From patchwork Tue Jun 11 15:27:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1946403 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=JsGE+/Il; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VzCNx5LV7z20Py for ; Wed, 12 Jun 2024 01:33:05 +1000 (AEST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 0C590385DDC0 for ; Tue, 11 Jun 2024 15:33:04 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) by sourceware.org (Postfix) with ESMTPS id B94F7385842C for ; Tue, 11 Jun 2024 15:32:30 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org B94F7385842C Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org B94F7385842C Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::42e ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1718119952; cv=none; b=k9R2Adyu6HBU238SQCXbLvsuwylf4gJYl+0eyf/Kdjwm3vHFb3EIJTgt4QKCL7fKVnvlyv89k8SkHUsmKujfSuxCU1kUJWTKQK3iD9/5y2DKtRapT6v+AX6qlBDO6CzcZNVo2oSUaY1LCx7q+BffGCbaQyRQOkFHli+xANCePE0= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1718119952; c=relaxed/simple; bh=n+8m14Awi4VduS3zn8DKnXONG7DSvrKwleh5UEchu4Y=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=lWhRlAwPQORg3j8aBvhaXl4s9nwSuNNn70btLAVViJgHNje+k12YXL3L9vTa4gIiN00HlnKkW4d4Go/X2RORIEVgzXLP7HHtpEla/MehORG4FFlOaFknZKyC1KT7DtSV6z6rv8HHe4kzfIBJWcQjydfzXK3y41W7Uh1TFIH4Ymo= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pf1-x42e.google.com with SMTP id d2e1a72fcca58-70109d34a16so5390734b3a.2 for ; Tue, 11 Jun 2024 08:32:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1718119949; x=1718724749; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=XETpv7TqiryXGkw+uzXMpgeFjwLh0134lUqsLgystGM=; b=JsGE+/IlHhGHi/IR6YLoixjtlO00xkg1EVv5J+oArjPvB/xLaGwalfoDa56+4SYSJn DRGEwHhfqUe7iKNNE2pWVmsadBoszw9Ha+iFC68arYBxqysdR6IWtE4GpRhwdzVns1oF oqjitkfA+vfItf2c1uEZnKxYs1yY9J3JXm8ZLFuIbtr2tK/W8RdrEAfRBv/uAKQ/rZlS qFJA26M9DZPoFWpiR+Sd5JhbWIRj/0bfjuTd5i0+c/0niwaG81hvNj6vrjts7LlOS44q DF+eBxDiuHn+hcAafAQPu1LOLqTuppmyCyhYOf/6xVwox0gfVcw+GNvA+iaFMP2l9k7D VAUw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718119949; x=1718724749; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=XETpv7TqiryXGkw+uzXMpgeFjwLh0134lUqsLgystGM=; b=SV1wpJXmCwAFD1zIolgvZK2SHgZn8T/EElQIYLtYgAqYG7OrxjfTO2oBghWq0Aw6bo uwdk4ZPH6upE4WDjHJJkhWdORMEVIng8qfEZGiCuufiWuh6+QxB7dSEUrGpsvEZK1JfS 9uUBkkGcP7jKvDvGhtvktaY8azVeLg4ReXH6QLAWyBJ6LfemaozJsZouNlK4ni6kIulg biMHRsg+3+WckfzsBgCcaWoWA3G5iX8rohnYBCiLAIUhRbyaxxjhahIdjaIfFgY1CFTG KPpi21t7c6SCHkZlAWJzVALAsry6lpEIE3CGzVf6RBfPu5pwcUDCrlu2/0P6vps/23dN ZKXA== X-Gm-Message-State: AOJu0YykANgD/FUxGIiFF2dvt1Z8VGfFLI9GryUiRDXoUj7uR0LR802A BI4UX9/BDfkG5gLlnLxosShROybWHQ+Okh/woAV3Es0XbQeUvhR1Ep6QsBxuwtB3XdKzpX5cbPC P X-Google-Smtp-Source: AGHT+IHYScBTuAgrOz7MHa2efhaRixc6Yfk/vColesqLm1DYSXELrwzA3Xlk0sPdEAfbtwnb6ygytg== X-Received: by 2002:a05:6a00:130c:b0:702:2749:6095 with SMTP id d2e1a72fcca58-7040c619b96mr12973424b3a.6.1718119949241; Tue, 11 Jun 2024 08:32:29 -0700 (PDT) Received: from mandiga.. ([2804:1b3:a7c0:c5fb:1cf6:d480:34ef:aedf]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-70422c977dasm6023811b3a.62.2024.06.11.08.32.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jun 2024 08:32:28 -0700 (PDT) From: Adhemerval Zanella To: libc-alpha@sourceware.org Cc: Stephen Roettger , jeffxu@chromium.org, Carlos O'Donell , Florian Weimer Subject: [RFC 1/5] linux: Remove __stack_prot Date: Tue, 11 Jun 2024 12:27:04 -0300 Message-ID: <20240611153220.165430-2-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240611153220.165430-1-adhemerval.zanella@linaro.org> References: <20240611153220.165430-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.1 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org The __stack_prot is used by Linux to make the stack executable if a modules requires it. It is also marked as RELRO, which requires to change the segment permission to RW to update it. Also, there is no need to keep track of the flags: either the stack will have the default permission of the ABI or should be change to PROT_READ | PROT_WRITE | PROT_EXEC. The only additional flag, PROT_GROWSDOWN or PROT_GROWSUP, is Linux only and can be deducted from _STACK_GROWS_DOWN/_STACK_GROWS_UP. Also, the check_consistency was alredy removed some time ago. Checked on x86_64-linux-gnu and i686-linux-gnu. Reviewed-by: Florian Weimer --- elf/dl-load.c | 46 +------------------------- sysdeps/unix/sysv/linux/dl-execstack.c | 25 ++++++-------- 2 files changed, 11 insertions(+), 60 deletions(-) diff --git a/elf/dl-load.c b/elf/dl-load.c index a34cb3559c..8a89b71016 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -88,16 +88,6 @@ struct filebuf #define STRING(x) __STRING (x) -int __stack_prot attribute_hidden attribute_relro -#if _STACK_GROWS_DOWN && defined PROT_GROWSDOWN - = PROT_GROWSDOWN; -#elif _STACK_GROWS_UP && defined PROT_GROWSUP - = PROT_GROWSUP; -#else - = 0; -#endif - - /* This is the decomposed LD_LIBRARY_PATH search path. */ struct r_search_path_struct __rtld_env_path_list attribute_relro; @@ -1308,41 +1298,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, if (__glibc_unlikely ((stack_flags &~ GL(dl_stack_flags)) & PF_X)) { /* The stack is presently not executable, but this module - requires that it be executable. We must change the - protection of the variable which contains the flags used in - the mprotect calls. */ -#ifdef SHARED - if ((mode & (__RTLD_DLOPEN | __RTLD_AUDIT)) == __RTLD_DLOPEN) - { - const uintptr_t p = (uintptr_t) &__stack_prot & -GLRO(dl_pagesize); - const size_t s = (uintptr_t) (&__stack_prot + 1) - p; - - struct link_map *const m = &GL(dl_rtld_map); - const uintptr_t relro_end = ((m->l_addr + m->l_relro_addr - + m->l_relro_size) - & -GLRO(dl_pagesize)); - if (__glibc_likely (p + s <= relro_end)) - { - /* The variable lies in the region protected by RELRO. */ - if (__mprotect ((void *) p, s, PROT_READ|PROT_WRITE) < 0) - { - errstring = N_("cannot change memory protections"); - goto lose_errno; - } - __stack_prot |= PROT_READ|PROT_WRITE|PROT_EXEC; - __mprotect ((void *) p, s, PROT_READ); - } - else - __stack_prot |= PROT_READ|PROT_WRITE|PROT_EXEC; - } - else -#endif - __stack_prot |= PROT_READ|PROT_WRITE|PROT_EXEC; - -#ifdef check_consistency - check_consistency (); -#endif - + requires that it be executable. */ #if PTHREAD_IN_LIBC errval = _dl_make_stacks_executable (stack_endp); #else diff --git a/sysdeps/unix/sysv/linux/dl-execstack.c b/sysdeps/unix/sysv/linux/dl-execstack.c index 3d8f3938da..b986898598 100644 --- a/sysdeps/unix/sysv/linux/dl-execstack.c +++ b/sysdeps/unix/sysv/linux/dl-execstack.c @@ -27,35 +27,30 @@ #include #include -extern int __stack_prot attribute_relro attribute_hidden; - static int make_main_stack_executable (void **stack_endp) { /* This gives us the highest/lowest page that needs to be changed. */ uintptr_t page = ((uintptr_t) *stack_endp & -(intptr_t) GLRO(dl_pagesize)); - int result = 0; - if (__builtin_expect (__mprotect ((void *) page, GLRO(dl_pagesize), - __stack_prot) == 0, 1)) - goto return_success; - result = errno; - goto out; + if (__mprotect ((void *) page, GLRO(dl_pagesize), + PROT_READ | PROT_WRITE | PROT_EXEC +#if _STACK_GROWS_DOWN + | PROT_GROWSDOWN +#elif _STACK_GROWS_UP + | PROT_GROWSUP +#endif + ) != 0) + return errno; - return_success: /* Clear the address. */ *stack_endp = NULL; /* Remember that we changed the permission. */ GL(dl_stack_flags) |= PF_X; - out: -#ifdef check_consistency - check_consistency (); -#endif - - return result; + return 0; } int From patchwork Tue Jun 11 15:27:05 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1946404 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=ha+fCdAs; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VzCP44pw2z20Py for ; Wed, 12 Jun 2024 01:33:12 +1000 (AEST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id E9682385DDF9 for ; Tue, 11 Jun 2024 15:33:10 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com [IPv6:2607:f8b0:4864:20::52c]) by sourceware.org (Postfix) with ESMTPS id 672A2385DC1E for ; Tue, 11 Jun 2024 15:32:34 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 672A2385DC1E Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 672A2385DC1E Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::52c ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1718119961; cv=none; b=B4vBSPvSQpRe7GFyNy3A1LHyDLFfZRTvZZPpT0XQyyjxMHBbLfgucUKF8hFLC2YDJGCAMfK5XTzw/LHp5KDXNnoY9dXpeXoBeNn/97M/MEtSlzCaVZV375N+dLWlSJ5s9iMJYxn9RfU49qpkwZIYBQWPGGauqVWFdeUBkB2Mxzg= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1718119961; c=relaxed/simple; bh=GpHDJeSb1wLtcLdSiVk+B/KRqolqRS9AW/vCiDpgbDQ=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=prds6GCEmbpbU4qw1jhKg1tW85B2FKJCHIVknfiFnu3tO0hxICbwHkYxsEo5p1ByRWJEPNrp1Bwju2ZEq8pwDpWEyaNiK3P8f5HlIkuNBceH0dHj/ifr3cgRTQE66tWQWCzFZ+Ybky1TnKHWF9qjpPt+5dDOtlIL0FaX5HHl7bo= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pg1-x52c.google.com with SMTP id 41be03b00d2f7-656d8b346d2so4126116a12.2 for ; Tue, 11 Jun 2024 08:32:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1718119953; x=1718724753; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=N1v+D1g8ZSKaIZUfJUE4Yxo+l31g+Fbn6ggrUQyYnhY=; b=ha+fCdAsbp51lnDMAJ/x9+qQTuAu9AZop5JRm0SQQGEL+nol/NeVv25s7343YstFRW slWJjKiHFZY8UUMiqT3oaTYM9LU+2uJ4SSpsRL+jAO48XtKG4yexYbOJKRfDQGgZGVd+ 028jzgPYYe334JGKo81BhBYTG6pbIG/g/OSmUCd8ZqJzLK/exfoaF5+EU9WH9zuveGFq 9Bqgwav5P6NXGYooyY5wv1nfGA9BbK7kAMqSMuJJ9r7mS2dBlfw9Rel9NVt1yzP2aXMW 062ePisLn4heMYnnXA1RjzWnTUwqWO/4O3100WOm2v11925mjpuA26a5EL94Xi0Rxldc 1KcA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718119953; x=1718724753; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=N1v+D1g8ZSKaIZUfJUE4Yxo+l31g+Fbn6ggrUQyYnhY=; b=W+CXv29hC+yeDIl1ChhrwVtyLuehuaKVMgbYqw8SZJjd0qK7ynq+qlX8LYjwLLeT7v tQ8/R33r+mIdMQxum66oYf3HFI5ORXs8NOSva84jTjHxSLWiyR28VkPdmNUn8Ww2t/8z 3rcvQEfV4V5xQ5vIQki/eGKHWH7ZVvO8LbU5kjprrUNN+z7lPy7sANShEeSlwHrnS+P1 XM4R1zRfmth6PVc/8B5IdN9KPlsOECbtFZiQLqlX1p33gnxvPyU7ZoubSaSaO5VvlXZx p7clv0NQg41MSvDQJQsyrWz9v8Bgv6UKf9lj+yI85rKZWSIxInAFZF0AZS7GdSXdwDrd /IBw== X-Gm-Message-State: AOJu0YwggWCL44XfCWCSYXbgEPCCPPhTwVuiLx5NDMRiYAyCLr0bM76K 8Xbh/xs4hm20h1bu3QKsaSkghS49Z2PJ3TKI+gXuZqhlC1/0HrL92hRJ8GCxU21LyPPQV6bxMg7 q X-Google-Smtp-Source: AGHT+IHDhnx4X6dDapLu77hqGseu6G76ZaLP+wdZ3kj5TT4YTS6KE9DXIlWg9qaEOXSttFoM9/7GAg== X-Received: by 2002:a05:6a20:438d:b0:1b8:9b05:e7a5 with SMTP id adf61e73a8af0-1b89b05ec09mr1473298637.61.1718119952208; Tue, 11 Jun 2024 08:32:32 -0700 (PDT) Received: from mandiga.. ([2804:1b3:a7c0:c5fb:1cf6:d480:34ef:aedf]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-70422c977dasm6023811b3a.62.2024.06.11.08.32.