From patchwork Tue Oct 17 13:05:10 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 734382 Delivered-To: patch@linaro.org Received: by 2002:adf:f0cd:0:b0:32d:baff:b0ca with SMTP id x13csp468410wro; Tue, 17 Oct 2023 06:06:32 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGhY4Z/yRPEC6VWuQhAHeOO2fsqjSdRlwC4KwPo7JGjn5ggsj/gFHXbNrBBjj4mS0tk51sR X-Received: by 2002:a1f:2f13:0:b0:49a:1a56:945c with SMTP id v19-20020a1f2f13000000b0049a1a56945cmr2258270vkv.13.1697547991962; Tue, 17 Oct 2023 06:06:31 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1697547991; cv=pass; d=google.com; s=arc-20160816; b=A/Xx+W+tkKcyDlfMfaWrYaJeqj9nkKXwUny46vWvgWJUWiyLBkqd/O2SEk0XoKVeSi BrvDLh9szfpJGxbiOwYvdATeozFU5aqkmfcuDu3ULnKgvFFBABR1jiP3KYMeoTdPnhID wG64BCz+EZzPWDSF6oTj1Do3rcAqHl1zP6aVDwRY7Ab3L/5vD0x7Y24PhSUr8cdewGCp zHPxLUcOc5zCanLEdxUR88TFgb4/u9MgtZuWsVbRaWLayPcmpDAOWpWd1/CZQ+ErKPwi lWDr8lb9mJxeLFuQqrvXAxUoiX9bJvz1GXsDL/Qhmxlrnw3BvnWO2UNv8XVKgwsXziYr DITA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:to:from :dkim-signature:arc-filter:dmarc-filter:delivered-to; bh=KVQ5Y3mpHXZuJtRWD67BmnhW4idpLN+oosIj7hO8HjE=; fh=+FUb54tScwW7D3lvWhZcQBi30wyNNn2DusdH7ahfqKk=; b=u6AfQpm0vM5ke5kjOZLgip2dNw7MZfvuBJ4xGjvfvIL2nLM14ocoyh/yJjDKas0kID OVDkygVHDRrXGJ00m6dU51khDAWe7hjuZGfSrBVcTx3J+3adeISPaU3k0Sx2AZcA8Gz5 v9fyeJLj6mO+MDnBMMmApxVrLiWIJgCAuuEiy+TiPem6CG/14Rk2JwKODer+PDKFmxHp FS6eqJ6scAhyRu2GtJRCf7iZdWQYeDkdP4XBKRnYnBtZDtQieArroWVBSA7G/6nIN1lL bZqPqKWH1zU1dK2Zy4Bd+CJwBv/+0PkWQpkx9mpH1b3FIv6KRofBA8qKJR+Kpd/3+Izk CJqg== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Q+bKWZJ5; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces+patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) smtp.mailfrom="libc-alpha-bounces+patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from server2.sourceware.org (server2.sourceware.org. [2620:52:3:1:0:246e:9693:128c]) by mx.google.com with ESMTPS id g124-20020a1f9d82000000b0049d175d7606si131236vke.69.2023.10.17.06.06.31 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Oct 2023 06:06:31 -0700 (PDT) Received-SPF: pass (google.com: domain of libc-alpha-bounces+patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) client-ip=2620:52:3:1:0:246e:9693:128c; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Q+bKWZJ5; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces+patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) smtp.mailfrom="libc-alpha-bounces+patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 88B74385B800 for ; Tue, 17 Oct 2023 13:06:31 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-oi1-x22a.google.com (mail-oi1-x22a.google.com [IPv6:2607:f8b0:4864:20::22a]) by sourceware.org (Postfix) with ESMTPS id 673323858D33 for ; Tue, 17 Oct 2023 13:06:23 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 673323858D33 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 673323858D33 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::22a ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1697547986; cv=none; b=bCgxQE8HpLTqtpvTeaOm1j+3ZERokMKRC149B4GeNaH7RLEU/3t98Ev7jE65uRgUy3P+tFwH43bte5iRGw3iI1PIpFTzXRZ2M9QQDIUb/6zmE9EL4eP8cRA++S2A7Q4R6zDTo6TxKSpLr0Ufee1fPZkOTnoYq8vX3CN4qYgYDkY= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1697547986; c=relaxed/simple; bh=1pKpVAu0hyclyzG9sso0M1FtiG7LQXL092jpzgXBlGM=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=KSOWb54Os1lhH5Pq6NVqkjHbdf7FoCw0RoJak++5Kc59fbN4wpSpsh1okowzY+u7ysDHIjkBuspjkAYTHxNoQAAzgHwIF5v8O5O0fqgCwvpBnn56HKN+P5SU1sbhSlkxhWV5YLMz3Z2S+sD9y+3fnQln2rwRkdWs0btB6JKl7Sg= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-oi1-x22a.google.com with SMTP id 5614622812f47-3af604c3f8fso3496667b6e.1 for ; Tue, 17 Oct 2023 06:06:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1697547982; x=1698152782; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=KVQ5Y3mpHXZuJtRWD67BmnhW4idpLN+oosIj7hO8HjE=; b=Q+bKWZJ5CoWYK3W8bAL2jUc1j1B1xC/ADNyCJBFqhGRQ8VdVkSYY3BQ1YlQo17P8fd Wkhm2SzC1IJaW6v9pSTchqjJfKiUpSsdu8IaFjvKyobyPFlCzE8+Pkrh/rBireMjw0W/ Qbw7pgxEJq4z8T+sseXR3WHJyn4dSSkMGxekixBke2n3CUPninPIaR2IeMruqHeODyF4 Hpxhz4aJleFGoJqoiIVPzxfgk7VUNijMlsGBbX8HUEkFwwWRbZGSGsFAog79kV4jt8Wa jS7WwLsLDNhfke3fnlcyJPGq3A9hR9MI+3GCy+lwSPuPz+3GB+/RoqYAtgSwchIJtRWe rcZg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697547982; x=1698152782; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=KVQ5Y3mpHXZuJtRWD67BmnhW4idpLN+oosIj7hO8HjE=; b=XQ8VrotaVETyJ7T3KwtzuFm65+CoXsj/LedRNxr18RPVI84Kn2kAQxqeJq7QOriC2s exJEmzvykBI99eazv/wPUtuNtivkBzHS14Nagj9JQzFmpLqsvVgNg21cKlL2SSQUo/wg EqMZDzR3jKBobF6/LZ255aG2Jzp5Woh1N3nPG5i25r/H9BOOrlcuqEF3mavfIuiKBiFQ 7qcxDaKyhDyTy49rf8DxKWeAzW53dAKLDz1Kd4/KVXMYIR/6aB8kmC3BXUF49CbLlTZ7 Fm8eKTrws5d54WhkZ5Mo//QJGZ6CIEhCQ0fQO4SLlu0JJk+dxG3P79awxLoLbiaVOiBe tHTg== X-Gm-Message-State: AOJu0YyzlTSQoD/Wq0OAd3/c+U2ZdxYK5Z3occfNsXHXNDxP9pA/m6uJ UQGyxgmqBo2sKshwkFUrlTE55Fb+Uu6cb7veZRXDeA== X-Received: by 2002:a05:6359:2ea3:b0:166:cae0:6e19 with SMTP id rp35-20020a0563592ea300b00166cae06e19mr2421624rwb.3.1697547981699; Tue, 17 Oct 2023 06:06:21 -0700 (PDT) Received: from mandiga.. ([2804:1b3:a7c3:7f2e:11d:92b4:4d78:4197]) by smtp.gmail.com with ESMTPSA id l28-20020a635b5c000000b0056b6d1ac949sm1309788pgm.13.2023.10.17.06.06.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Oct 2023 06:06:21 -0700 (PDT) From: Adhemerval Zanella To: libc-alpha@sourceware.org, Siddhesh Poyarekar Subject: [PATCH v2 03/19] elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries Date: Tue, 17 Oct 2023 10:05:10 -0300 Message-Id: <20231017130526.2216827-4-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231017130526.2216827-1-adhemerval.zanella@linaro.org> References: <20231017130526.2216827-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.6 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, KAM_SHORT, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+patch=linaro.org@sourceware.org The tunable privilege levels were a retrofit to try and keep the malloc tunable environment variables' behavior unchanged across security boundaries. However, CVE-2023-4911 shows how tricky can be tunable parsing in a security-sensitive environment. Not only parsing, but the malloc tunable essentially changes some semantics on setuid/setgid processes. Although it is not a direct security issue, allowing users to change setuid/setgid semantics is not a good security practice, and requires extra code and analysis to check if each tunable is safe to use on all security boundaries. It also means that security opt-in features, like aarch64 