rtld: Add glibc.rtld.enable_secure tunable.

Add a tunable for setting __libc_enable_secure to 1. Do not set __libc_enable_secure to 0 if the tunable is set to 0. Ignore all tunables if glib.rtld.enable_secure is set. One use-case for this addition is to enable testing code paths that depend on __libc_enable_secure being set without the need to use setxid binaries. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2 years ago · 71648e8004
6 changed files with 151 additions and 0 deletions
--- a/5
+++ b/5
@ -103,6 +103,11 @@ Major new features:
  exp, expf, exp10, exp10f, exp2, exp2f, expm1, expm1f, log, logf,
  log10, log10f, log1p, log1pf, log2, log2f, sin, sinf, tan, tanf.

+* A new tunable, glibc.rtld.enable_secure, used to run a program
+  as if it were a setuid process. This is currently a testing tool to allow
+  more extensive verification tests for AT_SECURE programs and not meant to
+  be a security feature.
+
 Deprecated and removed features, and other changes affecting compatibility:

 * The ldconfig program now skips file names containing ';' or ending in
--- a/elf/Makefile
+++ b/elf/Makefile
@ -285,6 +285,7 @@ tests-static-internal := \
  tst-tls1-static \
  tst-tls1-static-non-pie \
  tst-tunables \
+  tst-tunables-enable_secure \
  # tests-static-internal

 CRT-tst-tls1-static-non-pie := $(csu-objpfx)crt1.o
@ -2681,6 +2682,7 @@ $(objpfx)tst-glibc-hwcaps-mask.out: \
 $(objpfx)tst-glibc-hwcaps-cache.out: $(objpfx)tst-glibc-hwcaps

 tst-tunables-ARGS = -- $(host-test-program-cmd)
+tst-tunables-enable_secure-ARGS = -- $(host-test-program-cmd)

 $(objpfx)list-tunables.out: tst-rtld-list-tunables.sh $(objpfx)ld.so
 	$(SHELL) $< $(objpfx)ld.so '$(test-wrapper-env)' \
--- a/elf/dl-tunables.c
+++ b/elf/dl-tunables.c
@ -223,6 +223,17 @@ parse_tunables_string (const char *valstring, struct tunable_toset_t *tunables)
 	    {
 	      tunables[ntunables++] =
 		(struct tunable_toset_t) { cur, value, p - value };
+
+	      /* Ignore tunables if enable_secure is set */
+	      if (tunable_is_name ("glibc.rtld.enable_secure", name))
+		{
+                  tunable_num_t val = (tunable_num_t) _dl_strtoul (value, NULL);
+		  if (val == 1)
+		    {
+		      __libc_enable_secure = 1;
+		      return 0;
+		    }
+		}
 	      break;
 	    }
 	}
--- a/elf/dl-tunables.list
+++ b/elf/dl-tunables.list
@ -136,6 +136,12 @@ glibc {
      minval: 0
      default: 512
    }
+    enable_secure {
+      type: INT_32
+      minval: 0
+      maxval: 1
+      default: 0
+    }
  }

  mem {
--- a/elf/tst-rtld-list-tunables.exp
+++ b/elf/tst-rtld-list-tunables.exp
@ -12,5 +12,6 @@ glibc.malloc.tcache_unsorted_limit: 0x0 (min: 0x0, max: 0x[f]+)
 glibc.malloc.top_pad: 0x20000 (min: 0x0, max: 0x[f]+)
 glibc.malloc.trim_threshold: 0x0 (min: 0x0, max: 0x[f]+)
 glibc.rtld.dynamic_sort: 2 (min: 1, max: 2)
+glibc.rtld.enable_secure: 0 (min: 0, max: 1)
 glibc.rtld.nns: 0x4 (min: 0x1, max: 0x10)
 glibc.rtld.optional_static_tls: 0x200 (min: 0x0, max: 0x[f]+)
--- a/elf/tst-tunables-enable_secure.c
+++ b/elf/tst-tunables-enable_secure.c
@ -0,0 +1,126 @@
+/* Check GLIBC_TUNABLES parsing for enable_secure.
+   Copyright (C) 2024 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <array_length.h>
+#include <dl-tunables.h>
+#include <getopt.h>
+#include <intprops.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <support/capture_subprocess.h>
+#include <support/check.h>
+#include <sys/auxv.h>
+#include <unistd.h>
+
+static int restart;
+#define CMDLINE_OPTIONS \
+  { "restart", no_argument, &restart, 1 },
+
+static const struct test_t
+{
+  const char *env;
+  int32_t expected_malloc_check;
+  int32_t expected_enable_secure;
+} tests[] =
+{
+  /* Expected tunable format.  */
+  /* Tunables should be ignored if enable_secure is set. */
+  {
+    "glibc.malloc.check=2:glibc.rtld.enable_secure=1",
+    0,
+    1,
+  },
+  /* Tunables should be ignored if enable_secure is set. */
+  {
+    "glibc.rtld.enable_secure=1:glibc.malloc.check=2",
+    0,
+    1,
+  },
+  /* Tunables should be set if enable_secure is unset. */
+  {
+    "glibc.rtld.enable_secure=0:glibc.malloc.check=2",
+    2,
+    0,
+  },
+};
+
+static int
+handle_restart (int i)
+{
+  if (tests[i].expected_enable_secure == 1)
+    {
+      TEST_COMPARE (1, __libc_enable_secure);
+    }
+  else
+    {
+      TEST_COMPARE (tests[i].expected_malloc_check,
+		    TUNABLE_GET_FULL (glibc, malloc, check, int32_t, NULL));
+      TEST_COMPARE (tests[i].expected_enable_secure,
+		    TUNABLE_GET_FULL (glibc, rtld, enable_secure, int32_t,
+		    NULL));
+    }
+  return 0;
+}
+
+static int
+do_test (int argc, char *argv[])
+{
+  /* We must have either:
+     - One or four parameters left if called initially:
+       + path to ld.so         optional
+       + "--library-path"      optional
+       + the library path      optional
+       + the application name
+       + the test to check  */
+
+  TEST_VERIFY_EXIT (argc == 2 || argc == 5);
+
+  if (restart)
+    return handle_restart (atoi (argv[1]));
+
+  char nteststr[INT_BUFSIZE_BOUND (int)];
+
+  char *spargv[10];
+  {
+    int i = 0;
+    for (; i < argc - 1; i++)
+      spargv[i] = argv[i + 1];
+    spargv[i++] = (char *) "--direct";
+    spargv[i++] = (char *) "--restart";
+    spargv[i++] = nteststr;
+    spargv[i] = NULL;
+  }
+
+  for (int i = 0; i < array_length (tests); i++)
+    {
+      snprintf (nteststr, sizeof nteststr, "%d", i);
+
+      printf ("[%d] Spawned test for %s\n", i, tests[i].env);
+      setenv ("GLIBC_TUNABLES", tests[i].env, 1);
+      struct support_capture_subprocess result
+	= support_capture_subprogram (spargv[0], spargv);
+      support_capture_subprocess_check (&result, "tst-tunables-enable_secure",
+		                        0, sc_allow_stderr);
+      support_capture_subprocess_free (&result);
+    }
+
+  return 0;
+}
+
+#define TEST_FUNCTION_ARGV do_test
+#include <support/test-driver.c>