Date: Fri, 20 Jun 2014 17:08:32 +0000 (UTC) From: Jonathan Anderson <jonathan@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r267678 - head/libexec/rtld-elf Message-ID: <201406201708.s5KH8WVP017030@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jonathan Date: Fri Jun 20 17:08:32 2014 New Revision: 267678 URL: http://svnweb.freebsd.org/changeset/base/267678 Log: Add the LD_LIBRARY_PATH_FDS environmental variable. This variable allows the loading of shared libraries via directory descriptors rather than via library paths. If LD_LIBRARY_PATH_FDS=3:4:12, the directories represented by file descriptors 3, 4 and 12 will searched for shared libraries before the normal path-based mechanisms are used. This allows us to execute unprivileged binaries from within a Capsicum sandbox even if they require shared libraries. Approved by: rwatson (mentor) Reviewed by: kib MFC after: 3 weeks Sponsored by: DARPA/AFRL Modified: head/libexec/rtld-elf/rtld.1 head/libexec/rtld-elf/rtld.c head/libexec/rtld-elf/rtld_printf.c head/libexec/rtld-elf/rtld_printf.h Modified: head/libexec/rtld-elf/rtld.1 ============================================================================== --- head/libexec/rtld-elf/rtld.1 Fri Jun 20 15:43:58 2014 (r267677) +++ head/libexec/rtld-elf/rtld.1 Fri Jun 20 17:08:32 2014 (r267678) @@ -28,7 +28,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 28, 2012 +.Dd June 20, 2014 .Dt RTLD 1 .Os .Sh NAME @@ -192,6 +192,13 @@ the directories specified by will be searched first followed by the set of built-in standard directories. This variable is unset for set-user-ID and set-group-ID programs. +.Ev LD_LIBRARY_PATH_FDS +A colon separated list of file descriptor numbers for library directories. +This is intended for use within +.Xr capsicum 4 +sandboxes, when global namespaces such as the filesystem are unavailable. +It is consulted just after LD_LIBRARY_PATH. +This variable is unset for set-user-ID and set-group-ID programs. .It Ev LD_BIND_NOW When set to a nonempty string, causes .Nm @@ -283,6 +290,7 @@ The libmap configuration file for 32-bit .Sh SEE ALSO .Xr ld 1 , .Xr ldd 1 , +.Xr capsicum 4 , .Xr elf 5 , .Xr libmap.conf 5 , .Xr ldconfig 8 Modified: head/libexec/rtld-elf/rtld.c ============================================================================== --- head/libexec/rtld-elf/rtld.c Fri Jun 20 15:43:58 2014 (r267677) +++ head/libexec/rtld-elf/rtld.c Fri Jun 20 17:08:32 2014 (r267678) @@ -94,7 +94,7 @@ static bool donelist_check(DoneList *, c static void errmsg_restore(char *); static char *errmsg_save(void); static void *fill_search_info(const char *, size_t, void *); -static char *find_library(const char *, const Obj_Entry *); +static char *find_library(const char *, const Obj_Entry *, int *); static const char *gethints(bool); static void init_dag(Obj_Entry *); static void init_pagesizes(Elf_Auxinfo **aux_info); @@ -119,6 +119,7 @@ static void objlist_push_head(Objlist *, static void objlist_push_tail(Objlist *, Obj_Entry *); static void objlist_put_after(Objlist *, Obj_Entry *, Obj_Entry *); static void objlist_remove(Objlist *, Obj_Entry *); +static int parse_libdir(const char *); static void *path_enumerate(const char *, path_enum_proc, void *); static int relocate_object_dag(Obj_Entry *root, bool bind_now, Obj_Entry *rtldobj, int flags, RtldLockState *lockstate); @@ -133,6 +134,7 @@ static int rtld_dirname_abs(const char * static void *rtld_dlopen(const char *name, int fd, int mode); static void rtld_exit(void); static char *search_library_path(const char *, const char *); +static char *search_library_pathfds(const char *, const char *, int *); static const void **get_program_var_addr(const char *, RtldLockState *); static void set_program_var(const char *, const void *); static int symlook_default(SymLook *, const Obj_Entry *refobj); @@ -178,6 +180,7 @@ static bool dangerous_ld_env; /* True if static char *ld_bind_now; /* Environment variable for immediate binding */ static char *ld_debug; /* Environment variable for debugging */ static char *ld_library_path; /* Environment