic if memory sealing is a hint or requirement, some programs bypass the loader to apply relocation themselves and are incompatible with an opt-out feature [3], and it deviates from how other security hardening was added on Linux ecosystem (such as RELRO and non-executable stacks). A GNU property is used instead of a new dynamic section tag (like the one proposed for DT_GNU_FLAGS_1) because the memory sealing should be selectable for ET_EXEC and not only for ET_DYN. It also fits new opt-in security features like x86 CET or AArch64 BTI. The first patch adds the mseal support for Linux. Although most programs will not use it directly, some specific ones, like Chrome, intend to use it. The second and third patches are requirements to enable memory sealing to work on executables, where they add gnu property parsing on the loader and static binaries. The fourth patch moves 'call_init_paths' after gnu attribute parsing, so the loader can seal the rtld_malloc pages (since they are meant to be immutable over process execution). The fifth patch propagates the RTLD_NODELETE flag in case of dlopen. It will be used to extend memory sealing for the object dependencies. The sixth patch adds the memory sealing supports in multiple places where the page is supposed to be immutable over program execution: * All shared library dependencies from the binary, including the read-only segments after PT_GNU_RELRO setup. * The binary itself, including dynamic and static links. In both cases, it is up either to binary or the loader to set up the sealing. * Any preload libraries. * Any library loaded with dlopen with RTLD_NODELETE flag (including libgcc.so loaded to enable process unwind and thread cancellation). * Audit modules. * The loader bump allocator. The seventh patch makes glibc enable memory sealing as default if the linker supports the option (-Wl,memory-seal). A new configure option, --disable-default-memory-seal, disable it. The eighth patch adds memory sealing tests, they are enabled if the linker supports it. The last patch adds a new tunable, glibc.rtld.seal, which can be used to enforce memory sealing even if the programs or dependencies do not have the GNU_PROPERTY_MEMORY_SEAL. The tunable accepts two different values: * '0': where loaders follow the GNU_PROPERTY_MEMORY_SEAL attribute if * present. This is the default and no sealing would be applied if the * object does not have the memory sealing attribute. * '1': where sealing is enforced even if the object does not have the * GNU_PROPERTY_MEMORY_SEAL. Also, any syscall failure on memory sealing * aborts the programs. This patchset does not delay RELRO activation until after their ELF constructors have been executed, as suggested on the previous RFC for mseal support. It is not strictly required, and it requires extensive changes on_dl_start_user to either make _dl_init call RELRO/sealing setup after ctor/initarray is done, or call it after _dl_init. There is also the question of whether to apply RELRO/sealing per module after dtor/initarray or in bulk after _dt_init. I tested on both x86_64-linux-gnu and aarch64-linux-gnu with Linux 6.11, along with some testing on a powerpc64le-linux-gnu VM. [1] https://man.openbsd.org/mimmutable.2 [2] https://sourceware.org/pipermail/libc-alpha/2024-August/158836.html [3] https://glandium.org/blog/?p=4297 Changes v2->v3: * Make the option opt-int instead of opt-out. Adhemerval Zanella (9): linux: Add mseal syscall support elf: Parse gnu properties for static linked binaries elf: Parse gnu properties for the loader rtld: Move call_init_paths after _dl_process_pt_gnu_property elf: Use RTLD_NODELETE for dependencies elf: Add support to memory sealing Enable memory sealing automatically linux: Add memory sealing tests elf: Add glibc.rtld.seal tunable INSTALL | 5 + Makeconfig | 17 ++ Makerules | 2 + NEWS | 20 ++ configure | 57 ++++ configure.ac | 19 ++ elf/Makefile | 1 + elf/dl-load.c | 7 + elf/dl-map-segments.h | 6 + elf/dl-minimal-malloc.c | 3 + elf/dl-mseal-mode.h | 28 ++ elf/dl-open.c | 7 +- elf/dl-reloc.c | 64 ++++ elf/dl-support.c | 22 ++ elf/dl-tunables.list | 6 + elf/elf.h | 2 + elf/rtld.c | 27 +- elf/setup-vdso.h | 2 + elf/tst-rtld-list-tunables.exp | 1 + include/link.h | 8 + manual/install.texi | 5 + manual/memory.texi | 66 +++++ manual/tunables.texi | 35 +++ sysdeps/aarch64/dl-prop.h | 5 + sysdeps/generic/dl-mseal.h | 23 ++ sysdeps/generic/dl-prop-mseal.h | 36 +++ sysdeps/generic/dl-prop.h | 5 + sysdeps/generic/ldsodefs.h | 14 + sysdeps/unix/sysv/linux/Makefile | 107 +++++++ sysdeps/unix/sysv/linux/Versions | 1 + sysdeps/unix/sysv/linux/aarch64/libc.abilist | 1 + sysdeps/unix/sysv/linux/alpha/libc.abilist | 1 + sysdeps/unix/sysv/linux/arc/libc.abilist | 1 + sysdeps/unix/sysv/linux/arm/be/libc.abilist | 1 + sysdeps/unix/sysv/linux/arm/le/libc.abilist | 1 + sysdeps/unix/sysv/linux/bits/mman-shared.h | 8 + sysdeps/unix/sysv/linux/csky/libc.abilist | 1 + sysdeps/unix/sysv/linux/dl-mseal.c | 48 +++ sysdeps/unix/sysv/linux/dl-mseal.h | 27 ++ sysdeps/unix/sysv/linux/hppa/libc.abilist | 1 + sysdeps/unix/sysv/linux/i386/libc.abilist | 1 + sysdeps/unix/sysv/linux/kernel-features.h | 8 + .../sysv/linux/loongarch/lp64/libc.abilist | 1 + .../sysv/linux/m68k/coldfire/libc.abilist | 1 + .../unix/sysv/linux/m68k/m680x0/libc.abilist | 1 + .../sysv/linux/microblaze/be/libc.abilist | 1 + .../sysv/linux/microblaze/le/libc.abilist | 1 + .../sysv/linux/mips/mips32/fpu/libc.abilist | 1 + .../sysv/linux/mips/mips64/n32/libc.abilist | 1 + .../sysv/linux/mips/mips64/n64/libc.abilist | 1 + sysdeps/unix/sysv/linux/nios2/libc.abilist | 1 + sysdeps/unix/sysv/linux/or1k/libc.abilist | 1 + .../linux/powerpc/powerpc32/fpu/libc.abilist | 1 + .../powerpc/powerpc32/nofpu/libc.abilist | 1 + .../linux/powerpc/powerpc64/be/libc.abilist | 1 + .../linux/powerpc/powerpc64/le/libc.abilist | 1 + .../unix/sysv/linux/riscv/rv32/libc.abilist | 1 + .../unix/sysv/linux/riscv/rv64/libc.abilist | 1 + .../unix/sysv/linux/s390/s390-32/libc.abilist | 1 + .../unix/sysv/linux/s390/s390-64/libc.abilist | 1 + sysdeps/unix/sysv/linux/sh/be/libc.abilist | 1 + sysdeps/unix/sysv/linux/sh/le/libc.abilist | 1 + .../sysv/linux/sparc/sparc32/libc.abilist | 1 + .../sysv/linux/sparc/sparc64/libc.abilist | 1 + sysdeps/unix/sysv/linux/syscalls.list | 1 + .../sysv/linux/tst-dl_mseal-auditmod-noseal.c | 1 + .../unix/sysv/linux/tst-dl_mseal-auditmod.c | 23 ++ .../unix/sysv/linux/tst-dl_mseal-dlopen-1-1.c | 19 ++ .../unix/sysv/linux/tst-dl_mseal-dlopen-1.c | 19 ++ .../linux/tst-dl_mseal-dlopen-2-1-noseal.c | 19 ++ .../unix/sysv/linux/tst-dl_mseal-dlopen-2-1.c | 19 ++ .../sysv/linux/tst-dl_mseal-dlopen-2-noseal.c | 19 ++ .../unix/sysv/linux/tst-dl_mseal-dlopen-2.c | 19 ++ .../sysv/linux/tst-dl_mseal-mod-1-noseal.c | 19 ++ sysdeps/unix/sysv/linux/tst-dl_mseal-mod-1.c | 19 ++ .../sysv/linux/tst-dl_mseal-mod-2-noseal.c | 19 ++ sysdeps/unix/sysv/linux/tst-dl_mseal-mod-2.c | 19 ++ sysdeps/unix/sysv/linux/tst-dl_mseal-noseal.c | 74 +++++ .../sysv/linux/tst-dl_mseal-preload-noseal.c | 1 + .../unix/sysv/linux/tst-dl_mseal-preload.c | 19 ++ .../unix/sysv/linux/tst-dl_mseal-skeleton.c | 278 ++++++++++++++++++ .../sysv/linux/tst-dl_mseal-static-noseal.c | 45 +++ sysdeps/unix/sysv/linux/tst-dl_mseal-static.c | 42 +++ .../unix/sysv/linux/tst-dl_mseal-tunable.c | 76 +++++ sysdeps/unix/sysv/linux/tst-dl_mseal.c | 72 +++++ sysdeps/unix/sysv/linux/tst-mseal.c | 67 +++++ .../unix/sysv/linux/x86_64/64/libc.abilist | 1 + .../unix/sysv/linux/x86_64/x32/libc.abilist | 1 + sysdeps/x86/dl-prop.h | 4 + 89 files changed, 1611 insertions(+), 6 deletions(-) create mode 100644 elf/dl-mseal-mode.h create mode 100644 sysdeps/generic/dl-mseal.h create mode 100644 sysdeps/generic/dl-prop-mseal.h create mode 100644 sysdeps/unix/sysv/linux/dl-mseal.c create mode 100644 sysdeps/unix/sysv/linux/dl-mseal.h create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod-noseal.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-dlopen-1-1.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-dlopen-1.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-dlopen-2-1-noseal.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-dlopen-2-1.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-dlopen-2-noseal.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-dlopen-2.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-mod-1-noseal.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-mod-1.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-mod-2-noseal.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-mod-2.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-noseal.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-preload-noseal.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-preload.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-skeleton.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-static-noseal.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-static.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-tunable.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal.c create mode 100644 sysdeps/unix/sysv/linux/tst-mseal.c