Ubiquitous compartmentalisation #2012
Conversation
|
@brooksdavis Commit 8bb8e5d removes a number of |
The point of those is so that, when building the various c18n libraries, duplicate config etc files are not installed. Given you still have separate c18n and non-c18n libc builds I don't know why you're removing the ifdefs? The definitions come from lib/libc_c18n etc. |
|
Can you please be more descriptive in your commit messages? I strongly suspect you are the only one to whom they have a precise meaning; to the rest of us it's not at all clear what specific things you're trying to achieve with each. We understand the high-level overview of what the goal is, but not the details for how that is being done. |
|
@jrtc27 This PR is ready for review now. Thanks! |
dpgao
changed the title
|
@jrtc27 I've adapted The man page also needs to be updated. |
dpgao
changed the title
|
|
| @@ -45,16 +45,22 @@ | |||
| #endif | |||
| #endif | |||
|
|
|||
| #ifndef _RTLD_C18N_FILE_SUFFIX | |||
There was a problem hiding this comment.
My comment for all of these:
What is the intended set of files used by each linker in the various different scenarios? I foresee issues with ld-elf being both c18n and non-c18n when it comes to ldconfig, since you need the c18n libc+libthr for c18n but the non-c18n one for non-c18n, yet it's the same rtld. What's making sure the right one gets used? Similarly what's making sure the files are configured correctly by /etc/rc.d/ldconfig? Note that these days it asks rtld itself for the system lib path, which may give different output based on what the default c18n configuration is, which sounds like something that you don't want.
There was a problem hiding this comment.
I have general concerns about the policy file format and the related data structures, but I don't think they matter much for this release as long as we have a migration path that includes the possibility of significant changes. In particular, I think there would be a lot of value in something existing tools can manipulate (e.g., JSON or UCL) since I expect policies to be large and machine generated.
libexec/rtld-elf/rtld_c18n.c
Outdated
| struct string_base *symbols; | ||
| char buf[C18N_POLICY_IDENT_MAX]; | ||
|
|
||
| if (!eat_token(&cur, "Version 1\n")) |
There was a problem hiding this comment.
I fear the tabs are going to lead to a great deal of frustration.
@brooksdavis How do I test if we are building on CHERI and Morello? Something like |
That would work. To centralize things, you could conceivably only define PROC_CHERI_C18N_CTL/STATUS on morello using the second expression and then key off their presence elsewhere. |
|
@jrtc27 I agree with your thoughts about With this in mind, can we merge this PR as-is so that people can start experimenting with the feature first? In a future PR, I will make the breaking changes of:
|
dpgao
force-pushed
the
c18n-ubiq
branch
6 times, most recently
from
e54a477
to
ba3a9f1
Compare
| */ | ||
| extern bool ld_compartment_enable; | ||
|
|
||
| #define C18N_ENABLED ld_compartment_enable |
There was a problem hiding this comment.
I would move the extern Obj_Entry obj_rtld here.
There was a problem hiding this comment.
Hmmm, if I do that, then an error will appear in reloc.c:reloc_non_plt because one of its arguments also has the name obj_rtld...
There was a problem hiding this comment.
Hmm, reading rtld, it seems to be quite careful to avoid exporting obj_rtld. Maybe pass it as an argument to c18n_init instead of using it as a global? Then you can leave it static in rtld.c.
There was a problem hiding this comment.
I've added an XXX to the extern Obj_Entry obj_rtld. It turns out that I don't need obj_rtld to be global after interrupt-safety is implemented. So this change is only a temporary hack.
There was a problem hiding this comment.
Hmm, reading rtld, it seems to be quite careful to avoid exporting
obj_rtld. Maybe pass it as an argument toc18n_initinstead of using it as a global? Then you can leave it static in rtld.c.
I hadn't refreshed my page to see your last comment when I posted mine. Yes, passing obj_rtld as an argument is a better idea. Fix now pushed.
dpgao
force-pushed
the
c18n-ubiq
branch
2 times, most recently
from
bd12598
to
c8ccdd4
Compare
libexec/rtld-elf/rtld_c18n.c
Outdated
| { | ||
| extern Obj_Entry obj_rtld; |
There was a problem hiding this comment.
Don't you no longer need the extern if you are passing it in now? (Presumably this won't compile?)
libexec/rtld-elf/rtld_c18n.c
Outdated
| return (tframe->pc); | ||
| _rtld_sighandler = tramp_intern(NULL, &(struct tramp_data) { | ||
| .target = _rtld_sighandler_unsafe, | ||
| .defobj = &obj_rtld, |
There was a problem hiding this comment.
| .defobj = &obj_rtld, | |
| .defobj = obj_rtld, |
Would seem to be needed now as well (and below)?
Undefined weak symbols are represented by a dummy sym_zero definition in RTLD. Correctly handle this special case when creating a trampoline.