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jun 2024 08:32:31 -0700 (PDT) From: Adhemerval Zanella To: libc-alpha@sourceware.org Cc: Stephen Roettger , jeffxu@chromium.org, Carlos O'Donell , Florian Weimer Subject: [RFC 2/5] linux: Add mseal syscall support Date: Tue, 11 Jun 2024 12:27:05 -0300 Message-ID: <20240611153220.165430-3-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240611153220.165430-1-adhemerval.zanella@linaro.org> References: <20240611153220.165430-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.3 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, KAM_SHORT, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org It as added on Linux 6.10 (8be7258aad44b5e25977a98db136f677fa6f4370) as way to block operations as unmaping, moving to another location, shrinking the size, expanding the size, or modifying to a pre-existent memory mapping. Although the systecall only work on 64 bit CPU, the entrypoint was added for all ABIs (since kernel might eventually implement it to additional ones and/or the abi can execute on a 64 bit kernel). Checked on x86_64-linux-gnu. --- NEWS | 4 ++ manual/memory.texi | 66 ++++++++++++++++++ sysdeps/unix/sysv/linux/Makefile | 1 + sysdeps/unix/sysv/linux/Versions | 3 + .../unix/sysv/linux/aarch64/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/aarch64/libc.abilist | 1 + sysdeps/unix/sysv/linux/alpha/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/alpha/libc.abilist | 1 + sysdeps/unix/sysv/linux/arc/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/arc/libc.abilist | 1 + sysdeps/unix/sysv/linux/arm/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/arm/be/libc.abilist | 1 + sysdeps/unix/sysv/linux/arm/le/libc.abilist | 1 + sysdeps/unix/sysv/linux/bits/mman-shared.h | 8 +++ sysdeps/unix/sysv/linux/csky/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/csky/libc.abilist | 1 + sysdeps/unix/sysv/linux/hppa/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/hppa/libc.abilist | 1 + sysdeps/unix/sysv/linux/i386/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/i386/libc.abilist | 1 + sysdeps/unix/sysv/linux/kernel-features.h | 8 +++ .../sysv/linux/lib-tst-dl_mseal-preload.c | 19 ++++++ .../unix/sysv/linux/loongarch/arch-syscall.h | 1 + .../sysv/linux/loongarch/lp64/libc.abilist | 1 + sysdeps/unix/sysv/linux/m68k/arch-syscall.h | 1 + .../sysv/linux/m68k/coldfire/libc.abilist | 1 + .../unix/sysv/linux/m68k/m680x0/libc.abilist | 1 + .../unix/sysv/linux/microblaze/arch-syscall.h | 1 + .../sysv/linux/microblaze/be/libc.abilist | 1 + .../sysv/linux/microblaze/le/libc.abilist | 1 + .../sysv/linux/mips/mips32/arch-syscall.h | 1 + .../sysv/linux/mips/mips32/fpu/libc.abilist | 1 + .../sysv/linux/mips/mips64/n32/arch-syscall.h | 1 + .../sysv/linux/mips/mips64/n32/libc.abilist | 1 + .../sysv/linux/mips/mips64/n64/arch-syscall.h | 1 + .../sysv/linux/mips/mips64/n64/libc.abilist | 1 + sysdeps/unix/sysv/linux/nios2/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/nios2/libc.abilist | 1 + sysdeps/unix/sysv/linux/or1k/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/or1k/libc.abilist | 1 + .../linux/powerpc/powerpc32/arch-syscall.h | 1 + .../linux/powerpc/powerpc32/fpu/libc.abilist | 1 + .../powerpc/powerpc32/nofpu/libc.abilist | 1 + .../linux/powerpc/powerpc64/arch-syscall.h | 1 + .../linux/powerpc/powerpc64/be/libc.abilist | 1 + .../linux/powerpc/powerpc64/le/libc.abilist | 1 + .../unix/sysv/linux/riscv/rv32/arch-syscall.h | 1 + .../unix/sysv/linux/riscv/rv32/libc.abilist | 1 + .../unix/sysv/linux/riscv/rv64/arch-syscall.h | 1 + .../unix/sysv/linux/riscv/rv64/libc.abilist | 1 + .../sysv/linux/s390/s390-32/arch-syscall.h | 1 + .../unix/sysv/linux/s390/s390-32/libc.abilist | 1 + .../sysv/linux/s390/s390-64/arch-syscall.h | 1 + .../unix/sysv/linux/s390/s390-64/libc.abilist | 1 + sysdeps/unix/sysv/linux/sh/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/sh/be/libc.abilist | 1 + sysdeps/unix/sysv/linux/sh/le/libc.abilist | 1 + .../sysv/linux/sparc/sparc32/arch-syscall.h | 1 + .../sysv/linux/sparc/sparc32/libc.abilist | 1 + .../sysv/linux/sparc/sparc64/arch-syscall.h | 1 + .../sysv/linux/sparc/sparc64/libc.abilist | 1 + sysdeps/unix/sysv/linux/syscall-names.list | 1 + sysdeps/unix/sysv/linux/syscalls.list | 1 + sysdeps/unix/sysv/linux/tst-mseal.c | 67 +++++++++++++++++++ .../unix/sysv/linux/x86_64/64/arch-syscall.h | 1 + .../unix/sysv/linux/x86_64/64/libc.abilist | 1 + .../unix/sysv/linux/x86_64/x32/arch-syscall.h | 1 + .../unix/sysv/linux/x86_64/x32/libc.abilist | 1 + 68 files changed, 236 insertions(+) create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-preload.c create mode 100644 sysdeps/unix/sysv/linux/tst-mseal.c diff --git a/NEWS b/NEWS index 20e263f581..c78a3fd2f7 100644 --- a/NEWS +++ b/NEWS @@ -36,6 +36,10 @@ Major new features: * On Linux, update epoll header to include epoll ioctl definitions and related structure added in Linux kernel 6.9. +* On Linux, the mseal function has been added. It allows to seal memory + mappings to avoid further change during process execution such as protection + permissions, unmapping, moving to another location, or shrinking the size. + Deprecated and removed features, and other changes affecting compatibility: * Architectures which use a 32-bit seconds-since-epoch field in struct diff --git a/manual/memory.texi b/manual/memory.texi index 3710d7ec66..0c1b9fc7c2 100644 --- a/manual/memory.texi +++ b/manual/memory.texi @@ -3072,6 +3072,72 @@ process memory, no matter how it was allocated. However, portable use of the function requires that it is only used with memory regions returned by @code{mmap} or @code{mmap64}. +@deftypefun int mseal (void *@var{address}, size_t @var{length}, unsigned long @var{flags}) +@standards{Linux, sys/mman.h} +@safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}} + +A successful call to the @code {mseal} function seals the memory range of +@var{length} bytes, starting at @var{address}. The sealed memory is +protection against further modifictions such as: + +@itemize @bullet +@item +Unmapping, moving to another location, extending or shrinking the size, +via @code{munmap} and @code{mremap}. + +@item +Moving or expanding a different VMA into the current location, via +@code{mremap}. + +@item +Modifying the memory range with @code{mmap} along with flag @code{MAP_FIXED}. + +@item +Expanding the size with @code{mremap}. + +@item +Change the protection flags with @code{mprotect} or @code{pkey_mprotect}. + +@item +Destructive behaviors on anonymous memory, such as @code{madvice} with +@code{MADV_DONTNEED}. +@end itemize + +The @var{address} must be an allocated virtual memory done by @code{mmap} +or @code{mremap}, and it must be page aligned. The end address (@var{address} +plus @var{length}) must be within an allocated virtual memory range. There +should be no unallocated memory between the start and end of address range. + +The @var{flags} is currently ununsed. + +The @code{mseal} function returns @math{0} on sucess and @math{-1} on +failure. + +The following @code{errno} error conditions are defined for this +function: + +@table @code +@item EPERM +The system blocked the operation, and the given address is unmodified +without partion update. This error is also returned when @code{mseal} +is issued on a 32 bit CPUs (the sealing is currently supported only on +64-bit CPUs, although 32 bit binaries running on 64 bit kernel is +supported). + +@item ENOMEM +Either the @var{address} is not allocated, or the end address is not +allocation, or there is an unallocated memory between start and end address. + +@item ENOSYS +The kernel does not support the @code{mseal} syscall. + +@strong{NB:} The memory sealing changes the lifetime of a mapping, where the +sealing memory could not be unmapped until the process terminates or starts +another one through @code{execve} function. + +@end table +@end deftypefun + @subsection Memory Protection Keys @cindex memory protection key diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile index ae66590e91..82d523e588 100644 --- a/sysdeps/unix/sysv/linux/Makefile +++ b/sysdeps/unix/sysv/linux/Makefile @@ -210,6 +210,7 @@ tests += \ tst-misalign-clone \ tst-mlock2 \ tst-mount \ + tst-mseal \ tst-ntp_adjtime \ tst-ntp_gettime \ tst-ntp_gettimex \ diff --git a/sysdeps/unix/sysv/linux/Versions b/sysdeps/unix/sysv/linux/Versions index 268ba1b6ac..630ef354ef 100644 --- a/sysdeps/unix/sysv/linux/Versions +++ b/sysdeps/unix/sysv/linux/Versions @@ -328,6 +328,9 @@ libc { posix_spawnattr_getcgroup_np; posix_spawnattr_setcgroup_np; } + GLIBC_2.40 { + mseal; + } GLIBC_PRIVATE { # functions used in other libraries __syscall_rt_sigqueueinfo; diff --git a/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h b/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h index 7ee8a2167a..19b6316cb6 100644 --- a/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h @@ -158,6 +158,7 @@ #define __NR_mq_timedsend 182 #define __NR_mq_unlink 181 #define __NR_mremap 216 +#define __NR_mseal 462 #define __NR_msgctl 187 #define __NR_msgget 186 #define __NR_msgrcv 188 diff --git a/sysdeps/unix/sysv/linux/aarch64/libc.abilist b/sysdeps/unix/sysv/linux/aarch64/libc.abilist index 68eeca1c08..f6cfbc14cd 100644 --- a/sysdeps/unix/sysv/linux/aarch64/libc.abilist +++ b/sysdeps/unix/sysv/linux/aarch64/libc.abilist @@ -2748,3 +2748,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F GLIBC_2.39 stdc_trailing_zeros_ul F GLIBC_2.39 stdc_trailing_zeros_ull F GLIBC_2.39 stdc_trailing_zeros_us F +GLIBC_2.40 mseal F diff --git a/sysdeps/unix/sysv/linux/alpha/arch-syscall.h b/sysdeps/unix/sysv/linux/alpha/arch-syscall.h index 0f4ea7670b..2e7307f415 100644 --- a/sysdeps/unix/sysv/linux/alpha/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/alpha/arch-syscall.h @@ -190,6 +190,7 @@ #define __NR_mq_unlink 433 #define __NR_mremap 341 #define __NR_msgctl 200 +#define __NR_mseal 572 #define __NR_msgget 201 #define __NR_msgrcv 202 #define __NR_msgsnd 203 diff --git a/sysdeps/unix/sysv/linux/alpha/libc.abilist b/sysdeps/unix/sysv/linux/alpha/libc.abilist index 34c187b721..bc0bd9495f 100644 --- a/sysdeps/unix/sysv/linux/alpha/libc.abilist +++ b/sysdeps/unix/sysv/linux/alpha/libc.abilist @@ -3095,6 +3095,7 @@ GLIBC_2.4 wcstold F GLIBC_2.4 wcstold_l F GLIBC_2.4 wprintf F GLIBC_2.4 wscanf F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/arc/arch-syscall.h b/sysdeps/unix/sysv/linux/arc/arch-syscall.h index 90359482a8..ea581b0a6d 100644 --- a/sysdeps/unix/sysv/linux/arc/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/arc/arch-syscall.h @@ -161,6 +161,7 @@ #define __NR_mq_timedsend_time64 418 #define __NR_mq_unlink 181 #define __NR_mremap 216 +#define __NR_mseal 462 #define __NR_msgctl 187 #define __NR_msgget 186 #define __NR_msgrcv 188 diff --git a/sysdeps/unix/sysv/linux/arc/libc.abilist b/sysdeps/unix/sysv/linux/arc/libc.abilist index 916c18ea94..2816895ad5 100644 --- a/sysdeps/unix/sysv/linux/arc/libc.abilist +++ b/sysdeps/unix/sysv/linux/arc/libc.abilist @@ -2509,3 +2509,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F GLIBC_2.39 stdc_trailing_zeros_ul F GLIBC_2.39 stdc_trailing_zeros_ull F GLIBC_2.39 stdc_trailing_zeros_us F +GLIBC_2.40 mseal F diff --git a/sysdeps/unix/sysv/linux/arm/arch-syscall.h b/sysdeps/unix/sysv/linux/arm/arch-syscall.h index 4930167a03..2809f52f94 100644 --- a/sysdeps/unix/sysv/linux/arm/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/arm/arch-syscall.h @@ -205,6 +205,7 @@ #define __NR_mq_timedsend_time64 418 #define __NR_mq_unlink 275 #define __NR_mremap 163 +#define __NR_mseal 462 #define __NR_msgctl 304 #define __NR_msgget 303 #define __NR_msgrcv 302 diff --git a/sysdeps/unix/sysv/linux/arm/be/libc.abilist b/sysdeps/unix/sysv/linux/arm/be/libc.abilist index ea95de282a..24e3274c0d 100644 --- a/sysdeps/unix/sysv/linux/arm/be/libc.abilist +++ b/sysdeps/unix/sysv/linux/arm/be/libc.abilist @@ -2801,6 +2801,7 @@ GLIBC_2.4 xdrstdio_create F GLIBC_2.4 xencrypt F GLIBC_2.4 xprt_register F GLIBC_2.4 xprt_unregister F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/arm/le/libc.abilist b/sysdeps/unix/sysv/linux/arm/le/libc.abilist index 1cdbc983e1..350245f608 100644 --- a/sysdeps/unix/sysv/linux/arm/le/libc.abilist +++ b/sysdeps/unix/sysv/linux/arm/le/libc.abilist @@ -2798,6 +2798,7 @@ GLIBC_2.4 xdrstdio_create F GLIBC_2.4 xencrypt F GLIBC_2.4 xprt_register F GLIBC_2.4 xprt_unregister F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/bits/mman-shared.h b/sysdeps/unix/sysv/linux/bits/mman-shared.h index d8ed4436b6..2681218cf9 100644 --- a/sysdeps/unix/sysv/linux/bits/mman-shared.h +++ b/sysdeps/unix/sysv/linux/bits/mman-shared.h @@ -80,6 +80,14 @@ int pkey_free (int __key) __THROW; range. */ int pkey_mprotect (void *__addr, size_t __len, int __prot, int __pkey) __THROW; +/* Seal the address range to avoid further modifications, such as remmap to + shrink or expand the VMA, change protection permission with mprotect, + unmap with munmap, destructive semantic such madvise with MADV_DONTNEED. + The address range must be valid VMA, withouth any gap (unallocated memory) + between start and end, and ADDR much be page aligned (LEN will be page + aligned implicitly). */ +int mseal (void *__addr, size_t __len, unsigned long flags) __THROW; + __END_DECLS #endif /* __USE_GNU */ diff --git a/sysdeps/unix/sysv/linux/csky/arch-syscall.h b/sysdeps/unix/sysv/linux/csky/arch-syscall.h index 3f16a29f57..a3cf859ca1 100644 --- a/sysdeps/unix/sysv/linux/csky/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/csky/arch-syscall.h @@ -168,6 +168,7 @@ #define __NR_mq_timedsend_time64 418 #define __NR_mq_unlink 181 #define __NR_mremap 216 +#define __NR_mseal 462 #define __NR_msgctl 187 #define __NR_msgget 186 #define __NR_msgrcv 188 diff --git a/sysdeps/unix/sysv/linux/csky/libc.abilist b/sysdeps/unix/sysv/linux/csky/libc.abilist index 96d45961e2..a6dd304b20 100644 --- a/sysdeps/unix/sysv/linux/csky/libc.abilist +++ b/sysdeps/unix/sysv/linux/csky/libc.abilist @@ -2785,3 +2785,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F GLIBC_2.39 stdc_trailing_zeros_ul F GLIBC_2.39 stdc_trailing_zeros_ull F GLIBC_2.39 stdc_trailing_zeros_us F +GLIBC_2.40 mseal F diff --git a/sysdeps/unix/sysv/linux/hppa/arch-syscall.h b/sysdeps/unix/sysv/linux/hppa/arch-syscall.h index a1b2c819d6..08b153f2cc 100644 --- a/sysdeps/unix/sysv/linux/hppa/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/hppa/arch-syscall.h @@ -197,6 +197,7 @@ #define __NR_mq_timedsend_time64 418 #define __NR_mq_unlink 230 #define __NR_mremap 163 +#define __NR_mseal 462 #define __NR_msgctl 191 #define __NR_msgget 190 #define __NR_msgrcv 189 diff --git a/sysdeps/unix/sysv/linux/hppa/libc.abilist b/sysdeps/unix/sysv/linux/hppa/libc.abilist index fbcd60c2b3..f7b08ae0b0 100644 --- a/sysdeps/unix/sysv/linux/hppa/libc.abilist +++ b/sysdeps/unix/sysv/linux/hppa/libc.abilist @@ -2821,6 +2821,7 @@ GLIBC_2.4 sys_errlist D 0x400 GLIBC_2.4 sys_nerr D 0x4 GLIBC_2.4 unlinkat F GLIBC_2.4 unshare F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/i386/arch-syscall.h b/sysdeps/unix/sysv/linux/i386/arch-syscall.h index cc775432d6..500ca1ec70 100644 --- a/sysdeps/unix/sysv/linux/i386/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/i386/arch-syscall.h @@ -222,6 +222,7 @@ #define __NR_mq_timedsend_time64 418 #define __NR_mq_unlink 278 #define __NR_mremap 163 +#define __NR_mseal 462 #define __NR_msgctl 402 #define __NR_msgget 399 #define __NR_msgrcv 401 diff --git a/sysdeps/unix/sysv/linux/i386/libc.abilist b/sysdeps/unix/sysv/linux/i386/libc.abilist index c989b433c0..167c737a71 100644 --- a/sysdeps/unix/sysv/linux/i386/libc.abilist +++ b/sysdeps/unix/sysv/linux/i386/libc.abilist @@ -3005,6 +3005,7 @@ GLIBC_2.4 sys_errlist D 0x210 GLIBC_2.4 sys_nerr D 0x4 GLIBC_2.4 unlinkat F GLIBC_2.4 unshare F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/kernel-features.h b/sysdeps/unix/sysv/linux/kernel-features.h index a25cf07e9f..b9038d18bf 100644 --- a/sysdeps/unix/sysv/linux/kernel-features.h +++ b/sysdeps/unix/sysv/linux/kernel-features.h @@ -257,4 +257,12 @@ # define __ASSUME_FCHMODAT2 0 #endif +/* The mseal system call was introduced across all architectures in Linux 6.10 + (although only supported on 64-bit CPUs). */ +#if __LINUX_KERNEL_VERSION >= 0x060A00 +# define __ASSUME_MSEAL 1 +#else +# define __ASSUME_MSEAL 0 +#endif + #endif /* kernel-features.h */ diff --git a/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-preload.c b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-preload.c new file mode 100644 index 0000000000..7831608dd4 --- /dev/null +++ b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-preload.c @@ -0,0 +1,19 @@ +/* Additional module for tst-dl_mseal test. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +int foo (void) { return 42; } diff --git a/sysdeps/unix/sysv/linux/loongarch/arch-syscall.h b/sysdeps/unix/sysv/linux/loongarch/arch-syscall.h index 56bb08718a..8bb82448a7 100644 --- a/sysdeps/unix/sysv/linux/loongarch/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/loongarch/arch-syscall.h @@ -155,6 +155,7 @@ #define __NR_mq_timedsend 182 #define __NR_mq_unlink 181 #define __NR_mremap 216 +#define __NR_mseal 462 #define __NR_msgctl 187 #define __NR_msgget 186 #define __NR_msgrcv 188 diff --git a/sysdeps/unix/sysv/linux/loongarch/lp64/libc.abilist b/sysdeps/unix/sysv/linux/loongarch/lp64/libc.abilist index 0023ec1fa1..ab318c048d 100644 --- a/sysdeps/unix/sysv/linux/loongarch/lp64/libc.abilist +++ b/sysdeps/unix/sysv/linux/loongarch/lp64/libc.abilist @@ -2269,3 +2269,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F GLIBC_2.39 stdc_trailing_zeros_ul F GLIBC_2.39 stdc_trailing_zeros_ull F GLIBC_2.39 stdc_trailing_zeros_us F +GLIBC_2.40 mseal F diff --git a/sysdeps/unix/sysv/linux/m68k/arch-syscall.h b/sysdeps/unix/sysv/linux/m68k/arch-syscall.h index 79f277dd5b..4ab34f6228 100644 --- a/sysdeps/unix/sysv/linux/m68k/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/m68k/arch-syscall.h @@ -213,6 +213,7 @@ #define __NR_mq_timedsend_time64 418 #define __NR_mq_unlink 272 #define __NR_mremap 163 +#define __NR_mseal 462 #define __NR_msgctl 402 #define __NR_msgget 399 #define __NR_msgrcv 401 diff --git a/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist b/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist index d9bd6a9b56..e33bfb73c8 100644 --- a/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist +++ b/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist @@ -2781,6 +2781,7 @@ GLIBC_2.4 xdrstdio_create F GLIBC_2.4 xencrypt F GLIBC_2.4 xprt_register F GLIBC_2.4 xprt_unregister F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist b/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist index 439796d693..8d090c3ff8 100644 --- a/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist +++ b/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist @@ -2948,6 +2948,7 @@ GLIBC_2.4 sys_errlist D 0x210 GLIBC_2.4 sys_nerr D 0x4 GLIBC_2.4 unlinkat F GLIBC_2.4 unshare F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h b/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h index 779d5d5d70..79e225e50c 100644 --- a/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h @@ -221,6 +221,7 @@ #define __NR_mq_timedsend_time64 418 #define __NR_mq_unlink 278 #define __NR_mremap 163 +#define __NR_mseal 462 #define __NR_msgctl 331 #define __NR_msgget 332 #define __NR_msgrcv 333 diff --git a/sysdeps/unix/sysv/linux/microblaze/be/libc.abilist b/sysdeps/unix/sysv/linux/microblaze/be/libc.abilist index 1069d3252c..6545169f82 100644 --- a/sysdeps/unix/sysv/linux/microblaze/be/libc.abilist +++ b/sysdeps/unix/sysv/linux/microblaze/be/libc.abilist @@ -2834,3 +2834,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F GLIBC_2.39 stdc_trailing_zeros_ul F GLIBC_2.39 stdc_trailing_zeros_ull F GLIBC_2.39 stdc_trailing_zeros_us F +GLIBC_2.40 mseal F diff --git a/sysdeps/unix/sysv/linux/microblaze/le/libc.abilist b/sysdeps/unix/sysv/linux/microblaze/le/libc.abilist index 17abe08c8b..6f374884ab 100644 --- a/sysdeps/unix/sysv/linux/microblaze/le/libc.abilist +++ b/sysdeps/unix/sysv/linux/microblaze/le/libc.abilist @@ -2831,3 +2831,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F GLIBC_2.39 stdc_trailing_zeros_ul F GLIBC_2.39 stdc_trailing_zeros_ull F GLIBC_2.39 stdc_trailing_zeros_us F +GLIBC_2.40 mseal F diff --git a/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h b/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h index 86ffd5ce84..dadd7f3130 100644 --- a/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h @@ -211,6 +211,7 @@ #define __NR_mq_timedsend_time64 4418 #define __NR_mq_unlink 4272 #define __NR_mremap 4167 +#define __NR_mseal 4462 #define __NR_msgctl 4402 #define __NR_msgget 4399 #define __NR_msgrcv 4401 diff --git a/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist b/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist index 799e508950..259a51bc7d 100644 --- a/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist +++ b/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist @@ -2909,6 +2909,7 @@ GLIBC_2.4 renameat F GLIBC_2.4 symlinkat F GLIBC_2.4 unlinkat F GLIBC_2.4 unshare F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h b/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h index 5d37a686e5..db6b2d4609 100644 --- a/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h @@ -194,6 +194,7 @@ #define __NR_mq_timedsend_time64 6418 #define __NR_mq_unlink 6235 #define __NR_mremap 6024 +#define __NR_mseal 6462 #define __NR_msgctl 6069 #define __NR_msgget 6066 #define __NR_msgrcv 6068 diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist b/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist index 03d9655f26..499b5c041c 100644 --- a/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist +++ b/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist @@ -2915,6 +2915,7 @@ GLIBC_2.4 renameat F GLIBC_2.4 symlinkat F GLIBC_2.4 unlinkat F GLIBC_2.4 unshare F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h b/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h index 9b1e846e76..b4129a4dbd 100644 --- a/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h @@ -183,6 +183,7 @@ #define __NR_mq_timedsend 5232 #define __NR_mq_unlink 5231 #define __NR_mremap 5024 +#define __NR_mseal 5462 #define __NR_msgctl 5069 #define __NR_msgget 5066 #define __NR_msgrcv 5068 diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist b/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist index 05e402ed30..37cf43b991 100644 --- a/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist +++ b/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist @@ -2817,6 +2817,7 @@ GLIBC_2.4 renameat F GLIBC_2.4 symlinkat F GLIBC_2.4 unlinkat F GLIBC_2.4 unshare F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/nios2/arch-syscall.h b/sysdeps/unix/sysv/linux/nios2/arch-syscall.h index abbc9ab6b0..f94e212995 100644 --- a/sysdeps/unix/sysv/linux/nios2/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/nios2/arch-syscall.h @@ -167,6 +167,7 @@ #define __NR_mq_timedsend_time64 418 #define __NR_mq_unlink 181 #define __NR_mremap 216 +#define __NR_mseal 462 #define __NR_msgctl 187 #define __NR_msgget 186 #define __NR_msgrcv 188 diff --git a/sysdeps/unix/sysv/linux/nios2/libc.abilist b/sysdeps/unix/sysv/linux/nios2/libc.abilist index 3aa81766aa..3bf42b6380 100644 --- a/sysdeps/unix/sysv/linux/nios2/libc.abilist +++ b/sysdeps/unix/sysv/linux/nios2/libc.abilist @@ -2873,3 +2873,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F GLIBC_2.39 stdc_trailing_zeros_ul