From patchwork Tue Mar 11 17:09:56 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella X-Patchwork-Id: 872468 Delivered-To: patch@linaro.org Received: by 2002:a5d:64ce:0:b0:38f:210b:807b with SMTP id f14csp1597634wri; Tue, 11 Mar 2025 10:22:21 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVNo8XLvkjiX0sMNyhy2eQbEq2kPAHBqs6Dp5qWUd8EdXWQZdSaPVvdMbcUOhFTFXdMef+/Yg==@linaro.org X-Google-Smtp-Source: AGHT+IGb2Ekf9zcUZADEuXSYZPETuNEhphs3NxnVbDrXtkJidzR6j1Tz0sCiJpqzEMRb8Ed+CFru X-Received: by 2002:a05:6102:5491:b0:4ba:eb24:fb28 with SMTP id ada2fe7eead31-4c34d20cd1fmr4295070137.3.1741713741206; Tue, 11 Mar 2025 10:22:21 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1741713741; cv=pass; d=google.com; s=arc-20240605; b=eT0AXJmqWpqGcS/Lc/dA0Znbur7zoovgMgcX3cW7e2/CMCBfNhmQQJzVxjM8di66n2 GgOUEa8FYQAm/1hBWPGhwsV8sGuzESWR+QUAaBB86GPNxIOAv6isRrVD+2r6BH0HqYl0 UD8jv0xlWvwvdDrJ2NjFinOnscRLlv5tfsM6KnR1r0OJE8kjlYk/dUrxFI7NBEbhMwam qGu2TyvNoCFlnxwFiPytEtvdVxl42vm4F8rBkNioynkp5Izgtwhln4ZxesGCOr9iBnlT 7mAFhXNPxC3P5vKDLIOL4FezGYIl9OiIfz8qTr5uBa4OnupfPm4bHT2gDK3wm5S/jrXN /rQg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature:dkim-filter:arc-filter:dmarc-filter :delivered-to:dkim-filter; bh=+s5cxJAth6uyLy+HaCEy986tW3ABQnWgByCcGKFmVbs=; fh=KcDe9xnl32Q8s5hC3CF4r26ysVeQspjxpbjrMk+PnIQ=; b=DsudWNCCmGr/FVrCsZAO8lvxJZbg7ngvQGBc8nsoXQY8yPKHpdnXOuv4c9ZBI1zlfG qnhGvBkZN4AuNKSwZCkt1V1/D/WAjIWw6/nlSpqAFYz7qtknzppjyhQ6wgStxbFqBd5p 6dwJ+na1iN7FKTYKazrISnKtMs6emEQG095M9jXGYhvpFb3Vu0NaNxurUO1QQ4mwa4Vw YZLXftQeZUVTGa+pmdzdQMpvofZRCCeRVX9RY+/W/sreRRItnU0ig/E8rBTCcsrVjzb7 bttBPwSL/q6QdXW0wsgVQknQQNeDt1x0lzockyPptp2z3+booYTzfB40UbnslhXMAeLz MJyA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=VMCbIAry; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces~patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) smtp.mailfrom="libc-alpha-bounces~patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from server2.sourceware.org (server2.sourceware.org. [2620:52:3:1:0:246e:9693:128c]) by mx.google.com with ESMTPS id ada2fe7eead31-4c2fbcc317fsi2912961137.374.2025.03.11.10.22.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Mar 2025 10:22:21 -0700 (PDT) Received-SPF: pass (google.com: domain of libc-alpha-bounces~patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) client-ip=2620:52:3:1:0:246e:9693:128c; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=VMCbIAry; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces~patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) smtp.mailfrom="libc-alpha-bounces~patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id AB7313857734 for ; Tue, 11 Mar 2025 17:22:12 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org AB7313857734 Authentication-Results: sourceware.org; dkim=pass (2048-bit key, unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=VMCbIAry