Non-PLT functions must have a canonical address so that different libraries see the same address for the same function. Previously, some but not all non-PLT functions are wrapped in trampolines, breaking function pointer equality. For example, relative relocations of function pointers are not wrapped in trampolines at all. This commit completely disables trampolines for non-PLT relocations until a complete solution for wrapping all function pointers is implemented.
Otherwise this causes cheribsdtest's 'initial value of restricted stack capability' test to fail with the default RTLD when ubiquitous compartmentalisation is implemented.
Compartmentalisation can be enabled on the ld-elf.so.1 linker by setting the environment variable LD_COMPARTMENT_ENABLE (unless LD_COMPARTMENT_DISABLE also set, which prevails). The existing ld-elf*-c18n.so.1 linkers are removed.
This reverts commit c56fe83 now that the default RTLD supports compartmentalisation.
And teach readelf about it.
This makes functions such as dladdr work even when given a trampoline.
Some software like bmake calls sigaction after calling vfork which corrupts RTLD's signal dispatch table. Securely supporting vfork under c18n has proven a difficult task and this commit redirects vfork to fork when c18n is enabled. rfork may be used when the user intentionally wants vfork-like memory sharing behaviour. Thus, only calling it with flags deemed to be 'safe' is allowed under c18n, unless the call is made from libc (as part of the implementation for posix_spawn). This commit also partially reverts 50865cd by removing the execve(2) family of functions from the list of trusted symbols. Also redirect _thr_exit and __sys_thr_exit to _rtld_thr_exit.
|
Seems like CI had a bogus failure earlier. Have now rebased to latest dev and will merge once CI passes. |
New features: CTSRD-CHERI#1941 uudecode filter: support file name and file mode in raw mode CTSRD-CHERI#1943 7-zip reader: translate Windows permissions into UNIX permissions CTSRD-CHERI#1962 zstd filter now supports the "long" write option CTSRD-CHERI#2012 add trailing letter b to bsdtar(1) substitute pattern CTSRD-CHERI#2031 PCRE2 support CTSRD-CHERI#2054 add support for long options "--group" and "--owner" to tar(1) Security fixes: CTSRD-CHERI#2101 Fix possible vulnerability in tar error reporting introduced in f27c173 Important bugfixes: CTSRD-CHERI#1974 ISO9660: preserve the natural order of links CTSRD-CHERI#2105 rar5: fix infinite loop if during rar5 decompression the last block produced no data CTSRD-CHERI#2027 xz filter: fix incorrect eof at the end of an lzip member CTSRD-CHERI#2043 zip: fix end-of-data marker processing when decompressing zip archives Obtained from: libarchive Libarchive commit: 4fcc02d906cca4b9e21a78a833f1142a2689ec52
Libarchive 3.7.3 New features: CTSRD-CHERI#1941 uudecode filter: support file name and file mode in raw mode CTSRD-CHERI#1943 7-zip reader: translate Windows permissions into UNIX permissions CTSRD-CHERI#1962 zstd filter now supports the "long" write option CTSRD-CHERI#2012 add trailing letter b to bsdtar(1) substitute pattern CTSRD-CHERI#2031 PCRE2 support CTSRD-CHERI#2054 add support for long options "--group" and "--owner" to tar(1) Security fixes: CTSRD-CHERI#2101 Fix possible vulnerability in tar error reporting introduced in f27c173 Important bugfixes: CTSRD-CHERI#1974 ISO9660: preserve the natural order of links CTSRD-CHERI#2105 rar5: fix infinite loop if during rar5 decompression the last block produced no data CTSRD-CHERI#2027 xz filter: fix incorrect eof at the end of an lzip member CTSRD-CHERI#2043 zip: fix end-of-data marker processing when decompressing zip archives PR: 278315 (exp-run) MFC after: 1 week
Libarchive 3.7.3 New features: CTSRD-CHERI#1941 uudecode filter: support file name and file mode in raw mode CTSRD-CHERI#1943 7-zip reader: translate Windows permissions into UNIX permissions CTSRD-CHERI#1962 zstd filter now supports the "long" write option CTSRD-CHERI#2012 add trailing letter b to bsdtar(1) substitute pattern CTSRD-CHERI#2031 PCRE2 support CTSRD-CHERI#2054 add support for long options "--group" and "--owner" to tar(1) Security fixes: CTSRD-CHERI#2101 Fix possible vulnerability in tar error reporting introduced in f27c173 Important bugfixes: CTSRD-CHERI#1974 ISO9660: preserve the natural order of links CTSRD-CHERI#2105 rar5: fix infinite loop if during rar5 decompression the last block produced no data CTSRD-CHERI#2027 xz filter: fix incorrect eof at the end of an lzip member CTSRD-CHERI#2043 zip: fix end-of-data marker processing when decompressing zip archives PR: 278315 (exp-run) MFC after: 1 week
The default RTLD is modified to allow you to turn compartmentalisation on by setting the environment variable
LD_COMPARTMENT_ENABLE.Without setting the environment variable, RTLD behaves exactly as before.