F GLIBC_2.39 stdc_trailing_zeros_ull F GLIBC_2.39 stdc_trailing_zeros_us F +GLIBC_2.40 mseal F diff --git a/sysdeps/unix/sysv/linux/or1k/arch-syscall.h b/sysdeps/unix/sysv/linux/or1k/arch-syscall.h index 7223a93673..2d21fa2085 100644 --- a/sysdeps/unix/sysv/linux/or1k/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/or1k/arch-syscall.h @@ -167,6 +167,7 @@ #define __NR_mq_timedsend_time64 418 #define __NR_mq_unlink 181 #define __NR_mremap 216 +#define __NR_mseal 462 #define __NR_msgctl 187 #define __NR_msgget 186 #define __NR_msgrcv 188 diff --git a/sysdeps/unix/sysv/linux/or1k/libc.abilist b/sysdeps/unix/sysv/linux/or1k/libc.abilist index 959e59e7e7..7c99f24f13 100644 --- a/sysdeps/unix/sysv/linux/or1k/libc.abilist +++ b/sysdeps/unix/sysv/linux/or1k/libc.abilist @@ -2257,5 +2257,6 @@ GLIBC_2.39 stdc_trailing_zeros_ull F GLIBC_2.39 stdc_trailing_zeros_us F GLIBC_2.40 getcontext F GLIBC_2.40 makecontext F +GLIBC_2.40 mseal F GLIBC_2.40 setcontext F GLIBC_2.40 swapcontext F diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h b/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h index af0d2b121e..206d9fd656 100644 --- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h @@ -211,6 +211,7 @@ #define __NR_mq_timedsend_time64 418 #define __NR_mq_unlink 263 #define __NR_mremap 163 +#define __NR_mseal 462 #define __NR_msgctl 402 #define __NR_msgget 399 #define __NR_msgrcv 401 diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist index 9714305608..0661b5f037 100644 --- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist +++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist @@ -3138,6 +3138,7 @@ GLIBC_2.4 wcstold F GLIBC_2.4 wcstold_l F GLIBC_2.4 wprintf F GLIBC_2.4 wscanf F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist index 0beb52c542..f1ad793e64 100644 --- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist +++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist @@ -3183,6 +3183,7 @@ GLIBC_2.4 wcstold F GLIBC_2.4 wcstold_l F GLIBC_2.4 wprintf F GLIBC_2.4 wscanf F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h b/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h index a4c70aa7fe..19f72a7f69 100644 --- a/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h @@ -195,6 +195,7 @@ #define __NR_mq_timedsend 264 #define __NR_mq_unlink 263 #define __NR_mremap 163 +#define __NR_mseal 462 #define __NR_msgctl 402 #define __NR_msgget 399 #define __NR_msgrcv 401 diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc64/be/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc64/be/libc.abilist index cfc2ebd3ec..3435f0dde7 100644 --- a/sysdeps/unix/sysv/linux/powerpc/powerpc64/be/libc.abilist +++ b/sysdeps/unix/sysv/linux/powerpc/powerpc64/be/libc.abilist @@ -2892,6 +2892,7 @@ GLIBC_2.4 wcstold F GLIBC_2.4 wcstold_l F GLIBC_2.4 wprintf F GLIBC_2.4 wscanf F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc64/le/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc64/le/libc.abilist index 8c9efc5a16..775e5ef8d4 100644 --- a/sysdeps/unix/sysv/linux/powerpc/powerpc64/le/libc.abilist +++ b/sysdeps/unix/sysv/linux/powerpc/powerpc64/le/libc.abilist @@ -2968,3 +2968,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F GLIBC_2.39 stdc_trailing_zeros_ul F GLIBC_2.39 stdc_trailing_zeros_ull F GLIBC_2.39 stdc_trailing_zeros_us F +GLIBC_2.40 mseal F diff --git a/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h b/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h index 7315d164d6..eb9e57b028 100644 --- a/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h @@ -153,6 +153,7 @@ #define __NR_mq_timedsend_time64 418 #define __NR_mq_unlink 181 #define __NR_mremap 216 +#define __NR_mseal 462 #define __NR_msgctl 187 #define __NR_msgget 186 #define __NR_msgrcv 188 diff --git a/sysdeps/unix/sysv/linux/riscv/rv32/libc.abilist b/sysdeps/unix/sysv/linux/riscv/rv32/libc.abilist index 6397a9cb91..4ac41308f4 100644 --- a/sysdeps/unix/sysv/linux/riscv/rv32/libc.abilist +++ b/sysdeps/unix/sysv/linux/riscv/rv32/libc.abilist @@ -2512,3 +2512,4 @@ GLIBC_2.39 stdc_trailing_zeros_ul F GLIBC_2.39 stdc_trailing_zeros_ull F GLIBC_2.39 stdc_trailing_zeros_us F GLIBC_2.40 __riscv_hwprobe F +GLIBC_2.40 mseal F diff --git a/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h b/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h index 31a1130db9..1eac18e582 100644 --- a/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h @@ -158,6 +158,7 @@ #define __NR_mq_timedsend 182 #define __NR_mq_unlink 181 #define __NR_mremap 216 +#define __NR_mseal 462 #define __NR_msgctl 187 #define __NR_msgget 186 #define __NR_msgrcv 188 diff --git a/sysdeps/unix/sysv/linux/riscv/rv64/libc.abilist b/sysdeps/unix/sysv/linux/riscv/rv64/libc.abilist index 71bbf94f66..2d49fd07b9 100644 --- a/sysdeps/unix/sysv/linux/riscv/rv64/libc.abilist +++ b/sysdeps/unix/sysv/linux/riscv/rv64/libc.abilist @@ -2712,3 +2712,4 @@ GLIBC_2.39 stdc_trailing_zeros_ul F GLIBC_2.39 stdc_trailing_zeros_ull F GLIBC_2.39 stdc_trailing_zeros_us F GLIBC_2.40 __riscv_hwprobe F +GLIBC_2.40 mseal F diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h b/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h index cf8569304d..464eca58b2 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h @@ -214,6 +214,7 @@ #define __NR_mq_timedsend_time64 418 #define __NR_mq_unlink 272 #define __NR_mremap 163 +#define __NR_mseal 462 #define __NR_msgctl 402 #define __NR_msgget 399 #define __NR_msgrcv 401 diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist b/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist index a7467e2850..552860dd1e 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist +++ b/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist @@ -3136,6 +3136,7 @@ GLIBC_2.4 wcstold F GLIBC_2.4 wcstold_l F GLIBC_2.4 wprintf F GLIBC_2.4 wscanf F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h b/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h index f3536ed03f..57842702fd 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h @@ -185,6 +185,7 @@ #define __NR_mq_timedsend 273 #define __NR_mq_unlink 272 #define __NR_mremap 163 +#define __NR_mseal 462 #define __NR_msgctl 402 #define __NR_msgget 399 #define __NR_msgrcv 401 diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist b/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist index fd1cb2972d..5e50b0d878 100644 --- a/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist +++ b/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist @@ -2929,6 +2929,7 @@ GLIBC_2.4 wcstold F GLIBC_2.4 wcstold_l F GLIBC_2.4 wprintf F GLIBC_2.4 wscanf F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/sh/arch-syscall.h b/sysdeps/unix/sysv/linux/sh/arch-syscall.h index 0c88bf10c7..226fbbe61d 100644 --- a/sysdeps/unix/sysv/linux/sh/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/sh/arch-syscall.h @@ -206,6 +206,7 @@ #define __NR_mq_timedsend_time64 418 #define __NR_mq_unlink 278 #define __NR_mremap 163 +#define __NR_mseal 462 #define __NR_msgctl 402 #define __NR_msgget 399 #define __NR_msgrcv 401 diff --git a/sysdeps/unix/sysv/linux/sh/be/libc.abilist b/sysdeps/unix/sysv/linux/sh/be/libc.abilist index ff6e6b1a13..090358767b 100644 --- a/sysdeps/unix/sysv/linux/sh/be/libc.abilist +++ b/sysdeps/unix/sysv/linux/sh/be/libc.abilist @@ -2828,6 +2828,7 @@ GLIBC_2.4 sys_errlist D 0x210 GLIBC_2.4 sys_nerr D 0x4 GLIBC_2.4 unlinkat F GLIBC_2.4 unshare F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/sh/le/libc.abilist b/sysdeps/unix/sysv/linux/sh/le/libc.abilist index 449d92bbc5..ea9117cc82 100644 --- a/sysdeps/unix/sysv/linux/sh/le/libc.abilist +++ b/sysdeps/unix/sysv/linux/sh/le/libc.abilist @@ -2825,6 +2825,7 @@ GLIBC_2.4 sys_errlist D 0x210 GLIBC_2.4 sys_nerr D 0x4 GLIBC_2.4 unlinkat F GLIBC_2.4 unshare F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h b/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h index 19fa614624..3bad6f102f 100644 --- a/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h @@ -211,6 +211,7 @@ #define __NR_mq_timedsend_time64 418 #define __NR_mq_unlink 274 #define __NR_mremap 250 +#define __NR_mseal 462 #define __NR_msgctl 402 #define __NR_msgget 399 #define __NR_msgrcv 401 diff --git a/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist b/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist index e615be759a..ddd9a9f435 100644 --- a/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist +++ b/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist @@ -3157,6 +3157,7 @@ GLIBC_2.4 wcstold F GLIBC_2.4 wcstold_l F GLIBC_2.4 wprintf F GLIBC_2.4 wscanf F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h b/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h index 18516f20cb..98e1437920 100644 --- a/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h @@ -192,6 +192,7 @@ #define __NR_mq_timedsend 275 #define __NR_mq_unlink 274 #define __NR_mremap 250 +#define __NR_mseal 462 #define __NR_msgctl 402 #define __NR_msgget 399 #define __NR_msgrcv 401 diff --git a/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist b/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist index bd36431dd7..a687003e75 100644 --- a/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist +++ b/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist @@ -2793,6 +2793,7 @@ GLIBC_2.4 sys_errlist D 0x430 GLIBC_2.4 sys_nerr D 0x4 GLIBC_2.4 unlinkat F GLIBC_2.4 unshare F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list index 672d39eaad..7f2e132e80 100644 --- a/sysdeps/unix/sysv/linux/syscall-names.list +++ b/sysdeps/unix/sysv/linux/syscall-names.list @@ -287,6 +287,7 @@ mq_timedsend mq_timedsend_time64 mq_unlink mremap +mseal msgctl msgget msgrcv diff --git a/sysdeps/unix/sysv/linux/syscalls.list b/sysdeps/unix/sysv/linux/syscalls.list index 9ac42c3436..00ebceb574 100644 --- a/sysdeps/unix/sysv/linux/syscalls.list +++ b/sysdeps/unix/sysv/linux/syscalls.list @@ -39,6 +39,7 @@ mlockall - mlockall i:i mlockall mount EXTRA mount i:sssUp __mount mount mount_setattr EXTRA mount_setattr i:isUpU mount_setattr move_mount EXTRA move_mount i:isisU move_mount +mseal EXTRA mseal i:bUU __mseal mseal munlock - munlock i:aU munlock munlockall - munlockall i: munlockall nfsservctl EXTRA nfsservctl i:ipp __compat_nfsservctl nfsservctl@GLIBC_2.0:GLIBC_2.28 diff --git a/sysdeps/unix/sysv/linux/tst-mseal.c b/sysdeps/unix/sysv/linux/tst-mseal.c new file mode 100644 index 0000000000..dfed57411e --- /dev/null +++ b/sysdeps/unix/sysv/linux/tst-mseal.c @@ -0,0 +1,67 @@ +/* Basic tests for mseal. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include + +static int +do_test (void) +{ + TEST_VERIFY_EXIT (mseal (MAP_FAILED, 0, 0) == -1); + if (errno == ENOSYS) + FAIL_UNSUPPORTED ("kernel does not support mseal"); + TEST_COMPARE (errno, EINVAL); + + size_t pagesize = getpagesize (); + void *p = xmmap (NULL, 4 * pagesize, PROT_READ, + MAP_ANONYMOUS | MAP_PRIVATE, -1); + xmunmap (p + 2 * pagesize, pagesize); + + /* Unaligned address. */ + TEST_VERIFY_EXIT (mseal (p + 1, pagesize, 0) == -1); + TEST_COMPARE (errno, EINVAL); + + /* Length too big. */ + TEST_VERIFY_EXIT (mseal (p, 3 * pagesize, 0) == -1); + TEST_COMPARE (errno, ENOMEM); + + TEST_VERIFY_EXIT (mseal (p, pagesize, 0) == 0); + /* Apply the same seal should be idempotent. */ + TEST_VERIFY_EXIT (mseal (p, pagesize, 0) == 0); + + TEST_VERIFY_EXIT (mprotect (p, pagesize, PROT_WRITE) == -1); + TEST_COMPARE (errno, EPERM); + + TEST_VERIFY_EXIT (munmap (p, pagesize) == -1); + TEST_COMPARE (errno, EPERM); + + TEST_VERIFY_EXIT (mremap (p, pagesize, 2 * pagesize, 0) == MAP_FAILED); + TEST_COMPARE (errno, EPERM); + + TEST_VERIFY_EXIT (madvise (p, pagesize, MADV_DONTNEED) == -1); + TEST_COMPARE (errno, EPERM); + + xmunmap (p + pagesize, pagesize); + xmunmap (p + 3 * pagesize, pagesize); + + return 0; +} + +#include diff --git a/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h b/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h index b122216013..5d86e75dd5 100644 --- a/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h @@ -189,6 +189,7 @@ #define __NR_mq_timedsend 242 #define __NR_mq_unlink 241 #define __NR_mremap 25 +#define __NR_mseal 462 #define __NR_msgctl 71 #define __NR_msgget 68 #define __NR_msgrcv 70 diff --git a/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist b/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist index aea7848ed6..accdab4bf0 100644 --- a/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist +++ b/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist @@ -2744,6 +2744,7 @@ GLIBC_2.4 sys_errlist D 0x420 GLIBC_2.4 sys_nerr D 0x4 GLIBC_2.4 unlinkat F GLIBC_2.4 unshare F +GLIBC_2.40 mseal F GLIBC_2.5 __readlinkat_chk F GLIBC_2.5 inet6_opt_append F GLIBC_2.5 inet6_opt_find F diff --git a/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h b/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h index 3040a47d72..dce4473fbc 100644 --- a/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h +++ b/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h @@ -182,6 +182,7 @@ #define __NR_mq_timedsend 1073742066 #define __NR_mq_unlink 1073742065 #define __NR_mremap 1073741849 +#define __NR_mseal 1073742286 #define __NR_msgctl 1073741895 #define __NR_msgget 1073741892 #define __NR_msgrcv 1073741894 diff --git a/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist b/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist index 4ab3681914..dfd3eb9416 100644 --- a/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist +++ b/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist @@ -2763,3 +2763,4 @@ GLIBC_2.39 stdc_trailing_zeros_ui F GLIBC_2.39 stdc_trailing_zeros_ul F GLIBC_2.39 stdc_trailing_zeros_ull F GLIBC_2.39 stdc_trailing_zeros_us F +GLIBC_2.40 mseal F From patchwork Tue Jun 11 15:27:06 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1946407 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=GquAknuy; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VzCQ90Cqsz20Py for ; Wed, 12 Jun 2024 01:34:09 +1000 (AEST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 434D3385DDFC for ; Tue, 11 Jun 2024 15:34:07 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pf1-x436.google.com (mail-pf1-x436.google.com [IPv6:2607:f8b0:4864:20::436]) by sourceware.org (Postfix) with ESMTPS id 599E1385DDD9 for ; Tue, 11 Jun 2024 15:32:37 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 599E1385DDD9 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 599E1385DDD9 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::436 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1718119963; cv=none; b=r3j5X72HOYnjj4WAjJu5vvpLrhk6ugc/CNUNSB+LHyhbaiZE0P/GXyysl3nSq+DP89xTqSjyOROcxtpAunh1TDFeaWLICGvbPctH6GQIlfjxHMQo6DUC6k8NZT9rSy/8lYGR1qDGHOtpQjmZBQI8oLh+r4qQbpHZZvHMl25n/M4= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1718119963; c=relaxed/simple; bh=FOSC1spf49wF1WgngvCvEtFfKlj6iaGJwzLmCj1XPIk=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=faSdPWyQ3HrLrBMYa+Af0bTCP9VNf9Ianv1RBHqQdkzHLp+FH3eY36gk0bXo/opWgBo2erPiXzmLrLe5seGD9Po2+XgyIdxfOjB4Pwr4PePEUmUlexbQ8TieaM8frno0jHl/EzSpJ4zIcYGZiy8MDJGZy5OH/av1+iObPJTKAMw= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pf1-x436.google.com with SMTP id d2e1a72fcca58-70109d34a16so5390854b3a.2 for ; Tue, 11 Jun 2024 08:32:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1718119956; x=1718724756; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=A/1K8NHM4aIxmhhRBIes19ZRS9iOSarB/uNW/CP3UvA=; b=GquAknuyhEGTlZ3LkyucCSUZJzkAvUxR9umHT/VTAifIYMmC1jdUr8Icaf6e/CbNTD 5bklrDjw2Hl2uB7g3JljKhZP3brIldBCacAIIl2isMNn0BmgfxKXOQquC2HuOv39fqiq VCrUcYg3NyQtx86YRgaL14Cp81SEqpOUl0zZwaXaCYTY6SN3SSlDsnPBHjkJY6qi2VcG CkEnJFPzlJlSQzYpdNmOwRI1Z8v9PDGorfbofZRG6B+j8MqxtNf6vyGYzD3jPz/hxylz vxxS+sAuMzQf3hPKVmWmZxFq9cMkH0Gf7s+pyPoXoBp009p+fbK4TZcM+FvItHELhgia +/tQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718119956; x=1718724756; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=A/1K8NHM4aIxmhhRBIes19ZRS9iOSarB/uNW/CP3UvA=; b=Rv1fI/+JIENmI9V+8995rQEQz50VSzQRQyADfsQY74FZL/WkMdX5Uhl84FfaBOFV4g sEe0+lVJ3gQHcKjBWdxs+Vi2Gm8USiawyuEA3568NBOdBlSk7ukjOMafjYSAQlKiGmf+ rduu8u3CO8aZkJY+iS1myfUvZv1IjBTy5VUgzLbfBqnHrb4u1LV48JIARlSdaUsXQC4v M2YvPMlzJcy+bz8MkFRssRh6pbYHBrIEkmAlXhPnvHfOSixEXqjdr/7uscyJFJgQSAUV GAXf3Pk4UMZt7+Q230jB+rB7KbKrlmTRKjr7T6D8oaJQp9zBwHkdYBrtY/HFL9CxXsjC /LGA== X-Gm-Message-State: AOJu0Ywul7cZ/d+CVv7e3dSkZarczjcHcmrZpOTM++iGY7DzshKGWiyM k+C+ci3QiBBepVshewzZZGpIpz7J0Apj+bj2z9ZSluARTtC1XVUeXuybWZovCwMRG3lbWxi0Hz8 b X-Google-Smtp-Source: AGHT+IFQbTuetX+jDE0HwrXJrtCOS3KqbYPlsHD5PtQGmcVTmD/P9MpmX2/pHUqIhAPL/Zdzee9tDw== X-Received: by 2002:a05:6a20:da93:b0:1b8:5ac6:4bd3 with SMTP id adf61e73a8af0-1b85ac652dcmr4026318637.7.1718119955216; Tue, 11 Jun 2024 08:32:35 -0700 (PDT) Received: from mandiga.. ([2804:1b3:a7c0:c5fb:1cf6:d480:34ef:aedf]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-70422c977dasm6023811b3a.62.2024.06.11.08.32.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jun 2024 08:32:34 -0700 (PDT) From: Adhemerval Zanella To: libc-alpha@sourceware.org Cc: Stephen Roettger , jeffxu@chromium.org, Carlos O'Donell , Florian Weimer Subject: [RFC 3/5] elf: Add support to memory sealing Date: Tue, 11 Jun 2024 12:27:06 -0300 Message-ID: <20240611153220.165430-4-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240611153220.165430-1-adhemerval.zanella@linaro.org> References: <20240611153220.165430-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.5 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, KAM_SHORT, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org The new Linux mseal syscall allows seal memory mappings to avoid further changes such as memory protection or remap. The sealing is done in multiple places where the memory is supposed to be immutable over program execution: * All shared library dependencies from the binary, including the read-only segments after PT_GNU_RELRO setup. * The binary itself, including dynamic and static links. In both It is up either to binary or the loader to set up the sealing. * The vDSO vma provided by the kernel (if existent). * Any preload libraries. * Any library loaded with dlopen with RTLD_NODELETE flag. For binary dependencies, the RTLD_NODELETE signals the link_map should be sealed. It also makes dlopen objects with the flag sealed as well. The sealing is controlled by a new tunable, glibc.rtld.seal, with three different states: 0. Disabled where no sealing is done. This is the default. 1. Enabled, where the loader will issue the mseal syscall on the memory mappings but any failure will be ignored. This is the default. 2. Enforce, similar to Enabled but any failure from the mseal will terminate the process. Checked on x86_64-linux-gnu and aarch64-linux-gnu. --- elf/dl-load.c | 2 + elf/dl-mseal-mode.h | 29 ++ elf/dl-open.c | 4 + elf/dl-reloc.c | 49 ++++ elf/dl-support.c | 7 + elf/dl-tunables.list | 6 + elf/rtld.c | 10 +- elf/setup-vdso.h | 3 + elf/tst-rtld-list-tunables.exp | 1 + include/link.h | 6 + manual/tunables.texi | 35 +++ string/strerrorname_np.c | 1 + sysdeps/generic/dl-mseal.h | 25 ++ sysdeps/generic/ldsodefs.h | 6 + sysdeps/unix/sysv/linux/Makefile | 45 +++ sysdeps/unix/sysv/linux/dl-mseal.c | 51 ++++ sysdeps/unix/sysv/linux/dl-mseal.h | 29 ++ sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c | 19 ++ sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c | 19 ++ .../sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c | 19 ++ .../sysv/linux/lib-tst-dl_mseal-dlopen-1.c | 19 ++ .../sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c | 19 ++ .../sysv/linux/lib-tst-dl_mseal-dlopen-2.c | 19 ++ sysdeps/unix/sysv/linux/tst-dl_mseal-static.c | 2 + sysdeps/unix/sysv/linux/tst-dl_mseal.c | 267 ++++++++++++++++++ 25 files changed, 689 insertions(+), 3 deletions(-) create mode 100644 elf/dl-mseal-mode.h create mode 100644 sysdeps/generic/dl-mseal.h create mode 100644 sysdeps/unix/sysv/linux/dl-mseal.c create mode 100644 sysdeps/unix/sysv/linux/dl-mseal.h create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1.c create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-static.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal.c diff --git a/elf/dl-load.c b/elf/dl-load.c index 8a89b71016..4c2371ec46 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -1431,6 +1431,8 @@ cannot enable executable stack as shared object requires"); /* Assign the next available module ID. */ _dl_assign_tls_modid (l); + l->l_seal = mode & RTLD_NODELETE ? lt_seal_toseal : lt_seal_dont; + #ifdef DL_AFTER_LOAD DL_AFTER_LOAD (l); #endif diff --git a/elf/dl-mseal-mode.h b/elf/dl-mseal-mode.h new file mode 100644 index 0000000000..7f9ede4db7 --- /dev/null +++ b/elf/dl-mseal-mode.h @@ -0,0 +1,29 @@ +/* Memory sealing. Generic definitions. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#ifndef _DL_SEAL_MODE_H +#define _DL_SEAL_MODE_H + +enum dl_seal_mode +{ + DL_SEAL_DISABLE = 0, + DL_SEAL_ENABLE = 1, + DL_SEAL_ENFORCE = 2, +}; + +#endif diff --git a/elf/dl-open.c b/elf/dl-open.c index c378da16c0..7bd90ef069 100644 --- a/elf/dl-open.c +++ b/elf/dl-open.c @@ -837,6 +837,10 @@ dl_open_worker (void *a) if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_FILES)) _dl_debug_printf ("opening file=%s [%lu]; direct_opencount=%u\n\n", new->l_name, new->l_ns, new->l_direct_opencount); + + /* The seal flag is set only for NEW, however its dependencies could not be + unloaded and thus can also be sealed. */ + _dl_mseal_map (new, true); } void * diff --git a/elf/dl-reloc.c b/elf/dl-reloc.c index 4bf7aec88b..01f88e9003 100644 --- a/elf/dl-reloc.c +++ b/elf/dl-reloc.c @@ -28,6 +28,7 @@ #include <_itoa.h> #include #include "dynamic-link.h" +#include /* Statistics function. */ #ifdef SHARED @@ -347,6 +348,11 @@ _dl_relocate_object (struct link_map *l, struct r_scope_elem *scope[], done, do it. */ if (l->l_relro_size != 0) _dl_protect_relro (l); + + /* Seal the memory mapping after RELRO setup, we can use the PT_LOAD + segments because even if relro splits the the original RW VMA, + mseal works with multiple VMAs with different flags. */ + _dl_mseal_map (l, false); } @@ -369,6 +375,49 @@ cannot apply additional memory protection after relocation"); } } +static void +_dl_mseal_map_1 (struct link_map *l) +{ + if (l->l_seal == lt_seal_sealed) + return; + + int r = -1; + if (l->l_contiguous) + r = _dl_mseal ((void *) l->l_map_start, l->l_map_end - l->l_map_start); + else + { + const ElfW(Phdr) *ph; + for (ph = l->l_phdr; ph < &l->l_phdr[l->l_phnum]; ++ph) + switch (ph->p_type) + { + case PT_LOAD: + { + ElfW(Addr) mapstart = l->l_addr + + (ph->p_vaddr & ~(GLRO(dl_pagesize) - 1)); + ElfW(Addr) allocend = l->l_addr + ph->p_vaddr + ph->p_memsz; + r = _dl_mseal ((void *) mapstart, allocend - mapstart); + } + break; + } + } + + if (r == 