MTE, would need to be explicit enabled by an administrator with a wrapper script or with a possible future system-wide tunable setting. Co-authored-by: Siddhesh Poyarekar Reviewed-by: DJ Delorie --- elf/Makefile | 5 +- elf/dl-tunable-types.h | 10 -- elf/dl-tunables.c | 127 ++++----------- elf/dl-tunables.list | 9 -- elf/tst-env-setuid-tunables.c | 29 +++- elf/tst-tunables.c | 244 +++++++++++++++++++++++++++++ manual/README.tunables | 9 -- scripts/gen-tunables.awk | 18 +-- sysdeps/x86_64/64/dl-tunables.list | 1 - 9 files changed, 299 insertions(+), 153 deletions(-) create mode 100644 elf/tst-tunables.c diff --git a/elf/Makefile b/elf/Makefile index 9176cbf1e3..c824f7dab7 100644 --- a/elf/Makefile +++ b/elf/Makefile @@ -263,7 +263,6 @@ tests-static-normal := \ tst-dl-iter-static \ tst-dst-static \ tst-env-setuid \ - tst-env-setuid-tunables \ tst-getauxval-static \ tst-linkall-static \ tst-single_threaded-pthread-static \ @@ -276,10 +275,12 @@ tests-static-normal := \ tests-static-internal := \ tst-dl-printf-static \ tst-dl_find_object-static \ + tst-env-setuid-tunables \ tst-ptrguard1-static \ tst-stackguard1-static \ tst-tls1-static \ tst-tls1-static-non-pie \ + tst-tunables \ # tests-static-internal CRT-tst-tls1-static-non-pie := $(csu-objpfx)crt1.o @@ -2696,6 +2697,8 @@ $(objpfx)tst-glibc-hwcaps-mask.out: \ # tst-glibc-hwcaps-cache. $(objpfx)tst-glibc-hwcaps-cache.out: $(objpfx)tst-glibc-hwcaps +tst-tunables-ARGS = -- $(host-test-program-cmd) + $(objpfx)list-tunables.out: tst-rtld-list-tunables.sh $(objpfx)ld.so $(SHELL) $< $(objpfx)ld.so '$(test-wrapper-env)' \ '$(run_program_env)' > $(objpfx)/tst-rtld-list-tunables.out diff --git a/elf/dl-tunable-types.h b/elf/dl-tunable-types.h index c88332657e..62d6d9e629 100644 --- a/elf/dl-tunable-types.h +++ b/elf/dl-tunable-types.h @@ -64,16 +64,6 @@ struct _tunable tunable_val_t val; /* The value. */ bool initialized; /* Flag to indicate that the tunable is initialized. */ - tunable_seclevel_t security_level; /* Specify the security level for the - tunable with respect to AT_SECURE - programs. See description of - tunable_seclevel_t to see a - description of the values. - - Note that even if the tunable is - read, it may not get used by the - target module if the value is - considered unsafe. */ /* Compatibility elements. */ const char env_alias[TUNABLE_ALIAS_MAX]; /* The compatibility environment variable name. */ diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c index 24252af22c..a83bd2b8bc 100644 --- a/elf/dl-tunables.c +++ b/elf/dl-tunables.c @@ -154,50 +154,51 @@ __tunable_set_val (tunable_id_t id, tunable_val_t *valp, tunable_num_t *minp, do_tunable_update_val (cur, valp, minp, maxp); } -/* Parse the tunable string TUNESTR and adjust it to drop any tunables that may - be unsafe for AT_SECURE processes so that it can be used as the new - environment variable value for GLIBC_TUNABLES. VALSTRING is the original - environment variable string which we use to make NULL terminated values so - that we don't have to allocate memory again for it. */ +/* Parse the tunable string VALSTRING. VALSTRING is a duplicated values, + where delimiters ':' are replaced with '\0', so string tunables are null + terminated. */ static void -parse_tunables (char *tunestr, char *valstring) +parse_tunables (char *valstring) { - if (tunestr == NULL || *tunestr == '\0') + if (valstring == NULL || *valstring == '\0') return; - char *p = tunestr; - size_t off = 0; + char *p = valstring; + bool done = false; - while (true) + while (!done) { char *name = p; - size_t len = 0; /* First, find where the name ends. */ - while (p[len] != '=' && p[len] != ':' && p[len] != '\0') - len++; + while (*p != '=' && *p != ':' && *p != '\0') + p++; /* If we reach the end of the string before getting a valid name-value pair, bail out. */ - if (p[len] == '\0') + if (*p == '\0') break; /* We did not find a valid name-value pair before encountering the colon. */ - if (p[len]== ':') + if (*p == ':') { - p += len + 1; + p++; continue; } - p += len + 1; + /* Skip the ':' or '='. */ + p++; - /* Take the value from the valstring since we need to NULL terminate it. */ - char *value = &valstring[p - tunestr]; - len = 0; + const char *value = p; - while (p[len] != ':' && p[len] != '\0') - len++; + while (*p != ':' && *p != '\0') + p++; + + if (*p == '\0') + done = true; + else + *p++ = '\0'; /* Add the tunable if it exists. */ for (size_t i = 0; i < sizeof (tunable_list) / sizeof (tunable_t); i++) @@ -206,50 +207,11 @@ parse_tunables (char *tunestr, char *valstring) if (tunable_is_name (cur->name, name)) { - /* If we are in a secure context (AT_SECURE) then ignore the - tunable unless it is explicitly marked as secure. Tunable - values take precedence over their envvar aliases. We write - the tunables that are not SXID_ERASE back to TUNESTR, thus - dropping all SXID_ERASE tunables and any invalid or - unrecognized tunables. */ - if (__libc_enable_secure) - { - if (cur->security_level != TUNABLE_SECLEVEL_SXID_ERASE) - { - if (off > 0) - tunestr[off++] = ':'; - - const char *n = cur->name; - - while (*n != '\0') - tunestr[off++] = *n++; - - tunestr[off++] = '='; - - for (size_t j = 0; j < len; j++) - tunestr[off++] = value[j]; - } - - if (cur->security_level != TUNABLE_SECLEVEL_NONE) - break; - } - - value[len] = '\0'; tunable_initialize (cur, value); break; } } - - /* We reached the end while processing the tunable string. */ - if (p[len] == '\0') - break; - - p += len + 1; } - - /* Terminate tunestr before we leave. */ - if (__libc_enable_secure) - tunestr[off] = '\0'; } /* Initialize the tunables list from the environment. For now we only use the @@ -263,16 +225,16 @@ __tunables_init (char **envp) size_t len = 0; char **prev_envp = envp; + /* Ignore tunables for AT_SECURE programs. */ + if (__libc_enable_secure) + return; + while ((envp = get_next_env (envp, &envname, &len, &envval, &prev_envp)) != NULL) { if (tunable_is_name ("GLIBC_TUNABLES", envname)) { - char *new_env = tunables_strdup (envname); - if (new_env != NULL) - parse_tunables (new_env + len + 1, envval); - /* Put in the updated envval. */ - *prev_envp = new_env; + parse_tunables (tunables_strdup (envval)); continue; } @@ -290,39 +252,6 @@ __tunables_init (char **envp) /* We have a match. Initialize and move on to the next line. */ if (tunable_is_name (name, envname)) { - /* For AT_SECURE binaries, we need to check the security settings of - the tunable and decide whether we read the value and also whether - we erase the value so that child processes