X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030]) by sourceware.org (Postfix) with ESMTPS id 99BBB3857BA7 for ; Tue, 11 Mar 2025 17:13:33 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 99BBB3857BA7 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 99BBB3857BA7 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::1030 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1741713213; cv=none; b=UYjQ4AeJcEMK0K00HzZVaXOANFfcAboRdsKVtwA242Y1WzJ4VvOkuDVmLlGXD0yaruQnKw7+MqGFc9Pi/8mgFl0z3EJcRvlOAA+uht5YW7UeTQo4ifr1T6bC81C21fsj+BGiWhM/AjuCDM/9AWp6XgS6C+NZpVinQdBnTCQs4fA= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1741713213; c=relaxed/simple; bh=ik5Um592PPq0wPxCceg9WbQPKKFfLVkmZawV6qKbXSw=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=acKx9VQ4sfd4gMZW/w9nk1jWRb2wqbHrhLyIxOs0OMgUKLfElj+JXqJvD/Le+iZjcHWleJ011ev5EQl0HfhNfHu4xgqET/91uYrHKvkN+Pz/Z6p+XyoZmM3u4aKsEjmjYNmIfyyGCaGvPbTyE+tC/lv0vEVKRnlb9SkSfieilNQ= ARC-Authentication-Results: i=1; server2.sourceware.org DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 99BBB3857BA7 Received: by mail-pj1-x1030.google.com with SMTP id 98e67ed59e1d1-2feb91a25bdso8990511a91.1 for ; Tue, 11 Mar 2025 10:13:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1741713212; x=1742318012; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=+s5cxJAth6uyLy+HaCEy986tW3ABQnWgByCcGKFmVbs=; b=VMCbIAry03PZ9BDz0uPdRQ1FkBN8wf0ocXUfHx0E0lp3PG8oS+bfcJJRQP5cD2vrpu iijJUj1+QUzSSP1y8V0bMhNwCNogu1LvyXYzKmcDTHN+DI4CxEXqyP8IILxLBws+gR2b YgLww11DkuAWmJgpmE1S/P7kmjOMaHUu+qfg9o+KZuc25CPhAdoqTtegrrZU3C7Hj6ic +l6j4c6hf75t3vDcUSX+JSVYchN7FrlTdSJY3q3QbysVP9WbkdgOYiythILxacivrGsp 2GjpWDRGjxWVT4Zd6daRA5onOtNcG0Ye193nrw8hHFpa+wHTi5v0EaWpuuTL1dFUgcm7 LW8A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1741713212; x=1742318012; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+s5cxJAth6uyLy+HaCEy986tW3ABQnWgByCcGKFmVbs=; b=w8pmKqrrxjKGC+etvvuGW2MNz1GZwnn9yv/31zZY98qsyopZpbMUx7ff9BXzTlD9aN tRJMOw3a8BdgTb+H9VcxgG1tChHDaopS3w6P39X6dLpxXIKXJIWHGnMxveRy95mkPA4O c/kCp9pNYW+bNHHbX+p0OTpTyfK0sY1yCvryuK2ydMa9LL3Vdf/F3hKDQtMDID6K+ETM b2ZYjK/ZHCSHbLhUe5L2D46+y/X8ZDvdDMQAMd5kfBk5GV6nz+E5BRlWCgq2oX1ZzjLt lH3AroTfMGJ3BXBafea/54oePYjwgjCS+VaRrJ66E0f5z4etTxKr5lnaHmpDksI5QkCs DReQ== X-Gm-Message-State: AOJu0YzvX0VWj3KQ9o+c65al7l7FCvZy4j9xMojpxJUa9oXLI97bZRm5 cV2ngc9wq/799SCbrfONnB+QdyOV/IqoePieOyM0ka54/gDI5Ovx97IhtKLC1yX1MrVjKlIGxw9 j X-Gm-Gg: ASbGncvl6cY5U+NcDx14vqAxZU5+cm5dwdGy8WWbvXBSc8UuIAsiX/t0p/7D13r1MbX bo0e+uoZ9DLD+ENVdv/tbtjiL/Cj47PqF78qQo5UoSEDPcNdaVaAIPv8YS0gyX9uTRUPfflTHs1 yzHN0kQ4sqAV9SgY990mxx5tQVpP3CPo/DRJJAHjfdotgD8y/Uw3+tQXTZvkfwjwpRikbngjFGp e+T0jZo+jD5ccnygaOM/wrBLaiScvkT/43I3EAiVs+SvU6vXYVAjU/c4Weq1lZinJ5Pt81BdZjY hRyRCRjbmGD5uI2WuWk6dQF1em+ltfRW3es+93QEfacyukvRYC+YPfU= X-Received: by 2002:a17:90b:5104:b0:2fe:85f0:e115 with SMTP id 98e67ed59e1d1-300ff34d533mr5202397a91.26.1741713212378; Tue, 11 Mar 2025 10:13:32 -0700 (PDT) Received: from mandiga.. ([2804:1b3:a7c1:1ebf:8b5:8f5b:dd39:866]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-2ff693f8804sm11438131a91.47.2025.03.11.10.13.