0) + l->l_seal = lt_seal_sealed; +} + +void +_dl_mseal_map (struct link_map *l, bool dep) +{ + if (l->l_seal == lt_seal_dont || l->l_nodelete_pending) + return; + + if (l->l_searchlist.r_list == NULL || !dep) + _dl_mseal_map_1 (l); + else + for (unsigned int i = 0; i < l->l_searchlist.r_nlist; ++i) + _dl_mseal_map_1 (l->l_searchlist.r_list[i]); +} + void __attribute_noinline__ _dl_reloc_bad_type (struct link_map *map, unsigned int type, int plt) diff --git a/elf/dl-support.c b/elf/dl-support.c index 451932dd03..8290a380f3 100644 --- a/elf/dl-support.c +++ b/elf/dl-support.c @@ -45,6 +45,7 @@ #include #include #include +#include extern char *__progname; char **_dl_argv = &__progname; /* This is checked for some error messages. */ @@ -99,6 +100,7 @@ static struct link_map _dl_main_map = .l_used = 1, .l_tls_offset = NO_TLS_OFFSET, .l_serial = 1, + .l_seal = SUPPORT_MSEAL, }; /* Namespace information. */ @@ -340,6 +342,11 @@ _dl_non_dynamic_init (void) /* Setup relro on the binary itself. */ if (_dl_main_map.l_relro_size != 0) _dl_protect_relro (&_dl_main_map); + + /* Seal the memory mapping after RELRO setup, we can use the PT_LOAD + segments because even if relro splits the the original RW VMA, + mseal works with multiple VMAs with different flags. */ + _dl_mseal_map (&_dl_main_map, false); } #ifdef DL_SYSINFO_IMPLEMENTATION diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list index 1186272c81..bf71f648e1 100644 --- a/elf/dl-tunables.list +++ b/elf/dl-tunables.list @@ -142,6 +142,12 @@ glibc { maxval: 1 default: 0 } + seal { + type: INT_32 + minval: 0 + maxval: 2 + default: 1 + } } mem { diff --git a/elf/rtld.c b/elf/rtld.c index e9525ea987..174389e205 100644 --- a/elf/rtld.c +++ b/elf/rtld.c @@ -53,6 +53,7 @@ #include #include #include +#include #include @@ -477,6 +478,7 @@ _dl_start_final (void *arg, struct dl_start_final_info *info) GL(dl_rtld_map).l_real = &GL(dl_rtld_map); GL(dl_rtld_map).l_map_start = (ElfW(Addr)) &__ehdr_start; GL(dl_rtld_map).l_map_end = (ElfW(Addr)) _end; + GL(dl_rtld_map).l_seal = 1; /* Copy the TLS related data if necessary. */ #ifndef DONT_USE_BOOTSTRAP_MAP # if NO_TLS_OFFSET != 0 @@ -809,7 +811,8 @@ do_preload (const char *fname, struct link_map *main_map, const char *where) args.str = fname; args.loader = main_map; - args.mode = __RTLD_SECURE; + /* RTLD_NODELETE enables sealing. */ + args.mode = __RTLD_SECURE | RTLD_NODELETE; unsigned int old_nloaded = GL(dl_ns)[LM_ID_BASE]._ns_nloaded; @@ -1123,6 +1126,7 @@ rtld_setup_main_map (struct link_map *main_map) /* And it was opened directly. */ ++main_map->l_direct_opencount; main_map->l_contiguous = 1; + main_map->l_seal = 1; /* A PT_LOAD segment at an unexpected address will clear the l_contiguous flag. The ELF specification says that PT_LOAD @@ -1636,7 +1640,7 @@ dl_main (const ElfW(Phdr) *phdr, /* Create a link_map for the executable itself. This will be what dlopen on "" returns. */ main_map = _dl_new_object ((char *) "", "", lt_executable, NULL, - __RTLD_OPENEXEC, LM_ID_BASE); + __RTLD_OPENEXEC | RTLD_NODELETE, LM_ID_BASE); assert (main_map != NULL); main_map->l_phdr = phdr; main_map->l_phnum = phnum; @@ -1964,7 +1968,7 @@ dl_main (const ElfW(Phdr) *phdr, RTLD_TIMING_VAR (start); rtld_timer_start (&start); _dl_map_object_deps (main_map, preloads, npreloads, - state.mode == rtld_mode_trace, 0); + state.mode == rtld_mode_trace, RTLD_NODELETE); rtld_timer_accum (&load_time, start); } diff --git a/elf/setup-vdso.h b/elf/setup-vdso.h index 888e1e4897..f8d9c36453 100644 --- a/elf/setup-vdso.h +++ b/elf/setup-vdso.h @@ -66,6 +66,7 @@ setup_vdso (struct link_map *main_map __attribute__ ((unused)), /* The vDSO is always used. */ l->l_used = 1; + l->l_seal = lt_seal_toseal; /* Initialize l_local_scope to contain just this map. This allows the use of dl_lookup_symbol_x to resolve symbols within the vdso. @@ -104,6 +105,8 @@ setup_vdso (struct link_map *main_map __attribute__ ((unused)), if (GLRO(dl_sysinfo) == DL_SYSINFO_DEFAULT) GLRO(dl_sysinfo) = GLRO(dl_sysinfo_dso)->e_entry + l->l_addr; # endif + + _dl_mseal ((void *) l->l_map_start, l->l_map_end - l->l_map_start); } #endif } diff --git a/elf/tst-rtld-list-tunables.exp b/elf/tst-rtld-list-tunables.exp index db0e1c86e9..d40a478dd7 100644 --- a/elf/tst-rtld-list-tunables.exp +++ b/elf/tst-rtld-list-tunables.exp @@ -15,3 +15,4 @@ glibc.rtld.dynamic_sort: 2 (min: 1, max: 2) glibc.rtld.enable_secure: 0 (min: 0, max: 1) glibc.rtld.nns: 0x4 (min: 0x1, max: 0x10) glibc.rtld.optional_static_tls: 0x200 (min: 0x0, max: 0x[f]+) +glibc.rtld.seal: 1 (min: 0, max: 2) diff --git a/include/link.h b/include/link.h index cb0d7d8e2f..fd8e7f25bf 100644 --- a/include/link.h +++ b/include/link.h @@ -212,6 +212,12 @@ struct link_map unsigned int l_find_object_processed:1; /* Zero if _dl_find_object_update needs to process this lt_library map. */ + enum /* Memory sealing status. */ + { + lt_seal_dont, /* Do not seal the object. */ + lt_seal_toseal, /* The library is marked to be sealed. */ + lt_seal_sealed /* The library is sealed. */ + } l_seal:2; /* NODELETE status of the map. Only valid for maps of type lt_loaded. Lazy binding sets l_nodelete_active directly, diff --git a/manual/tunables.texi b/manual/tunables.texi index 8dd02d8149..26fba6641d 100644 --- a/manual/tunables.texi +++ b/manual/tunables.texi @@ -356,6 +356,41 @@ tests for @code{AT_SECURE} programs and not meant to be a security feature. The default value of this tunable is @samp{0}. @end deftp +@deftp Tunable glibc.rtld.seal +Sets whether to enable memory sealing during program execution. The sealed +memory prevents further changes to the maped memory region, such as shrinking +or expanding, mapping another segment over a pre-existing region, or change +the memory protection flags (check the @code{mseal} for more information). +The sealing is done in multiple places where the memory is supposed to be +immuatable over program execution: + +@itemize @bullet +@item +All shared library dependencies from the binary, including the read-only segments +after @code{PT_GNU_RELRO} setup. + +@item +The binary itself, including dynamic and static linked. In both cases it is up +either to binary or the loader to setup the sealing. + +@item +The vDSO vma provided by the kernel (if existent). + +@item +Any preload libraries. + +@item +Any library loaded with @code{dlopen} with @code{RTLD_NODELETE} flag. +@end itemize + +The tunable accepts three diferent values: @samp{0} where sealing is disabled, +@samp{1} where sealing is enabled, and @samp{2} where sealing is enforced. For +the enforced mode, if the memory can not be sealed the process terminates the +execution. + +The default value of this tunable is @samp{1}. +@end deftp + @node Elision Tunables @section Elision Tunables @cindex elision tunables diff --git a/string/strerrorname_np.c b/string/strerrorname_np.c index 042cea381c..e0e22fa79e 100644 --- a/string/strerrorname_np.c +++ b/string/strerrorname_np.c @@ -17,6 +17,7 @@ . */ #include +#include const char * strerrorname_np (int errnum) diff --git a/sysdeps/generic/dl-mseal.h b/sysdeps/generic/dl-mseal.h new file mode 100644 index 0000000000..d542fcac75 --- /dev/null +++ b/sysdeps/generic/dl-mseal.h @@ -0,0 +1,25 @@ +/* Memory sealing. Generic version. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +static inline int +_dl_mseal (void *addr, size_t len) +{ + return 0; +} + +#define SUPPORT_MSEAL lt_seal_dont diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h index 50f58a60e3..e0d46e9177 100644 --- a/sysdeps/generic/ldsodefs.h +++ b/sysdeps/generic/ldsodefs.h @@ -1017,6 +1017,12 @@ extern void _dl_relocate_object (struct link_map *map, /* Protect PT_GNU_RELRO area. */ extern void _dl_protect_relro (struct link_map *map) attribute_hidden; +/* Protect MAP with mseal. If MAP is contiguous the while region is + sealed, otherwise iterate over the phdr to seal each PT_LOAD. The DEP + specify whether to seal the dependencies as well. */ +extern void _dl_mseal_map (struct link_map *map, bool dep) + attribute_hidden; + /* Call _dl_signal_error with a message about an unhandled reloc type. TYPE is the result of ELFW(R_TYPE) (r_info), i.e. an R__* value. PLT is nonzero if this was a PLT reloc; it just affects the message. */ diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile index 82d523e588..922511b4a1 100644 --- a/sysdeps/unix/sysv/linux/Makefile +++ b/sysdeps/unix/sysv/linux/Makefile @@ -625,6 +625,10 @@ sysdep-rtld-routines += \ dl-sbrk \ # sysdep-rtld-routines +dl-routines += \ + dl-mseal \ + # dl-routines + others += \ pldd \ # others @@ -634,6 +638,47 @@ install-bin += \ # install-bin $(objpfx)pldd: $(objpfx)xmalloc.o + +tests-static += \ + tst-dl_mseal-static \ + # tests-static + +tests += \ + $(tests-static) \ + tst-dl_mseal \ + # tests + +modules-names += \ + lib-tst-dl_mseal-1 \ + lib-tst-dl_mseal-2 \ + lib-tst-dl_mseal-dlopen-1 \ + lib-tst-dl_mseal-dlopen-1-1 \ + lib-tst-dl_mseal-dlopen-2 \ + lib-tst-dl_mseal-dlopen-2-1 \ + lib-tst-dl_mseal-preload \ + # modules-names + +$(objpfx)tst-dl_mseal.out: \ + $(objpfx)lib-tst-dl_mseal-preload.so \ + $(objpfx)lib-tst-dl_mseal-1.so \ + $(objpfx)lib-tst-dl_mseal-2.so \ + $(objpfx)lib-tst-dl_mseal-dlopen-1.so \ + $(objpfx)lib-tst-dl_mseal-dlopen-1-1.so \ + $(objpfx)lib-tst-dl_mseal-dlopen-2.so \ + $(objpfx)lib-tst-dl_mseal-dlopen-2-1.so + +tst-dl_mseal-ARGS = -- $(host-test-program-cmd) +$(objpfx)tst-dl_mseal: $(objpfx)lib-tst-dl_mseal-1.so +$(objpfx)lib-tst-dl_mseal-1.so: $(objpfx)lib-tst-dl_mseal-2.so + +$(objpfx)lib-tst-dl_mseal-dlopen-1.so: $(objpfx)lib-tst-dl_mseal-dlopen-1-1.so +$(objpfx)lib-tst-dl_mseal-dlopen-2.so: $(objpfx)lib-tst-dl_mseal-dlopen-2-1.so +LDFLAGS-lib-tst-dl_mseal-dlopen-1.so = \ + -Wl,-soname,lib-tst-dl_mseal-dlopen-1.so +LDFLAGS-lib-tst-dl_mseal-dlopen-2.so = \ + -Wl,-soname,lib-tst-dl_mseal-dlopen-2.so + +tst-dl_mseal-static-ARGS = -- $(host-test-program-cmd) endif ifeq ($(subdir),rt) diff --git a/sysdeps/unix/sysv/linux/dl-mseal.c b/sysdeps/unix/sysv/linux/dl-mseal.c new file mode 100644 index 0000000000..69124b34af --- /dev/null +++ b/sysdeps/unix/sysv/linux/dl-mseal.c @@ -0,0 +1,51 @@ +/* Memory sealing. Linux version. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include + +int +_dl_mseal (void *addr, size_t len) +{ + int32_t mode = TUNABLE_GET (glibc, rtld, seal, int32_t, NULL); + if (mode == DL_SEAL_DISABLE) + return 0; + + int r; +#if __ASSUME_MSEAL + r = INTERNAL_SYSCALL_CALL (mseal, addr, len, 0); +#else + r = -ENOSYS; + static int mseal_supported = true; + if (atomic_load_relaxed (&mseal_supported)) + { + r = INTERNAL_SYSCALL_CALL (mseal, addr, len, 0); + if (r == -ENOSYS) + atomic_store_relaxed (&mseal_supported, false); + } +#endif + if (mode == DL_SEAL_ENFORCE && r != 0) + _dl_fatal_printf ("Fatal error: sealing is enforced and an error " + "ocurred for the 0x%lx-0x%lx range\n", + (long unsigned int) addr, + (long unsigned int) addr + len); + return r; +} diff --git a/sysdeps/unix/sysv/linux/dl-mseal.h b/sysdeps/unix/sysv/linux/dl-mseal.h new file mode 100644 index 0000000000..89b19e33c4 --- /dev/null +++ b/sysdeps/unix/sysv/linux/dl-mseal.h @@ -0,0 +1,29 @@ +/* Memory sealing. Linux version. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* Seal the ADDR or size LEN to protect against modifications, such as + changes on the permission flags (through mprotect), remap (through + mmap and/or remap), shrink, destruction changes (madvise with + MADV_DONTNEED), or change its size. The input has the same constraints + as the mseal syscall. + + Return 0 in case of success or a negative value otherwise (a negative + errno). */ +int _dl_mseal (void *addr, size_t len) attribute_hidden; + +#define SUPPORT_MSEAL lt_seal_toseal diff --git a/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c new file mode 100644 index 0000000000..3bd188efe8 --- /dev/null +++ b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c @@ -0,0 +1,19 @@ +/* Additional module for tst-dl_mseal test. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +int foo1 (void) { return 42; } diff --git a/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c new file mode 100644 index 0000000000..636e9777af --- /dev/null +++ b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c @@ -0,0 +1,19 @@ +/* Additional module for tst-dl_mseal test. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +int bar1 (void) { return 42; } diff --git a/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c new file mode 100644 index 0000000000..ef1372f47e --- /dev/null +++ b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c @@ -0,0 +1,19 @@ +/* Additional module for tst-dl_mseal test. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +int foo2_1 (void) { return 42; } diff --git a/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1.c b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1.c new file mode 100644 index 0000000000..3c2cbe6035 --- /dev/null +++ b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1.c @@ -0,0 +1,19 @@ +/* Additional module for tst-dl_mseal test. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +int foo2 (void) { return 42; } diff --git a/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c new file mode 100644 index 0000000000..0cd647de46 --- /dev/null +++ b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c @@ -0,0 +1,19 @@ +/* Additional module for tst-dl_mseal test. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +int bar2_1 (void) { return 42; } diff --git a/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2.c b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2.c new file mode 100644 index 0000000000..f719dd3cba --- /dev/null +++ b/sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2.c @@ -0,0 +1,19 @@ +/* Additional module for tst-dl_mseal test. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +int bar2 (void) { return 42; } diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal-static.c b/sysdeps/unix/sysv/linux/tst-dl_mseal-static.c new file mode 100644 index 0000000000..7f26713b35 --- /dev/null +++ b/sysdeps/unix/sysv/linux/tst-dl_mseal-static.c @@ -0,0 +1,2 @@ +#define TEST_STATIC +#include "tst-dl_mseal.c" diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal.c b/sysdeps/unix/sysv/linux/tst-dl_mseal.c new file mode 100644 index 0000000000..72a33d04c7 --- /dev/null +++ b/sysdeps/unix/sysv/linux/tst-dl_mseal.c @@ -0,0 +1,267 @@ +/* Basic tests for sealing. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#define LIB_PRELOAD "lib-tst-dl_mseal-preload.so" + +#define LIB_NEEDED_1 "lib-tst-dl_mseal-1.so" +#define LIB_NEEDED_2 "lib-tst-dl_mseal-2.so" + +#define LIB_DLOPEN_DEFAULT "lib-tst-dl_mseal-dlopen-1.so" +#define LIB_DLOPEN_DEFAULT_DEP "lib-tst-dl_mseal-dlopen-1-1.so" +#define LIB_DLOPEN_NODELETE "lib-tst-dl_mseal-dlopen-2.so" +#define LIB_DLOPEN_NODELETE_DEP "lib-tst-dl_mseal-dlopen-2-1.so" + +static int +new_flags (const char flags[4]) +{ + bool read_flag = flags[0] == 'r'; + bool write_flag = flags[1] == 'w'; + bool exec_flag = flags[2] == 'x'; + + write_flag = !write_flag; + + return (read_flag ? PROT_READ : 0) + | (write_flag ? PROT_WRITE : 0) + | (exec_flag ? PROT_EXEC : 0); +} + +/* Expected libraries that loader will seal. */ +static const char *expected_sealed_libs[] = +{ +#ifdef TEST_STATIC + "tst-dl_mseal-static", +#else + "libc.so", + "ld.so", + "tst-dl_mseal", + LIB_PRELOAD, + LIB_NEEDED_1, + LIB_NEEDED_2, + LIB_DLOPEN_NODELETE, + LIB_DLOPEN_NODELETE_DEP, +#endif + "[vdso]", +}; + +/* Libraries/VMA that could not be sealed. */ +static const char *non_sealed_vmas[] = +{ + ".", /* basename value for empty string anonymous + mappings. */ + "[heap]", + "[vsyscall]", + "[vvar]", + "[stack]", + "zero", /* /dev/zero */ +#ifndef TEST_STATIC + "tst-dl_mseal-mod-2.so", + LIB_DLOPEN_DEFAULT, + LIB_DLOPEN_DEFAULT_DEP +#endif +}; + +static int +is_in_string_list (const char *s, const char *const list[], size_t len) +{ + for (size_t i = 0; i != len; i++) + if (strcmp (s, list[i]) == 0) + return i; + return -1; +} + +static int +handle_restart (void) +{ +#ifndef TEST_STATIC + xdlopen (LIB_DLOPEN_NODELETE, RTLD_NOW | RTLD_NODELETE); + xdlopen (LIB_DLOPEN_DEFAULT, RTLD_NOW); +#endif + + FILE *fp = xfopen ("/proc/self/maps", "r"); + char *line = NULL; + size_t linesiz = 0; + + unsigned long pagesize = getpagesize (); + + bool found_expected[array_length(expected_sealed_libs)] = { false }; + while (xgetline (&line, &linesiz, fp) > 0) + { + uintptr_t start; + uintptr_t end; + char flags[5] = { 0 }; + char name[256] = { 0 }; + int idx; + + /* The line is in the form: + start-end flags offset dev inode pathname */ + int r = sscanf (line, + "%" SCNxPTR "-%" SCNxPTR " %4s %*s %*s %*s %256s", + &start, + &end, + flags, + name); + TEST_VERIFY_EXIT (r == 3 || r == 4); + + int found = false; + + const char *libname = basename (name); + if ((idx = is_in_string_list (libname, expected_sealed_libs, + array_length (expected_sealed_libs))) + != -1) + { + /* Check if we can change the protection flags of the segment. */ + int new_prot = new_flags (flags); + TEST_VERIFY_EXIT (mprotect ((void *) start, end - start, + new_prot) == -1); + TEST_VERIFY_EXIT (errno == EPERM); + + /* Also checks trying to map over the sealed libraries. */ + { + char *p = mmap ((void *) start, pagesize, new_prot, + MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); + TEST_VERIFY_EXIT (p == MAP_FAILED); + TEST_VERIFY_EXIT (errno == EPERM); + } + + /* And if remap is also blocked. */ + { + char *p = mremap ((void *) start, end - start, end - start, 0); + TEST_VERIFY_EXIT (p == MAP_FAILED); + TEST_VERIFY_EXIT (errno == EPERM); + } + + printf ("sealed: vma: %#" PRIxPTR "-%#" PRIxPTR " %s %s\n", + start, + end, + flags, + name); + + found_expected[idx] = true; + found = true; + } + + if (!found) + { + if (is_in_string_list (libname, non_sealed_vmas, + array_length (non_sealed_vmas)) != -1) + printf ("not-sealed: vma: %#" PRIxPTR "-%#" PRIxPTR " %s %s\n", + start, + end, + flags, + name); + else + FAIL_EXIT1 ("unexpected vma: %#" PRIxPTR "-%#" PRIxPTR " %s %s\n", + start, + end, + flags, + name); + } + } + xfclose (fp); + + printf ("\n"); + + /* Also check if all the expected sealed maps were found. */ + for (int i = 0; i < array_length (expected_sealed_libs); i++) + if (!found_expected[i]) + FAIL_EXIT1 ("expected VMA %s not sealed\n", expected_sealed_libs[i]); + + return 0; +} + +static int restart; +#define CMDLINE_OPTIONS \ + { "restart", no_argument, &restart, 1 }, + +static int +do_test (int argc, char *argv[]) +{ + /* We must have either: + - One or four parameters left if called initially: + + path to ld.so optional + + "--library-path" optional + + the library path optional + + the application name */ + if (restart) + return handle_restart (); + + /* Check the test requirements. */ + { + int r = mseal (NULL, 0, 0); + if (r == -1 && errno == ENOSYS) + FAIL_UNSUPPORTED ("mseal is not supported by the kernel"); + else + TEST_VERIFY_EXIT (r == 0); + } + support_need_proc ("Reads /proc/self/maps to get stack names."); + + char *spargv[9]; + int i = 0; + for (; i < argc - 1; i++) + spargv[i] = argv[i + 1]; + spargv[i++] = (char *) "--direct"; + spargv[i++] = (char *) "--restart"; + spargv[i] = NULL; + + char *envvarss[3]; + envvarss[0] = (char *) "GLIBC_TUNABLES=glibc.rtld.seal=2"; +#ifndef TEST_STATIC + envvarss[1] = (char *) "LD_PRELOAD=" LIB_PRELOAD; + envvarss[2] = NULL; +#else + envvarss[1] = NULL; +#endif + + struct support_capture_subprocess result = + support_capture_subprogram (spargv[0], spargv, envvarss); + support_capture_subprocess_check (&result, "tst-dl_mseal", 0, + sc_allow_stdout); + + { + FILE *out = fmemopen (result.out.buffer, result.out.length, "r"); + TEST_VERIFY (out != NULL); + char *line = NULL; + size_t linesz = 0; + while (xgetline (&line, &linesz, out)) + printf ("%s", line); + fclose (out); + } + + support_capture_subprocess_free (&result); + + return 0; +} + +#define TEST_FUNCTION_ARGV do_test +#include From patchwork Tue Jun 11 15:27:07 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1946406 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=iCdMvUNU; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VzCQ92bYsz20Tk for ; Wed, 12 Jun 2024 01:34:09 +1000 (AEST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 804A5385842C for ; Tue, 11 Jun 2024 15:34:07 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) by sourceware.org (Postfix) with ESMTPS id D2D7A385DDE5 for ; Tue, 11 Jun 2024 15:32:39 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org D2D7A385DDE5 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org D2D7A385DDE5 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::435 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1718119962; cv=none; b=wJhtbpTPXDt2MNqOET2Mrj4VQjFREbiXIVPwfeKCiLnekRiRXx9l+xFn2YxgpGp8F7NILawx9gDTATmCofCr7lVCxGzzkKexPcnQr8kd7Sa56PmdARdT7EIMxonSJFveHZcvO+zzh12nuPgwSjzzWR8/Aplx97p3QaOCSBafhYM= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1718119962; c=relaxed/simple; bh=DfbxejrHFnW0UR7Qxn/DyvdFw8uu83lTIIi6oBEtmPs=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=Q/X6ixvknF+XsRf8jzdDEms6Yz1/hljo5P2Y+qsWOLujKZ0tE9FnLpMf8SmM6Hd+5+r5FxHCa0oLd1XFBdTlFxeCXwJOIp3ysFQZAx/+4UBhIHpX92HGQF+E/ZRc/wZrOcnmUFeOQOKmX7HciLM7gVNy7/JqCxZ+EdWlKhOiSCk= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pf1-x435.google.com with SMTP id d2e1a72fcca58-70436ac8882so1143704b3a.2 for ; Tue, 11 Jun 2024 08:32:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1718119958; x=1718724758; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=d7OwYwsoI1uYihWPd3RXq9N6NWQFWWHaUyyCVwn96ak=; b=iCdMvUNUNeFmmr37dRKwrzOlGJGnkrncJu+b0D/9yBnCPCKCppzfzqtcH5reKiu6fc WQc7itXKYWgxOwkhWMLBPWwvfzILKHYB3GnemjXTpNHuo3Vadvx4jj8uk74KmmG4JQuw g0lFeG4gZ6/89FjKgq7QxnMFdkuAQZEXR0R8oceg+X0nYsQ3ITjXbQUcUo/OuPZX6IkG WLNZkMe7wPPCgGuGLWzx9TmbgYLqW8hLM3hQeZ4PZNBXIHQ4LupsafR6JG0gc7UiB1ap U7Zvwrs/3O2muQU8vcbb66GO5zWI5NCzOl8rG2rfY1R9aBSnZgkzalUP/pP3GU8tOT+I kt4A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718119958; x=1718724758; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=d7OwYwsoI1uYihWPd3RXq9N6NWQFWWHaUyyCVwn96ak=; b=CGhWWSCIVtQEGERTeN4avPuFYXLW+KCdYdMZVziFtoz1oPbUEzcFXGudOvqmijXKTP G+6dlH0qprCNFRcaos6Vp1BGLwwt4sjfJiCNiZOHoClJWa0z3RpSq/KUM0IQoKjDf2+O C/VfHm0ne6ATharI8xDxlobHwy8pMVNsv/3MYYIj9kqHRiwJSHo3gKsVsSSKSUFbAn4i b6Rt20W80vA1TMR0joK5/8YBLjeYeHiVaU6DyLZ2m3UBvTe++dmrLh20ij0BD/z7T8gF 3he2o1ISMs9I1xD934/ib4JmTxjb/A6uKUrpD43jBrQCB9TWUZ256Xl2+UOnRy8oXySd LAzg== X-Gm-Message-State: AOJu0YyX34XlF6R5sIxh26mvpSyPMOA75e4gkquVtdXu3R86kRFVyYQH Yl0ojtrF5YZ82I/bpRWNN5XxfbsPkGx0u7j8GmyZKkdDYT8zuf1a6szC/gNNK3nFIEOGXmQ2Lpz 7 X-Google-Smtp-Source: AGHT+IHAa19gLiN928e7T2hOpu9sdrrrAyjC+LPMwSSnRNURQm6TTRbh8v+8j89YOt19ZAP7OlaO2A== X-Received: by 2002:a05:6a20:9755:b0:1af:f8bd:1e4e with SMTP id adf61e73a8af0-1b2f9dcc579mr9879024637.62.1718119958148; Tue, 11 Jun 2024 08:32:38 -0700 (PDT) Received: from mandiga.. ([2804:1b3:a7c0:c5fb:1cf6:d480:34ef:aedf]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-70422c977dasm6023811b3a.62.2024.06.11.08.32.