glibc/elf/dl-tunables.list
Adhemerval Zanella 9c96c87d60 elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries
The tunable privilege levels were a retrofit to try and keep the malloc
tunable environment variables' behavior unchanged across security
boundaries.  However, CVE-2023-4911 shows how tricky tunable parsing
can be in a security-sensitive environment.

Not only parsing, but the malloc tunable essentially changes some
semantics on setuid/setgid processes.  Although it is not a direct
security issue, allowing users to change setuid/setgid semantics is not
a good security practice, and requires extra code and analysis to check
if each tunable is safe to use on all security boundaries.

It also means that security opt-in features, like aarch64 MTE, would
need to be explicitly enabled by an administrator with a wrapper script
or with a possible future system-wide tunable setting.

Co-authored-by: Siddhesh Poyarekar  <siddhesh@sourceware.org>
Reviewed-by: DJ Delorie <dj@redhat.com>
2023-11-21 16:15:42 -03:00


# Copyright (C) 2016-2023 Free Software Foundation, Inc.
# This file is part of the GNU C Library.
# The GNU C Library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
# The GNU C Library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public
# License along with the GNU C Library; if not, see
# <https://www.gnu.org/licenses/>.
# Allowed attributes for tunables:
#
# type: Defaults to STRING
# minval: Optional minimum acceptable value
# maxval: Optional maximum acceptable value
# default: Optional default value (used by several entries below)
# env_alias: An alias environment variable
# Top-level tunable namespace.  Entries nest as
#   top-namespace { namespace { tunable { attribute: value } } }
# so the first entry below is glibc.malloc.check.
#
# No entry in this list carries a per-tunable privilege attribute; every
# tunable is described only by type, bounds, default and env_alias.
# NOTE(review): env_alias gives a tunable a second input path through a
# legacy environment variable.  Confirm in the loader code that these
# aliases are filtered for setuid/setgid processes the same way
# GLIBC_TUNABLES is.
# NOTE(review): entries without minval/maxval declare no bounds here, so any
# limit on them must be enforced where the value is consumed -- verify.
glibc {
# glibc.malloc: allocator tunables.  Those with env_alias can also be set
# through the named MALLOC_* environment variable.
malloc {
# INT_32 restricted to 0..3; alias MALLOC_CHECK_.
check {
type: INT_32
minval: 0
maxval: 3
env_alias: MALLOC_CHECK_
}
# SIZE_T with default 131072 and no declared bounds; alias MALLOC_TOP_PAD_.
top_pad {
type: SIZE_T
env_alias: MALLOC_TOP_PAD_
default: 131072
}
# INT_32 restricted to 0..0xff (one byte's worth); alias MALLOC_PERTURB_.
perturb {
type: INT_32
minval: 0
maxval: 0xff
env_alias: MALLOC_PERTURB_
}
# SIZE_T with no declared bounds or default; alias MALLOC_MMAP_THRESHOLD_.
mmap_threshold {
type: SIZE_T
env_alias: MALLOC_MMAP_THRESHOLD_
}
# SIZE_T with no declared bounds or default; alias MALLOC_TRIM_THRESHOLD_.
trim_threshold {
type: SIZE_T
env_alias: MALLOC_TRIM_THRESHOLD_
}
# INT_32, lower bound 0, no declared upper bound; alias MALLOC_MMAP_MAX_.
mmap_max {
type: INT_32
env_alias: MALLOC_MMAP_MAX_
minval: 0
}
# SIZE_T, at least 1; alias MALLOC_ARENA_MAX (no trailing underscore).
arena_max {
type: SIZE_T
env_alias: MALLOC_ARENA_MAX
minval: 1
}
# SIZE_T, at least 1; alias MALLOC_ARENA_TEST (no trailing underscore).
arena_test {
type: SIZE_T
env_alias: MALLOC_ARENA_TEST
minval: 1
}
# The three tcache_* tunables are SIZE_T with no bounds, default or alias
# declared in this list.
tcache_max {
type: SIZE_T
}
tcache_count {
type: SIZE_T
}
tcache_unsorted_limit {
type: SIZE_T
}
# SIZE_T, lower bound 0, no declared upper bound.
mxfast {
type: SIZE_T
minval: 0
}
# SIZE_T, lower bound 0, no declared upper bound.
hugetlb {
type: SIZE_T
minval: 0
}
}
# glibc.cpu: a single tunable in this list.
cpu {
# UINT_64 bit mask; alias LD_HWCAP_MASK.  The default is the symbolic
# constant HWCAP_IMPORTANT, which is defined outside this file.
hwcap_mask {
type: UINT_64
env_alias: LD_HWCAP_MASK
default: HWCAP_IMPORTANT
}
}
# glibc.elision: all INT_32, none with an env_alias.
elision {
# Boolean-style switch: only 0 or 1 is accepted.
enable {
type: INT_32
minval: 0
maxval: 1
}
# The remaining elision tunables share one shape: default 3, lower bound 0,
# no declared upper bound.
skip_lock_busy {
type: INT_32
default: 3
minval: 0
}
skip_lock_internal_abort {
type: INT_32
default: 3
minval: 0
}
skip_lock_after_retries {
type: INT_32
default: 3
minval: 0
}
tries {
type: INT_32
default: 3
minval: 0
}
skip_trylock_internal_abort {
type: INT_32
default: 3
minval: 0
}
}
# glibc.rtld (first block; a second rtld block with dynamic_sort follows
# after mem).
rtld {
# SIZE_T restricted to 1..16, default 4.
nns {
type: SIZE_T
minval: 1
maxval: 16
default: 4
}
# SIZE_T, lower bound 0, default 512, no declared upper bound.
optional_static_tls {
type: SIZE_T
minval: 0
default: 512
}
}
# glibc.mem
mem {
# INT_32 restricted to 0..255.
# NOTE(review): presumably the memory-tagging (aarch64 MTE) opt-in that the
# commit message for this file refers to -- confirm against the manual.
tagging {
type: INT_32
minval: 0
maxval: 255
}
# Boolean-style switch: only 0 or 1 is accepted.
decorate_maps {
type: INT_32
minval: 0
maxval: 1
}
}
# Second glibc.rtld block, declared separately from the one holding nns and
# optional_static_tls.
rtld {
# INT_32 restricted to 1..2, default 2.
dynamic_sort {
type: INT_32
minval: 1
maxval: 2
default: 2
}
}
# glibc.gmon: both tunables are INT_32 with lower bound 50 and no declared
# upper bound.
gmon {
# Default equals the lower bound (50).
minarcs {
type: INT_32
minval: 50
default: 50
}
# Default 1048576.
maxarcs {
type: INT_32
minval: 50
default: 1048576
}
}
}