don't inherit them in - the environment. */ - if (__libc_enable_secure) - { - if (cur->security_level == TUNABLE_SECLEVEL_SXID_ERASE) - { - /* Erase the environment variable. */ - char **ep = prev_envp; - - while (*ep != NULL) - { - if (tunable_is_name (name, *ep)) - { - char **dp = ep; - - do - dp[0] = dp[1]; - while (*dp++); - } - else - ++ep; - } - /* Reset the iterator so that we read the environment again - from the point we erased. */ - envp = prev_envp; - } - - if (cur->security_level != TUNABLE_SECLEVEL_NONE) - continue; - } - tunable_initialize (cur, envval); break; } diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list index 695ba7192e..471895af7b 100644 --- a/elf/dl-tunables.list +++ b/elf/dl-tunables.list @@ -21,14 +21,6 @@ # minval: Optional minimum acceptable value # maxval: Optional maximum acceptable value # env_alias: An alias environment variable -# security_level: Specify security level of the tunable for AT_SECURE binaries. -# Valid values are: -# -# SXID_ERASE: (default) Do not read and do not pass on to -# child processes. -# SXID_IGNORE: Do not read, but retain for non-AT_SECURE -# subprocesses. -# NONE: Read all the time. glibc { malloc { @@ -158,7 +150,6 @@ glibc { type: INT_32 minval: 0 maxval: 255 - security_level: SXID_IGNORE } } diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c index 2603007b7b..ca02dbba58 100644 --- a/elf/tst-env-setuid-tunables.c +++ b/elf/tst-env-setuid-tunables.c @@ -15,14 +15,10 @@ License along with the GNU C Library; if not, see . */ -/* Verify that tunables correctly filter out unsafe tunables like - glibc.malloc.check and glibc.malloc.mmap_threshold but also retain - glibc.malloc.mmap_threshold in an unprivileged child. */ - -#define _LIBC 1 -#include "config.h" -#undef _LIBC +/* Verify that GLIBC_TUNABLES is kept unchanged but no tunable is actually + enabled for AT_SECURE processes. */ +#include #include #include #include @@ -40,7 +36,7 @@ #include #include -const char *teststrings[] = +static const char *teststrings[] = { "glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096", "glibc.malloc.check=2:glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096", @@ -74,6 +70,23 @@ test_child (int off) ret = 0; fflush (stdout); + /* Also check if the set tunables are effectively unchanged. */ + int32_t check = TUNABLE_GET_FULL (glibc, malloc, check, int32_t, NULL); + size_t mmap_threshold = TUNABLE_GET_FULL (glibc, malloc, mmap_threshold, + size_t, NULL); + int32_t perturb = TUNABLE_GET_FULL (glibc, malloc, perturb, int32_t, NULL); + + printf (" [%d] glibc.malloc.check=%d\n", off, check); + fflush (stdout); + printf (" [%d] glibc.malloc.mmap_threshold=%zu\n", off, mmap_threshold); + fflush (stdout); + printf (" [%d] glibc.malloc.perturb=%d\n", off, perturb); + fflush (stdout); + + ret |= check != 0; + ret |= mmap_threshold != 0; + ret |= perturb != 0; + return ret; } diff --git a/elf/tst-tunables.c b/elf/tst-tunables.c new file mode 100644 index 0000000000..57cf532fc4 --- /dev/null +++ b/elf/tst-tunables.c @@ -0,0 +1,244 @@ +/* Check GLIBC_TUNABLES parsing. + Copyright (C) 2023 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include +#include +#include + +static int restart; +#define CMDLINE_OPTIONS \ + { "restart", no_argument, &restart, 