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jun 2024 08:32:37 -0700 (PDT) From: Adhemerval Zanella To: libc-alpha@sourceware.org Cc: Stephen Roettger , jeffxu@chromium.org, Carlos O'Donell , Florian Weimer Subject: [RFC 4/5] elf: Enable RTLD_NODELETE on __libc_unwind_link_get Date: Tue, 11 Jun 2024 12:27:07 -0300 Message-ID: <20240611153220.165430-5-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240611153220.165430-1-adhemerval.zanella@linaro.org> References: <20240611153220.165430-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.4 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org The libgcc_s.so can also be sealed. The library is loaded once and not unloaded during process execution (only for memory debug with __libc_unwind_link_freeres). Checked on x86_64-linux-gnu and aarch64-linux-gnu. --- include/dlfcn.h | 2 ++ manual/tunables.texi | 4 ++++ misc/unwind-link.c | 5 +++-- sysdeps/unix/sysv/linux/tst-dl_mseal.c | 13 +++++++++++++ 4 files changed, 22 insertions(+), 2 deletions(-) diff --git a/include/dlfcn.h b/include/dlfcn.h index f49ee1b0c9..06e2ecbdd2 100644 --- a/include/dlfcn.h +++ b/include/dlfcn.h @@ -50,6 +50,8 @@ extern char **__libc_argv attribute_hidden; better error handling semantics for the library. */ #define __libc_dlopen(name) \ __libc_dlopen_mode (name, RTLD_NOW | __RTLD_DLOPEN) +#define __libc_dlopen_nodelete(name) \ + __libc_dlopen_mode (name, RTLD_NODELETE | RTLD_NOW | __RTLD_DLOPEN) extern void *__libc_dlopen_mode (const char *__name, int __mode) attribute_hidden; extern void *__libc_dlsym (void *__map, const char *__name) diff --git a/manual/tunables.texi b/manual/tunables.texi index 26fba6641d..be36d52cf9 100644 --- a/manual/tunables.texi +++ b/manual/tunables.texi @@ -381,6 +381,10 @@ Any preload libraries. @item Any library loaded with @code{dlopen} with @code{RTLD_NODELETE} flag. + +@item +Any runtime library used for process unwind (such as required by @code{backtrace} +or @code{pthread_exit}). @end itemize The tunable accepts three diferent values: @samp{0} where sealing is disabled, diff --git a/misc/unwind-link.c b/misc/unwind-link.c index 213a0162a4..7267ecbec3 100644 --- a/misc/unwind-link.c +++ b/misc/unwind-link.c @@ -48,7 +48,7 @@ __libc_unwind_link_get (void) /* Initialize a copy of the data, so that we do not need about unlocking in case the dynamic loader somehow triggers unwinding. */ - void *local_libgcc_handle = __libc_dlopen (LIBGCC_S_SO); + void *local_libgcc_handle = __libc_dlopen_nodelete (LIBGCC_S_SO); if (local_libgcc_handle == NULL) { __libc_lock_unlock (lock); @@ -100,7 +100,8 @@ __libc_unwind_link_get (void) __libc_lock_lock (lock); if (atomic_load_relaxed (&global_libgcc_handle) != NULL) - /* This thread lost the race. Clean up. */ + /* This thread lost the race. Drop the l_direct_opencount and issue + the debug log. */ __libc_dlclose (local_libgcc_handle); else { diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal.c b/sysdeps/unix/sysv/linux/tst-dl_mseal.c index 72a33d04c7..da1a3ebe5a 100644 --- a/sysdeps/unix/sysv/linux/tst-dl_mseal.c +++ b/sysdeps/unix/sysv/linux/tst-dl_mseal.c @@ -19,6 +19,7 @@ #include #include #include +#include #include #include #include @@ -31,6 +32,7 @@ #include #include #include +#include #define LIB_PRELOAD "lib-tst-dl_mseal-preload.so" @@ -70,6 +72,7 @@ static const char *expected_sealed_libs[] = LIB_NEEDED_2, LIB_DLOPEN_NODELETE, LIB_DLOPEN_NODELETE_DEP, + LIBGCC_S_SO, #endif "[vdso]", }; @@ -100,6 +103,13 @@ is_in_string_list (const char *s, const char *const list[], size_t len) return -1; } +static void * +tf (void *closure) +{ + pthread_exit (NULL); + return NULL; +} + static int handle_restart (void) { @@ -108,6 +118,9 @@ handle_restart (void) xdlopen (LIB_DLOPEN_DEFAULT, RTLD_NOW); #endif + /* pthread_exit will load LIBGCC_S_SO. */ + xpthread_join (xpthread_create (NULL, tf, NULL)); + FILE *fp = xfopen ("/proc/self/maps", "r"); char *line = NULL; size_t linesiz = 0; From patchwork Tue Jun 11 15:27:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1946405 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=aFHIJLDQ; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=8.43.85.97; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VzCPW5Rtbz20Py for ; Wed, 12 Jun 2024 01:33:35 +1000 (AEST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 11C4D385DDFB for ; Tue, 11 Jun 2024 15:33:34 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) by sourceware.org (Postfix) with ESMTPS id CC43E385DDE6 for ; Tue, 11 Jun 2024 15:32:42 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org CC43E385DDE6 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org CC43E385DDE6 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::42c ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1718119965; cv=none; b=IVhr4IUevXb7QhW83QOV62cmVlg6BzClX1LR/VORaM9EYB3PXa0YZqnr0GUdedbiDac6i18F3FVuoquRZmR7DM92zT7L2Namjfce1JURxUzqHecVT6aww4O5aEAnfAutwCWsHm834k7iChmCbDEzqn1tO9xkA9mfKDmKWwqUDWI= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1718119965; c=relaxed/simple; bh=FhBU3T+zdv3Xj88T1ncqfgOT2bZ06o7xH3vFHAKYFeQ=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=J3TdC8otBqqIyMsR/ZaEGruGmoDdGelt81NEnYxbIAipvuV/gonmOr2YG/8KazzlOiaHITc3Y5j9UDwPqL8zdX8RJX1aKxfHeoKjQU9xSGuc3ry6w1G0U0OuMsZ1fiMaezaoG5BeTmwgCaEMj2F8H33vN/8u38r2dc5WFUNEntU= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pf1-x42c.google.com with SMTP id d2e1a72fcca58-70109d34a16so5390920b3a.2 for ; Tue, 11 Jun 2024 08:32:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1718119961; x=1718724761; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Xmphwhr+iTAJGwS9wSN4vGADMl6gfC25KCNXJlSglXU=; b=aFHIJLDQvoQb/aHA2k9RhLw05xCyoersQenvYNGaG4o8a42rfVsTumigqOfuX+xC7c Bim7pSRLWx7gVLPjoee3e+hxty/iSTbdjSk81KbS7d0yYy+13QetFfTP7Dsid/fsstwp 7hkXB6VLSS9KFymFdN9vD/AJ1rqr+6bQS75rujRmRGIRMxikmI8PA+uP3vcw/5sxh9gD d0BTBrOiOnkUOfUj2Emge83mdbz6HJnKNjVda6Y/f580BQf+U8W+fROmOkGIkyawrrxh +slqcaMd5DThAhlncmUUGw0WyGVrWn5Pj5ni971pFkeFrI/PBfkNFXlBXAfz4EfHuFSy M13Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718119961; x=1718724761; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Xmphwhr+iTAJGwS9wSN4vGADMl6gfC25KCNXJlSglXU=; b=sXXWOhi2Vmr50LiJnNw2RaGozVziMh0pHQGTX+QCMUZzUp8dgNAbFY7Akg47qLUjDM WF0GuNcljC19vu20IHyzlkPfZIIDXtBYxbSFIhMsWiQROyuWLmupVfi2bzCIiRb9r9iL oZgpbRPqLdgf/bLn+fBjIrbQiZmZeO3/wMwwYk42Ld1t1p5pbtSoG931Z7DOeuZnyNjc zv4rVsSf3jVeZGor8Jn1tNoTSEu4cBwFncLG6ZHYX7xGIL7dI2E5g7Xrjms6COWzmmpE ywB15kc8LSWonntl31WOtzxKLcRtLjn0kFhKgh5/J9cZWEVxos+m4hHmxtcmDrf6Pyln nvVg== X-Gm-Message-State: AOJu0YzyqOqNYZHpcZxqtxSdyST+BQNpiB/mHD8IfqH47BO9qzRzXpM6 Gtr6duny3xqd94151nhJnMkMDJD/A5dDOvf5Y3bZRVhejT2j5xEjgGAq7IpQERNi7gaLEEwhKMY i X-Google-Smtp-Source: AGHT+IFa6qrpFe7kuXrXjJNlGm+7AfXV4Q/iZZuiC9MG82o2i0CilYDpUrRy1vAvPmJDBYYJKzAk2w== X-Received: by 2002:a05:6a00:2e11:b0:704:3491:d753 with SMTP id d2e1a72fcca58-7043491dec3mr8184188b3a.16.1718119961054; Tue, 11 Jun 2024 08:32:41 -0700 (PDT) Received: from mandiga.. ([2804:1b3:a7c0:c5fb:1cf6:d480:34ef:aedf]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-70422c977dasm6023811b3a.62.2024.06.11.08.32.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jun 2024 08:32:40 -0700 (PDT) From: Adhemerval Zanella To: libc-alpha@sourceware.org Cc: Stephen Roettger , jeffxu@chromium.org, Carlos O'Donell , Florian Weimer Subject: [RFC 5/5] elf: Add support to memory sealing for audit modules Date: Tue, 11 Jun 2024 12:27:08 -0300 Message-ID: <20240611153220.165430-6-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240611153220.165430-1-adhemerval.zanella@linaro.org> References: <20240611153220.165430-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-Spam-Status: No, score=-12.6 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, KAM_SHORT, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org The memory sealing is done after library loading and sanity check since an inexistent or wrong la_version might unload the library. Checked on x86_64-linux-gnu and aarch64-linux-gnu. --- elf/rtld.c | 4 ++++ manual/tunables.texi | 3 +++ sysdeps/unix/sysv/linux/Makefile | 2 ++ .../unix/sysv/linux/tst-dl_mseal-auditmod.c | 23 +++++++++++++++++++ sysdeps/unix/sysv/linux/tst-dl_mseal.c | 7 ++++-- 5 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c diff --git a/elf/rtld.c b/elf/rtld.c index 174389e205..62ad1272a4 100644 --- a/elf/rtld.c +++ b/elf/rtld.c @@ -1044,6 +1044,10 @@ ERROR: audit interface '%s' requires version %d (maximum supported version %d); /* Mark the DSO as being used for auditing. */ dlmargs.map->l_auditing = 1; + + /* Seal the audit modules and their dependencies. */ + dlmargs.map->l_seal = lt_seal_toseal; + _dl_mseal_map (dlmargs.map, true); } /* Load all audit modules. */ diff --git a/manual/tunables.texi b/manual/tunables.texi index be36d52cf9..63445d74c2 100644 --- a/manual/tunables.texi +++ b/manual/tunables.texi @@ -385,6 +385,9 @@ Any library loaded with @code{dlopen} with @code{RTLD_NODELETE} flag. @item Any runtime library used for process unwind (such as required by @code{backtrace} or @code{pthread_exit}). + +@item +All audit modules and their dependencies. @end itemize The tunable accepts three diferent values: @samp{0} where sealing is disabled, diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile index 922511b4a1..f11aff84f5 100644 --- a/sysdeps/unix/sysv/linux/Makefile +++ b/sysdeps/unix/sysv/linux/Makefile @@ -656,9 +656,11 @@ modules-names += \ lib-tst-dl_mseal-dlopen-2 \ lib-tst-dl_mseal-dlopen-2-1 \ lib-tst-dl_mseal-preload \ + tst-dl_mseal-auditmod \ # modules-names $(objpfx)tst-dl_mseal.out: \ + $(objpfx)tst-dl_mseal-auditmod.so \ $(objpfx)lib-tst-dl_mseal-preload.so \ $(objpfx)lib-tst-dl_mseal-1.so \ $(objpfx)lib-tst-dl_mseal-2.so \ diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c b/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c new file mode 100644 index 0000000000..d909a1561c --- /dev/null +++ b/sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c @@ -0,0 +1,23 @@ +/* Audit module for tst-dl_mseal test. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +unsigned int +la_version (unsigned int v) +{ + return v; +} diff --git a/sysdeps/unix/sysv/linux/tst-dl_mseal.c b/sysdeps/unix/sysv/linux/tst-dl_mseal.c index da1a3ebe5a..ac60d7342a 100644 --- a/sysdeps/unix/sysv/linux/tst-dl_mseal.c +++ b/sysdeps/unix/sysv/linux/tst-dl_mseal.c @@ -35,6 +35,7 @@ #include #define LIB_PRELOAD "lib-tst-dl_mseal-preload.so" +#define LIB_AUDIT "tst-dl_mseal-auditmod.so" #define LIB_NEEDED_1 "lib-tst-dl_mseal-1.so" #define LIB_NEEDED_2 "lib-tst-dl_mseal-2.so" @@ -68,6 +69,7 @@ static const char *expected_sealed_libs[] = "ld.so", "tst-dl_mseal", LIB_PRELOAD, + LIB_AUDIT, LIB_NEEDED_1, LIB_NEEDED_2, LIB_DLOPEN_NODELETE, @@ -247,11 +249,12 @@ do_test (int argc, char *argv[]) spargv[i++] = (char *) "--restart"; spargv[i] = NULL; - char *envvarss[3]; + char *envvarss[4]; envvarss[0] = (char *) "GLIBC_TUNABLES=glibc.rtld.seal=2"; #ifndef TEST_STATIC envvarss[1] = (char *) "LD_PRELOAD=" LIB_PRELOAD; - envvarss[2] = NULL; + envvarss[2] = (char *) "LD_AUDIT=" LIB_AUDIT, + envvarss[3] = NULL; #else envvarss[1] = NULL; #endif