variable for search path */ +static char *ld_library_dirs; /* Environment variable for library descriptors */ static char *ld_preload; /* Environment variable for libraries to load first */ static char *ld_elf_hints_path; /* Environment variable for alternative hints path */ @@ -401,7 +404,8 @@ _rtld(Elf_Addr *sp, func_ptr_type *exit_ */ if (!trust) { if (unsetenv(LD_ "PRELOAD") || unsetenv(LD_ "LIBMAP") || - unsetenv(LD_ "LIBRARY_PATH") || unsetenv(LD_ "LIBMAP_DISABLE") || + unsetenv(LD_ "LIBRARY_PATH") || unsetenv(LD_ "LIBRARY_PATH_FDS") || + unsetenv(LD_ "LIBMAP_DISABLE") || unsetenv(LD_ "DEBUG") || unsetenv(LD_ "ELF_HINTS_PATH") || unsetenv(LD_ "LOADFLTR") || unsetenv(LD_ "LIBRARY_PATH_RPATH")) { _rtld_error("environment corrupt; aborting"); @@ -412,6 +416,7 @@ _rtld(Elf_Addr *sp, func_ptr_type *exit_ libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL; libmap_override = getenv(LD_ "LIBMAP"); ld_library_path = getenv(LD_ "LIBRARY_PATH"); + ld_library_dirs = getenv(LD_ "LIBRARY_PATH_FDS"); ld_preload = getenv(LD_ "PRELOAD"); ld_elf_hints_path = getenv(LD_ "ELF_HINTS_PATH"); ld_loadfltr = getenv(LD_ "LOADFLTR") != NULL; @@ -1417,6 +1422,7 @@ gnu_hash(const char *s) return (h & 0xffffffff); } + /* * Find the library with the given name, and return its full pathname. * The returned string is dynamically allocated. Generates an error @@ -1425,6 +1431,10 @@ gnu_hash(const char *s) * If the second argument is non-NULL, then it refers to an already- * loaded shared object, whose library search path will be searched. * + * If a library is successfully located via LD_LIBRARY_PATH_FDS, its + * descriptor (which is close-on-exec) will be passed out via the third + * argument. + * * The search order is: * DT_RPATH in the referencing file _unless_ DT_RUNPATH is present (1) * DT_RPATH of the main object if DSO without defined DT_RUNPATH (1) @@ -1437,7 +1447,7 @@ gnu_hash(const char *s) * (1) Handled in digest_dynamic2 - rpath left NULL if runpath defined. */ static char * -find_library(const char *xname, const Obj_Entry *refobj) +find_library(const char *xname, const Obj_Entry *refobj, int *fdp) { char *pathname; char *name; @@ -1474,6 +1484,7 @@ find_library(const char *xname, const Ob if ((pathname = search_library_path(name, ld_library_path)) != NULL || (refobj != NULL && (pathname = search_library_path(name, refobj->rpath)) != NULL) || + (pathname = search_library_pathfds(name, ld_library_dirs, fdp)) != NULL || (pathname = search_library_path(name, gethints(false))) != NULL || (pathname = search_library_path(name, STANDARD_LIBRARY_PATH)) != NULL) return (pathname); @@ -1486,6 +1497,7 @@ find_library(const char *xname, const Ob (pathname = search_library_path(name, ld_library_path)) != NULL || (objgiven && (pathname = search_library_path(name, refobj->runpath)) != NULL) || + (pathname = search_library_pathfds(name, ld_library_dirs, fdp)) != NULL || (pathname = search_library_path(name, gethints(nodeflib))) != NULL || (objgiven && !nodeflib && (pathname = search_library_path(name, STANDARD_LIBRARY_PATH)) != NULL)) @@ -2085,29 +2097,34 @@ load_object(const char *name, int fd_u, struct stat sb; char *path; + fd = -1; if (name != NULL) { for (obj = obj_list->next; obj != NULL; obj = obj->next) { if (object_match_name(obj, name)) return (obj); } - path = find_library(name, refobj); + path = find_library(name, refobj, &fd); if (path == NULL) return (NULL); } else path = NULL; - /* - * If we didn't find a match by pathname, or the name is not - * supplied, open the file and check again by device and inode. - * This avoids false mismatches caused by multiple links or ".." - * in pathnames. - * - * To avoid a race, we open the file and use fstat() rather than - * using stat(). - */ - fd = -1; - if (fd_u == -1) { + if (fd >= 0) { + /* + * search_library_pathfds() opens a fresh file descriptor for the + * library, so there is no need to dup(). + */ + } else if (fd_u == -1) { + /* + * If we didn't find a match by pathname, or the name is not + * supplied, open the file and check