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Mar 2025 10:13:31 -0700 (PDT) From: Adhemerval Zanella To: libc-alpha@sourceware.org Cc: Jeff Xu , Florian Weimer , "H . J . Lu" , Yury Khrustalev Subject: [PATCH v6 9/9] elf: Add glibc.rtld.seal tunable Date: Tue, 11 Mar 2025 14:09:56 -0300 Message-ID: <20250311171305.89091-10-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250311171305.89091-1-adhemerval.zanella@linaro.org> References: <20250311171305.89091-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces~patch=linaro.org@sourceware.org The new tunable can be used to disable memory sealing on the program and all its dependencies. This can be useful for debugging, patchable function entries (-fpatchable-function-entry), or profiling (-mfentry, -mnop-count, -minstrument-return) where the program might be run with or without changes to its text segment. Checked on x86_64-linux-gnu. --- NEWS | 6 ++++ elf/dl-tunables.list | 6 ++++ elf/tst-rtld-list-tunables.exp | 1 + manual/tunables.texi | 36 +++++++++++++++++++ sysdeps/unix/sysv/linux/Makefile | 27 +++++++------- sysdeps/unix/sysv/linux/dl-mseal.c | 9 +++++ sysdeps/unix/sysv/linux/tst-dl_mseal-noseal.c | 6 +++- .../unix/sysv/linux/tst-dl_mseal-skeleton.c | 3 ++ .../unix/sysv/linux/tst-dl_mseal-tunable.c | 24 +++++++++++++ 9 files changed, 103 insertions(+), 15 deletions(-) create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-tunable.c diff --git a/NEWS b/NEWS index ff241b2863..e3362158dc 100644 --- a/NEWS +++ b/NEWS @@ -26,6 +26,12 @@ Major new features: * A new configure option, "--enable-memory-sealing", can be used to build the GNU C Library libraries and programs with memory sealing. +* A new tunable, glibc.rtld.seal, can enable memory sealing on the program + and all its dependencies. The tunable accepts two different values, where + '0' disable memory sealing (even if the GNU_PROPERTY_MEMORY_SEAL attribute + is present), while '1' applies sealing accordingly to the sealing + attribute. + Deprecated and removed features, and other changes affecting compatibility: [Add deprecations, removals and changes affecting compatibility here] diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list index 0b6721bc51..43758f9755 100644 --- a/elf/dl-tunables.list +++ b/elf/dl-tunables.list @@ -141,6 +141,12 @@ glibc { maxval: 1 default: 1 } + seal { + type: INT_32 + minval: 0 + maxval: 1 + default: 1 + } } mem { diff --git a/elf/tst-rtld-list-tunables.exp b/elf/tst-rtld-list-tunables.exp index 9f5990f340..e398b9f020 100644 --- a/elf/tst-rtld-list-tunables.exp +++ b/elf/tst-rtld-list-tunables.exp @@ -16,3 +16,4 @@ glibc.rtld.enable_secure: 0 (min: 0, max: 1) glibc.rtld.execstack: 1 (min: 0, max: 