1 }, + +static const struct test_t +{ + const char *env; + int32_t expected_malloc_check; + size_t expected_mmap_threshold; + int32_t expected_perturb; +} tests[] = +{ + /* Expected tunable format. */ + { + "glibc.malloc.check=2", + 2, + 0, + 0, + }, + { + "glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096", + 2, + 4096, + 0, + }, + /* Empty tunable are ignored. */ + { + "glibc.malloc.check=2::glibc.malloc.mmap_threshold=4096", + 2, + 4096, + 0, + }, + /* As well empty values. */ + { + "glibc.malloc.check=:glibc.malloc.mmap_threshold=4096", + 0, + 4096, + 0, + }, + /* Tunable are processed from left to right, so last one is the one set. */ + { + "glibc.malloc.check=1:glibc.malloc.check=2", + 2, + 0, + 0, + }, + { + "glibc.malloc.check=2:glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096", + 2, + 4096, + 0, + }, + { + "glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096:glibc.malloc.check=2", + 2, + 4096, + 0, + }, + /* 0x800 is larger than tunable maxval (0xff), so the tunable is unchanged. */ + { + "glibc.malloc.perturb=0x800", + 0, + 0, + 0, + }, + { + "glibc.malloc.perturb=0x55", + 0, + 0, + 0x55, + }, + /* Out of range values are just ignored. */ + { + "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", + 0, + 4096, + 0, + }, + /* Invalid keys are ignored. */ + { + ":glibc.malloc.garbage=2:glibc.malloc.check=1", + 1, + 0, + 0, + }, + { + "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", + 0, + 4096, + 0, + }, + { + "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096", + 0, + 4096, + 0, + }, + { + "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", + 0, + 4096, + 0, + }, + /* Invalid subkeys are ignored. */ + { + "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2", + 2, + 0, + 0, + }, + { + "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096", + 0, + 0, + 0, + }, + { + "not_valid.malloc.check=2", + 0, + 0, + 0, + }, + { + "glibc.not_valid.check=2", + 0, + 0, + 0, + }, + /* An ill-formatted tunable in the for key=key=value will considere the + value as 'key=value' (which can not be parsed as an integer). */ + { + "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", + 0, + 0, + 0, + }, + /* The ill-formatted tunable is also skipped. */ + { + "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096:glibc.malloc.check=2", + 2, + 0, + 0, + }, + /* For an integer tunable, parse will stop on non number character. */ + { + "glibc.malloc.check=2=2", + 2, + 0, + 0, + }, + { + "glibc.malloc.check=2=2:glibc.malloc.mmap_threshold=4096", + 2, + 4096, + 0, + } +}; + +static int +handle_restart (int i) +{ + TEST_COMPARE (tests[i].expected_malloc_check, + TUNABLE_GET_FULL (glibc, malloc, check, int32_t, NULL)); + TEST_COMPARE (tests[i].expected_mmap_threshold, + TUNABLE_GET_FULL (glibc, malloc, mmap_threshold, size_t, NULL)); + TEST_COMPARE (tests[i].expected_perturb, + TUNABLE_GET_FULL (glibc, malloc, perturb, int32_t, NULL)); + return 0; +} + +static int +do_test (int argc, char *argv[]) +{ + /* We must have either: + - One our fource parameters left if called initially: + + path to ld.so optional + + "--library-path" optional + + the library path optional + + the application name + + the test to check */ + + TEST_VERIFY_EXIT (argc == 2 || argc == 5); + + if (restart) + return handle_restart (atoi (argv[1])); + + char nteststr[INT_BUFSIZE_BOUND (int)]; + + char *spargv[10]; + { + int i = 0; + for (; i < argc - 1; i++) + spargv[i] = argv[i + 1]; + spargv[i++] = (char *) "--direct"; + spargv[i++] = (char *) "--restart"; + spargv[i++] = nteststr; + spargv[i] = NULL; + } + + for (int i = 0; i < array_length (tests); i++) + { + snprintf (nteststr, sizeof nteststr, "%d", i); + + printf ("[%d] Spawned test for %s\n", i, tests[i].env); + setenv ("GLIBC_TUNABLES", tests[i].env, 1); + struct support_capture_subprocess result + = support_capture_subprogram (spargv[0], spargv); + support_capture_subprocess_check (&result, "tst-tunables", 0, + sc_allow_stderr); + support_capture_subprocess_free (&result); + } + + return 0; +} + +#define TEST_FUNCTION_ARGV do_test +#include diff --git a/manual/README.tunables b/manual/README.tunables index 605ddd78cd..72ae00dc02 100644 --- a/manual/README.tunables +++ b/manual/README.tunables @@ -59,15 +59,6 @@ The list of allowed attributes are: - env_alias: An alias environment variable -- security_level: Specify security level of the tunable for AT_SECURE - binaries. Valid values are: - - SXID_ERASE: (default) Do not read and do not pass on to - child processes. - SXID_IGNORE: Do not read, but retain for non-AT_SECURE - child processes. - NONE: Read all the time. - 2. Use TUNABLE_GET/TUNABLE_SET/TUNABLE_SET_WITH_BOUNDS to get and set tunables. 3. OPTIONAL: If tunables in a namespace are being used multiple times within a diff --git a/scripts/gen-tunables.awk b/scripts/gen-tunables.awk index d6de100df0..1e9d6b534e 100644 --- a/scripts/gen-tunables.awk +++ b/scripts/gen-tunables.awk @@ -61,9 +61,6 @@ $1 == "}" { if (!env_alias[top_ns,ns,tunable]) { env_alias[top_ns,ns,tunable] = "{0}" } - if (!security_level[top_ns,ns,tunable]) { - security_level[top_ns,ns,tunable] = "SXID_ERASE" - } len = length(top_ns"."ns"."tunable) if (len > max_name_len) max_name_len = len @@ -118,17 +115,6 @@ $1 == "}" { if (len > max_alias_len) max_alias_len = len } - else if (attr == "security_level") { - if (val == "SXID_ERASE" || val == "SXID_IGNORE" || val == "NONE") { - security_level[top_ns,ns,tunable] = val - } - else { - printf("Line %d: Invalid value (%s) for security_level: %s, ", NR, val, - $0) - print("Allowed values are 'SXID_ERASE', 'SXID_IGNORE', or 'NONE'") - exit 1 - } - } else if (attr == "default") { if (types[top_ns,ns,tunable] == "STRING") { default_val[top_ns,ns,tunable] = sprintf(".strval = \"%s\"", val); @@ -177,9 +163,9 @@ END { n = indices[2]; m = indices[3]; printf (" {TUNABLE_NAME_S(%s, %s, %s)", t, n, m) - printf (", {TUNABLE_TYPE_%s, %s, %s}, {%s}, false, TUNABLE_SECLEVEL_%s, %s},\n", + printf (", {TUNABLE_TYPE_%s, %s, %s}, {%s}, false, %s},\n", types[t,n,m], minvals[t,n,m], maxvals[t,n,m], - default_val[t,n,m], security_level[t,n,m], env_alias[t,n,m]); + default_val[t,n,m], env_alias[t,n,m]); } print "};" print "#endif" diff --git a/sysdeps/x86_64/64/dl-tunables.list b/sysdeps/x86_64/64/dl-tunables.list index 0aab52e662..54a216a461 100644 --- a/sysdeps/x86_64/64/dl-tunables.list +++ b/sysdeps/x86_64/64/dl-tunables.list @@ -23,7 +23,6 @@ glibc { minval: 0 maxval: 1 env_alias: LD_PREFER_MAP_32BIT_EXEC - security_level: SXID_IGNORE } } }