again by device and inode. + * This avoids false mismatches caused by multiple links or ".." + * in pathnames. + * + * To avoid a race, we open the file and use fstat() rather than + * using stat(). + */ if ((fd = open(path, O_RDONLY | O_CLOEXEC)) == -1) { _rtld_error("Cannot open \"%s\"", path); free(path); @@ -2745,6 +2762,69 @@ search_library_path(const char *name, co return (p); } + +/* + * Finds the library with the given name using the directory descriptors + * listed in the LD_LIBRARY_PATH_FDS environment variable. + * + * Returns a freshly-opened close-on-exec file descriptor for the library, + * or -1 if the library cannot be found. + */ +static char * +search_library_pathfds(const char *name, const char *path, int *fdp) +{ + char *envcopy, *fdstr, *found, *last_token; + size_t len; + int dirfd, fd; + + dbg("%s('%s', '%s', fdp)\n", __func__, name, path); + + /* Don't load from user-specified libdirs into setuid binaries. */ + if (!trust) + return (NULL); + + /* We can't do anything if LD_LIBRARY_PATH_FDS isn't set. */ + if (path == NULL) + return (NULL); + + /* LD_LIBRARY_PATH_FDS only works with relative paths. */ + if (name[0] == '/') { + dbg("Absolute path (%s) passed to %s", name, __func__); + return (NULL); + } + + /* + * Use strtok_r() to walk the FD:FD:FD list. This requires a local + * copy of the path, as strtok_r rewrites separator tokens + * with '\0'. + */ + found = NULL; + envcopy = xstrdup(path); + for (fdstr = strtok_r(envcopy, ":", &last_token); fdstr != NULL; + fdstr = strtok_r(NULL, ":", &last_token)) { + dirfd = parse_libdir(fdstr); + if (dirfd < 0) + break; + fd = openat(dirfd, name, O_RDONLY | O_CLOEXEC); + if (fd >= 0) { + *fdp = fd; + len = strlen(fdstr) + strlen(name) + 3; + found = xmalloc(len); + if (rtld_snprintf(found, len, "#%d/%s", dirfd, name) < 0) { + _rtld_error("error generating '%d/%s'", + dirfd, name); + die(); + } + dbg("open('%s') => %d", found, fd); + break; + } + } + free(envcopy); + + return (found); +} + + int dlclose(void *handle) { @@ -4835,6 +4915,36 @@ symlook_init_from_req(SymLook *dst, cons dst->lockstate = src->lockstate; } + +/* + * Parse a file descriptor number without pulling in more of libc (e.g. atoi). + */ +static int +parse_libdir(const char *str) +{ + static const int RADIX = 10; /* XXXJA: possibly support hex? */ + const char *orig; + int fd; + char c; + + orig = str; + fd = 0; + for (c = *str; c != '\0'; c = *++str) { + if (c < '0' || c > '9') + return (-1); + + fd *= RADIX; + fd += c - '0'; + } + + /* Make sure we actually parsed something. */ + if (str == orig) { + _rtld_error("failed to parse directory FD from '%s'", str); + return (-1); + } + return (fd); +} + /* * Overrides for libc_pic-provided functions. */ Modified: head/libexec/rtld-elf/rtld_printf.c ============================================================================== --- head/libexec/rtld-elf/rtld_printf.c Fri Jun 20 15:43:58 2014 (r267677) +++ head/libexec/rtld-elf/rtld_printf.c Fri Jun 20 17:08:32 2014 (r267678) @@ -429,6 +429,18 @@ number: } int +rtld_snprintf(char *buf, size_t bufsize, const char *fmt, ...) +{ + va_list ap; + int retval; + + va_start(ap, fmt); + retval = rtld_vsnprintf(buf, bufsize, fmt, ap); + va_end(ap); + return (retval); +} + +int rtld_vsnprintf(char *buf, size_t bufsize, const char *fmt, va_list ap) { struct snprintf_arg info; Modified: head/libexec/rtld-elf/rtld_printf.h ============================================================================== --- head/libexec/rtld-elf/rtld_printf.h Fri Jun 20 15:43:58 2014 (r267677) +++ head/libexec/rtld-elf/rtld_printf.h Fri Jun 20 17:08:32 2014 (r267678) @@ -31,6 +31,8 @@ #include <sys/cdefs.h> #include <unistd.h> +int rtld_snprintf(char *buf, size_t bufsize, const char *fmt, ...) + __printflike(3, 4); int rtld_vsnprintf(char *buf, size_t bufsize, const char *fmt, va_list ap); int rtld_vfdprintf(int fd, const char *fmt, va_list ap); int rtld_fdprintf(int fd, const char *fmt, ...) __printflike(2, 3);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201406201708.s5KH8WVP017030>