1) glibc.rtld.nns: 0x4 (min: 0x1, max: 0x10) glibc.rtld.optional_static_tls: 0x200 (min: 0x0, max: 0x[f]+) +glibc.rtld.seal: 1 (min: 0, max: 1) diff --git a/manual/tunables.texi b/manual/tunables.texi index 7f0246c789..1af0956808 100644 --- a/manual/tunables.texi +++ b/manual/tunables.texi @@ -383,6 +383,42 @@ main program does not require an executable stack at loading time. This is enforced regardless of the tunable value. @end deftp +@deftp Tunable glibc.rtld.seal +Sets whether to enable memory sealing during program execution. The sealed +memory prevents further changes to the metadata associated with an ELF mapped +memory region, such as shrinking or expanding its size, mapping another +segment over a pre-existing region, or changing the memory protection flags +(check the @code{mseal} for more information). + +The sealing is done in multiple places where the memory is supposed to be +immutable over program execution: + +@itemize @bullet +@item +All shared library dependencies from the binary, including the read-only segments +after @code{PT_GNU_RELRO} setup. + +@item +The binary itself, including dynamic and static linked ones. In both cases, it is +up either to binary or the loader to set up the sealing. + +@item +Any preload libraries. + +@item +Any library loaded with @code{dlopen} with @code{RTLD_NODELETE} flag. + +@item +All audit modules and their dependencies. +@end itemize + +The tunable accepts two values: @samp{0} where sealing is disabled even if the +program has the GNU attribute @code{GNU_PROPERTY_MEMORY_SEAL} if present, +and @samp{1} where sealing is aplied accondingly to the GNU attribute existent. + +The default value of this tunable is @samp{1}. +@end deftp + @node Elision Tunables @section Elision Tunables @cindex elision tunables diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile index 2faa377fd5..9bb3eeb53e 100644 --- a/sysdeps/unix/sysv/linux/Makefile +++ b/sysdeps/unix/sysv/linux/Makefile @@ -698,6 +698,7 @@ tests += \ $(tests-static) \ tst-dl_mseal \ tst-dl_mseal-noseal \ + tst-dl_mseal-tunable \ # tests modules-names += \ @@ -713,25 +714,22 @@ modules-names += \ tst-dl_mseal-preload \ # modules-names -$(objpfx)tst-dl_mseal.out: \ +test-dl_mseal-mods = \ $(objpfx)tst-dl_mseal-auditmod.so \ - $(objpfx)tst-dl_mseal-preload.so \ - $(objpfx)tst-dl_mseal-mod-1.so \ - $(objpfx)tst-dl_mseal-mod-2.so \ - $(objpfx)tst-dl_mseal-dlopen-1.so \ $(objpfx)tst-dl_mseal-dlopen-1-1.so \ + $(objpfx)tst-dl_mseal-dlopen-1.so \ + $(objpfx)tst-dl_mseal-dlopen-2-1.so \ $(objpfx)tst-dl_mseal-dlopen-2.so \ - $(objpfx)tst-dl_mseal-dlopen-2-1.so - -$(objpfx)tst-dl_mseal-noseal.out: \ - $(objpfx)tst-dl_mseal-auditmod.so \ - $(objpfx)tst-dl_mseal-preload.so \ $(objpfx)tst-dl_mseal-mod-1.so \ $(objpfx)tst-dl_mseal-mod-2.so \ - $(objpfx)tst-dl_mseal-dlopen-1.so \ - $(objpfx)tst-dl_mseal-dlopen-1-1.so \ - $(objpfx)tst-dl_mseal-dlopen-2.so \ - $(objpfx)tst-dl_mseal-dlopen-2-1.so + $(objpfx)tst-dl_mseal-preload.so \ + # test-dl_mseal-mods + +$(objpfx)tst-dl_mseal.out: $(test-dl_mseal-mods) + +$(objpfx)tst-dl_mseal-noseal.out: $(test-dl_mseal-mods) + +$(objpfx)tst-dl_mseal-tunable.out: $(test-dl_mseal-mods) $(objpfx)tst-dl_mseal-mutable.out: \ $(objpfx)tst-dl_mseal-mutable-mod.so \ @@ -771,6 +769,7 @@ tst-dl_mseal-ARGS = -- $(host-test-program-cmd) tst-dl_mseal-static-ARGS = -- $(host-test-program-cmd) tst-dl_mseal-noseal-ARGS = -- $(host-test-program-cmd) tst-dl_mseal-static-noseal-ARGS = -- $(host-test-program-cmd) +tst-dl_mseal-tunable-ARGS = -- $(host-test-program-cmd) ifeq ($(have-pt-gnu-mutable),yes) tests-static += \ diff --git a/sysdeps/unix/sysv/linux/dl-mseal.c b/sysdeps/unix/sysv/linux/dl-mseal.c index 74ab688ef3..acdbf79f1b 100644 --- a/sysdeps/unix/sysv/linux/dl-mseal.c +++ b/sysdeps/unix/sysv/linux/dl-mseal.c @@ -22,9 +22,18 @@ #include #include +static inline bool +is_sealing_enable (void) +{ + return TUNABLE_GET (glibc, rtld, seal, int32_t, NULL) == 1; +} + void _dl_mseal (void *addr, size_t len, const char *object) { + if (__glibc_unlikely (!is_sealing_enable ())) + return; + int r = 0; bool fail = false; #if __ASSUME_MSEAL diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal-noseal.c b/sysdeps/unix/sysv/linux/tst-dl_mseal-noseal.c index 686347c86e..a1d0f077c4 100644 --- a/sysdeps/unix/sysv/linux/tst-dl_mseal-noseal.c +++ b/sysdeps/unix/sysv/linux/tst-dl_mseal-noseal.c @@ -32,6 +32,10 @@ #include "tst-dl_mseal-common.h" +#ifndef TEST_NAME +# define TEST_NAME "tst-dl_mseal-noseal" +#endif + /* Expected libraries that loader will seal. */ static const char *expected_sealed_vmas[] = { @@ -43,7 +47,7 @@ static const char *expected_non_sealed_vmas[] = { "libc.so", "ld.so", - "tst-dl_mseal-noseal", + TEST_NAME, LIB_PRELOAD, LIB_AUDIT, LIB_MODULE1, diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal-skeleton.c b/sysdeps/unix/sysv/linux/tst-dl_mseal-skeleton.c index 570a0a867d..1be341df5f 100644 --- a/sysdeps/unix/sysv/linux/tst-dl_mseal-skeleton.c +++ b/sysdeps/unix/sysv/linux/tst-dl_mseal-skeleton.c @@ -235,6 +235,9 @@ do_test (int argc, char *argv[]) #endif #ifdef LD_AUDIT (char *) "LD_AUDIT=" LD_AUDIT, +#endif +#ifdef TUNABLE_ENV_VAR + TUNABLE_ENV_VAR, #endif NULL }; diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal-tunable.c b/sysdeps/unix/sysv/linux/tst-dl_mseal-tunable.c new file mode 100644 index 0000000000..df70132cd2 --- /dev/null +++ b/sysdeps/unix/sysv/linux/tst-dl_mseal-tunable.c @@ -0,0 +1,24 @@ +/* Check glibc.rtld.seal tunable. + Copyright (C) 2025 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* Check if memory sealing is not applied if glibc.rtld.seal is set to 0. */ + +#define TUNABLE_ENV_VAR (char *)"GLIBC_TUNABLES=glibc.rtld.seal=0" + +#define TEST_NAME "tst-dl_mseal-tunable" +#include "tst-dl_mseal-noseal.c"