The tunable privilege levels were a retrofit to try and keep the malloc
tunable environment variables' behavior unchanged across security
boundaries. However, CVE-2023-4911 shows how tricky can be
tunable parsing in a security-sensitive environment.
Not only parsing, but the malloc tunable essentially changes some
semantics on setuid/setgid processes. Although it is not a direct
security issue, allowing users to change setuid/setgid semantics is not
a good security practice, and requires extra code and analysis to check
if each tunable is safe to use on all security boundaries.
It also means that security opt-in features, like aarch64 MTE, would
need to be explicit enabled by an administrator with a wrapper script
or with a possible future system-wide tunable setting.
Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
The first segment in a shared library may be read-only, not executable.
To support LD_PREFER_MAP_32BIT_EXEC on such shared libraries, we also
check MAP_DENYWRITE to decide if MAP_32BIT should be passed to mmap.
Normally the first segment is mapped with MAP_COPY, which is defined
as (MAP_PRIVATE | MAP_DENYWRITE). But if the segment alignment is
greater than the page size, MAP_COPY isn't used to allocate enough
space to ensure that the segment can be properly aligned. Map the
first segment with MAP_COPY in this case to fix BZ #30452.
This makes the prefer_map_32bit_exec tunable no longer Linux-specific.
Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
Message-Id: <20230423215526.346009-4-bugaevc@gmail.com>
Various architectures have files such as sysdeps/<arch>/shlib-versions
whose contents are in fact entirely Linux-specific, relating only to
the symbol / shared library versions for the port to Linux on that
architecture, when any future port to a different OS on that
architecture would use the symbol version of the glibc release it goes
in, as standard for new ports.
This patch moves such files under sysdeps/unix/sysv/linux/, merging in
the contents of sysdeps/<arch>/nptl/shlib-versions in the process.
The only bits not moved are those relating to libgcc_s versions, which
don't appear OS-specific in the same way that glibc's symbol versions
so. It deliberately does not change the regular expressions given for
matching configurations in each file; some match only Linux although
not Linux-specific, or match other OSes although Linux-specific. It
is with a view to at least the following further cleanups:
* Move architecture-specific content from the toplevel shlib-versions
and nptl/shlib-versions into sysdeps shlib-versions files, so
eliminating another difference between ex-ports and non-ex-ports
architectures.
* Likewise, for OS-specific content in shlib-versions files.
* At that point, the first field in shlib-versions files (the regular
expression matching a configuration triplet) should be redundant, so
eliminate that field and leave shlib-versions selection working
purely on a sysdeps basis (with limited use of %ifdef in
shlib-versions files when needed) rather than having its own
separate mechanism to select what configuration information is
relevant.
* Move the build of gnu/lib-names.h to a similar mechanism to that
used for gnu/stubs.h (each library build installing a version of the
header specifically for that build), so we can eliminate the
duplication of soname information in the makefiles and get it purely
from shlib-versions files again.
There may be other cleanups possible as well (in particular, I'm not
sure that all cases where the same "Earliest symbol set" information
is repeated for many different libraries actually should need to
repeat it rather than specifying it just once for DEFAULT for the
given configuration, and separately specifying any non-default choices
of soname).
Tested x86_64 that the installed shared libraries are unchanged by
this patch.
* sysdeps/aarch64/shlib-versions: Move to ...
* sysdeps/unix/sysv/linux/aarch64/shlib-versions: ... here.
* sysdeps/alpha/shlib-versions: Move to ...
* sysdeps/unix/sysv/linux/alpha/shlib-versions: ... here.
* sysdeps/arm/shlib-versions: Move to ...
* sysdeps/unix/sysv/linux/arm/shlib-versions: ... here.
* sysdeps/hppa/shlib-versions: Move all contents except for
libgcc_s entry to ...
* sysdeps/unix/sysv/linux/hppa/shlib-versions: ... here. Merge in
entry from ...
* sysdeps/hppa/nptl/shlib-versions: ... here. Remove file.
* sysdeps/ia64/shlib-versions: Move to ...
* sysdeps/unix/sysv/linux/ia64/shlib-versions: ... here. Merge in
entry from ...
* sysdeps/ia64/nptl/shlib-versions: ... here. Remove file.
* sysdeps/m68k/coldfire/shlib-versions: Move to ...
* sysdeps/unix/sysv/linux/m68k/coldfire/shlib-versions: ... here.
* sysdeps/microblaze/shlib-versions: Move to ...
* sysdeps/unix/sysv/linux/microblaze/shlib-versions: ... here.
* sysdeps/mips/shlib-versions: Move to ...
* sysdeps/unix/sysv/linux/mips/shlib-versions: ... here. Merge in
entry from ...
* sysdeps/mips/nptl/shlib-versions: ... here. Remove file.
* sysdeps/tile/shlib-versions: Move to ...
* sysdeps/unix/sysv/linux/tile/shlib-versions: ... here.
* sysdeps/unix/sysv/linux/x86_64/64/shlib-versions: Merge in entry
from ...
* sysdeps/x86_64/64/shlib-versions: ... here. Remove file.
* sysdeps/unix/sysv/linux/x86_64/x32/shlib-versions: Merge in
entry from ...
* sysdeps/x86_64/x32/shlib-versions: ... here. Remove file.
