Add the LD_LIBRARY_PATH_FDS environmental variable.
This variable allows the loading of shared libraries via directory descriptors rather than via library paths. If LD_LIBRARY_PATH_FDS=3:4:12, the directories represented by file descriptors 3, 4 and 12 will be searched for shared libraries before the normal path-based mechanisms are used. This allows us to execute unprivileged binaries from within a Capsicum sandbox even if they require shared libraries. Approved by: rwatson (mentor) Reviewed by: kib MFC after: 3 weeks Sponsored by: DARPA/AFRL
This commit is contained in:
parent
eb0fb866de
commit
02d3b38e0a
@ -28,7 +28,7 @@
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd June 28, 2012
|
||||
.Dd June 20, 2014
|
||||
.Dt RTLD 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -192,6 +192,13 @@ the directories specified by
|
||||
will be searched first
|
||||
followed by the set of built-in standard directories.
|
||||
This variable is unset for set-user-ID and set-group-ID programs.
|
||||
.Ev LD_LIBRARY_PATH_FDS
|
||||
A colon separated list of file descriptor numbers for library directories.
|
||||
This is intended for use within
|
||||
.Xr capsicum 4
|
||||
sandboxes, when global namespaces such as the filesystem are unavailable.
|
||||
It is consulted just after LD_LIBRARY_PATH.
|
||||
This variable is unset for set-user-ID and set-group-ID programs.
|
||||
.It Ev LD_BIND_NOW
|
||||
When set to a nonempty string, causes
|
||||
.Nm
|
||||
@ -283,6 +290,7 @@ The libmap configuration file for 32-bit binaries on 64-bit system.
|
||||
.Sh SEE ALSO
|
||||
.Xr ld 1 ,
|
||||
.Xr ldd 1 ,
|
||||
.Xr capsicum 4 ,
|
||||
.Xr elf 5 ,
|
||||
.Xr libmap.conf 5 ,
|
||||
.Xr ldconfig 8
|
||||
|
@ -94,7 +94,7 @@ static bool donelist_check(DoneList *, const Obj_Entry *);
|
||||
static void errmsg_restore(char *);
|
||||
static char *errmsg_save(void);
|
||||
static void *fill_search_info(const char *, size_t, void *);
|
||||
static char *find_library(const char *, const Obj_Entry *);
|
||||
static char *find_library(const char *, const Obj_Entry *, int *);
|
||||
static const char *gethints(bool);
|
||||
static void init_dag(Obj_Entry *);
|
||||
static void init_pagesizes(Elf_Auxinfo **aux_info);
|
||||
@ -119,6 +119,7 @@ static void objlist_push_head(Objlist *, Obj_Entry *);
|
||||
static void objlist_push_tail(Objlist *, Obj_Entry *);
|
||||
static void objlist_put_after(Objlist *, Obj_Entry *, Obj_Entry *);
|
||||
static void objlist_remove(Objlist *, Obj_Entry *);
|
||||
static int parse_libdir(const char *);
|
||||
static void *path_enumerate(const char *, path_enum_proc, void *);
|
||||
static int relocate_object_dag(Obj_Entry *root, bool bind_now,
|
||||
Obj_Entry *rtldobj, int flags, RtldLockState *lockstate);
|
||||
@ -133,6 +134,7 @@ static int rtld_dirname_abs(const char *, char *);
|
||||
static void *rtld_dlopen(const char *name, int fd, int mode);
|
||||
static void rtld_exit(void);
|
||||
static char *search_library_path(const char *, const char *);
|
||||
static char *search_library_pathfds(const char *, const char *, int *);
|
||||
static const void **get_program_var_addr(const char *, RtldLockState *);
|
||||
static void set_program_var(const char *, const void *);
|
||||
static int symlook_default(SymLook *, const Obj_Entry *refobj);
|
||||
@ -178,6 +180,7 @@ static bool dangerous_ld_env; /* True if environment variables have been
|
||||
static char *ld_bind_now; /* Environment variable for immediate binding */
|
||||
static char *ld_debug; /* Environment variable for debugging */
|
||||
static char *ld_library_path; /* Environment variable for search path */
|
||||
static char *ld_library_dirs; /* Environment variable for library descriptors */
|
||||
static char *ld_preload; /* Environment variable for libraries to
|
||||
load first */
|
||||
static char *ld_elf_hints_path; /* Environment variable for alternative hints path */
|
||||
@ -401,7 +404,8 @@ _rtld(Elf_Addr *sp, func_ptr_type *exit_proc, Obj_Entry **objp)
|
||||
*/
|
||||
if (!trust) {
|
||||
if (unsetenv(LD_ "PRELOAD") || unsetenv(LD_ "LIBMAP") ||
|
||||
unsetenv(LD_ "LIBRARY_PATH") || unsetenv(LD_ "LIBMAP_DISABLE") ||
|
||||
unsetenv(LD_ "LIBRARY_PATH") || unsetenv(LD_ "LIBRARY_PATH_FDS") ||
|
||||
unsetenv(LD_ "LIBMAP_DISABLE") ||
|
||||
unsetenv(LD_ "DEBUG") || unsetenv(LD_ "ELF_HINTS_PATH") ||
|
||||
unsetenv(LD_ "LOADFLTR") || unsetenv(LD_ "LIBRARY_PATH_RPATH")) {
|
||||
_rtld_error("environment corrupt; aborting");
|
||||
@ -412,6 +416,7 @@ _rtld(Elf_Addr *sp, func_ptr_type *exit_proc, Obj_Entry **objp)
|
||||
libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL;
|
||||
libmap_override = getenv(LD_ "LIBMAP");
|
||||
ld_library_path = getenv(LD_ "LIBRARY_PATH");
|
||||
ld_library_dirs = getenv(LD_ "LIBRARY_PATH_FDS");
|
||||
ld_preload = getenv(LD_ "PRELOAD");
|
||||
ld_elf_hints_path = getenv(LD_ "ELF_HINTS_PATH");
|
||||
ld_loadfltr = getenv(LD_ "LOADFLTR") != NULL;
|
||||
@ -1417,6 +1422,7 @@ gnu_hash(const char *s)
|
||||
return (h & 0xffffffff);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Find the library with the given name, and return its full pathname.
|
||||
* The returned string is dynamically allocated. Generates an error
|
||||
@ -1425,6 +1431,10 @@ gnu_hash(const char *s)
|
||||
* If the second argument is non-NULL, then it refers to an already-
|
||||
* loaded shared object, whose library search path will be searched.
|
||||
*
|
||||
* If a library is successfully located via LD_LIBRARY_PATH_FDS, its
|
||||
* descriptor (which is close-on-exec) will be passed out via the third
|
||||
* argument.
|
||||
*
|
||||
* The search order is:
|
||||
* DT_RPATH in the referencing file _unless_ DT_RUNPATH is present (1)
|
||||
* DT_RPATH of the main object if DSO without defined DT_RUNPATH (1)
|
||||
@ -1437,7 +1447,7 @@ gnu_hash(const char *s)
|
||||
* (1) Handled in digest_dynamic2 - rpath left NULL if runpath defined.
|
||||
*/
|
||||
static char *
|
||||
find_library(const char *xname, const Obj_Entry *refobj)
|
||||
find_library(const char *xname, const Obj_Entry *refobj, int *fdp)
|
||||
{
|
||||
char *pathname;
|
||||
char *name;
|
||||
@ -1474,6 +1484,7 @@ find_library(const char *xname, const Obj_Entry *refobj)
|
||||
if ((pathname = search_library_path(name, ld_library_path)) != NULL ||
|
||||
(refobj != NULL &&
|
||||
(pathname = search_library_path(name, refobj->rpath)) != NULL) ||
|
||||
(pathname = search_library_pathfds(name, ld_library_dirs, fdp)) != NULL ||
|
||||
(pathname = search_library_path(name, gethints(false))) != NULL ||
|
||||
(pathname = search_library_path(name, STANDARD_LIBRARY_PATH)) != NULL)
|
||||
return (pathname);
|
||||
@ -1486,6 +1497,7 @@ find_library(const char *xname, const Obj_Entry *refobj)
|
||||
(pathname = search_library_path(name, ld_library_path)) != NULL ||
|
||||
(objgiven &&
|
||||
(pathname = search_library_path(name, refobj->runpath)) != NULL) ||
|
||||
(pathname = search_library_pathfds(name, ld_library_dirs, fdp)) != NULL ||
|
||||
(pathname = search_library_path(name, gethints(nodeflib))) != NULL ||
|
||||
(objgiven && !nodeflib &&
|
||||
(pathname = search_library_path(name, STANDARD_LIBRARY_PATH)) != NULL))
|
||||
@ -2085,18 +2097,25 @@ load_object(const char *name, int fd_u, const Obj_Entry *refobj, int flags)
|
||||
struct stat sb;
|
||||
char *path;
|
||||
|
||||
fd = -1;
|
||||
if (name != NULL) {
|
||||
for (obj = obj_list->next; obj != NULL; obj = obj->next) {
|
||||
if (object_match_name(obj, name))
|
||||
return (obj);
|
||||
}
|
||||
|
||||
path = find_library(name, refobj);
|
||||
path = find_library(name, refobj, &fd);
|
||||
if (path == NULL)
|
||||
return (NULL);
|
||||
} else
|
||||
path = NULL;
|
||||
|
||||
if (fd >= 0) {
|
||||
/*
|
||||
* search_library_pathfds() opens a fresh file descriptor for the
|
||||
* library, so there is no need to dup().
|
||||
*/
|
||||
} else if (fd_u == -1) {
|
||||
/*
|
||||
* If we didn't find a match by pathname, or the name is not
|
||||
* supplied, open the file and check again by device and inode.
|
||||
@ -2106,8 +2125,6 @@ load_object(const char *name, int fd_u, const Obj_Entry *refobj, int flags)
|
||||
* To avoid a race, we open the file and use fstat() rather than
|
||||
* using stat().
|
||||
*/
|
||||
fd = -1;
|
||||
if (fd_u == -1) {
|
||||
if ((fd = open(path, O_RDONLY | O_CLOEXEC)) == -1) {
|
||||
_rtld_error("Cannot open \"%s\"", path);
|
||||
free(path);
|
||||
@ -2745,6 +2762,69 @@ search_library_path(const char *name, const char *path)
|
||||
return (p);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Finds the library with the given name using the directory descriptors
|
||||
* listed in the LD_LIBRARY_PATH_FDS environment variable.
|
||||
*
|
||||
* Returns a freshly-opened close-on-exec file descriptor for the library,
|
||||
* or -1 if the library cannot be found.
|
||||
*/
|
||||
static char *
|
||||
search_library_pathfds(const char *name, const char *path, int *fdp)
|
||||
{
|
||||
char *envcopy, *fdstr, *found, *last_token;
|
||||
size_t len;
|
||||
int dirfd, fd;
|
||||
|
||||
dbg("%s('%s', '%s', fdp)\n", __func__, name, path);
|
||||
|
||||
/* Don't load from user-specified libdirs into setuid binaries. */
|
||||
if (!trust)
|
||||
return (NULL);
|
||||
|
||||
/* We can't do anything if LD_LIBRARY_PATH_FDS isn't set. */
|
||||
if (path == NULL)
|
||||
return (NULL);
|
||||
|
||||
/* LD_LIBRARY_PATH_FDS only works with relative paths. */
|
||||
if (name[0] == '/') {
|
||||
dbg("Absolute path (%s) passed to %s", name, __func__);
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
/*
|
||||
* Use strtok_r() to walk the FD:FD:FD list. This requires a local
|
||||
* copy of the path, as strtok_r rewrites separator tokens
|
||||
* with '\0'.
|
||||
*/
|
||||
found = NULL;
|
||||
envcopy = xstrdup(path);
|
||||
for (fdstr = strtok_r(envcopy, ":", &last_token); fdstr != NULL;
|
||||
fdstr = strtok_r(NULL, ":", &last_token)) {
|
||||
dirfd = parse_libdir(fdstr);
|
||||
if (dirfd < 0)
|
||||
break;
|
||||
fd = openat(dirfd, name, O_RDONLY | O_CLOEXEC);
|
||||
if (fd >= 0) {
|
||||
*fdp = fd;
|
||||
len = strlen(fdstr) + strlen(name) + 3;
|
||||
found = xmalloc(len);
|
||||
if (rtld_snprintf(found, len, "#%d/%s", dirfd, name) < 0) {
|
||||
_rtld_error("error generating '%d/%s'",
|
||||
dirfd, name);
|
||||
die();
|
||||
}
|
||||
dbg("open('%s') => %d", found, fd);
|
||||
break;
|
||||
}
|
||||
}
|
||||
free(envcopy);
|
||||
|
||||
return (found);
|
||||
}
|
||||
|
||||
|
||||
int
|
||||
dlclose(void *handle)
|
||||
{
|
||||
@ -4835,6 +4915,36 @@ symlook_init_from_req(SymLook *dst, const SymLook *src)
|
||||
dst->lockstate = src->lockstate;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Parse a file descriptor number without pulling in more of libc (e.g. atoi).
|
||||
*/
|
||||
static int
|
||||
parse_libdir(const char *str)
|
||||
{
|
||||
static const int RADIX = 10; /* XXXJA: possibly support hex? */
|
||||
const char *orig;
|
||||
int fd;
|
||||
char c;
|
||||
|
||||
orig = str;
|
||||
fd = 0;
|
||||
for (c = *str; c != '\0'; c = *++str) {
|
||||
if (c < '0' || c > '9')
|
||||
return (-1);
|
||||
|
||||
fd *= RADIX;
|
||||
fd += c - '0';
|
||||
}
|
||||
|
||||
/* Make sure we actually parsed something. */
|
||||
if (str == orig) {
|
||||
_rtld_error("failed to parse directory FD from '%s'", str);
|
||||
return (-1);
|
||||
}
|
||||
return (fd);
|
||||
}
|
||||
|
||||
/*
|
||||
* Overrides for libc_pic-provided functions.
|
||||
*/
|
||||
|
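Review bot: parse_libdir, in the last hunk of this file, accumulates the descriptor number into a signed `int` with no bound, so a token of eleven or more digits overflows `fd` (undefined behaviour; a wrapped non-negative result would then be handed to openat() in search_library_pathfds as though it were a real descriptor). Guard before the multiply, `if (fd > (INT_MAX - (c - '0')) / RADIX) return (-1);` inserted just above `fd *= RADIX;` (INT_MAX needs <limits.h> if rtld.c does not already include it). Separately, the two find_library hunks consult `ld_library_dirs` after refobj->rpath / refobj->runpath, whereas the rtld.1 text in this commit says the variable is consulted just after LD_LIBRARY_PATH, and the "search order" list in the find_library header comment does not appear to gain an entry in the visible lines; one of the two should be corrected so the documented order matches the code. In search_library_pathfds a single unparsable token makes the loop `break` and silently skip every later descriptor with only a dbg() trace; reporting it via _rtld_error (which parse_libdir already does only for the empty-string case) would make a misconfigured list easier to diagnose.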
@ -428,6 +428,18 @@ number:
|
||||
#undef PCHAR
|
||||
}
|
||||
|
||||
int
|
||||
rtld_snprintf(char *buf, size_t bufsize, const char *fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
int retval;
|
||||
|
||||
va_start(ap, fmt);
|
||||
retval = rtld_vsnprintf(buf, bufsize, fmt, ap);
|
||||
va_end(ap);
|
||||
return (retval);
|
||||
}
|
||||
|
||||
int
|
||||
rtld_vsnprintf(char *buf, size_t bufsize, const char *fmt, va_list ap)
|
||||
{
|
||||
|
@ -31,6 +31,8 @@
|
||||
#include <sys/cdefs.h>
|
||||
#include <unistd.h>
|
||||
|
||||
int rtld_snprintf(char *buf, size_t bufsize, const char *fmt, ...)
|
||||
__printflike(3, 4);
|
||||
int rtld_vsnprintf(char *buf, size_t bufsize, const char *fmt, va_list ap);
|
||||
int rtld_vfdprintf(int fd, const char *fmt, va_list ap);
|
||||
int rtld_fdprintf(int fd, const char *fmt, ...) __printflike(2, 3);
|
||||
|