Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 20 Jun 2014 17:08:32 +0000 (UTC)
From:      Jonathan Anderson <jonathan@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r267678 - head/libexec/rtld-elf
Message-ID:  <201406201708.s5KH8WVP017030@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: jonathan
Date: Fri Jun 20 17:08:32 2014
New Revision: 267678
URL: http://svnweb.freebsd.org/changeset/base/267678

Log:
  Add the LD_LIBRARY_PATH_FDS environmental variable.
  
  This variable allows the loading of shared libraries via directory descriptors
  rather than via library paths.  If LD_LIBRARY_PATH_FDS=3:4:12, the directories
  represented by file descriptors 3, 4 and 12 will searched for shared libraries
  before the normal path-based mechanisms are used.  This allows us to execute
  unprivileged binaries from within a Capsicum sandbox even if they require
  shared libraries.
  
  Approved by:	rwatson (mentor)
  Reviewed by:	kib
  MFC after:	3 weeks
  Sponsored by:	DARPA/AFRL

Modified:
  head/libexec/rtld-elf/rtld.1
  head/libexec/rtld-elf/rtld.c
  head/libexec/rtld-elf/rtld_printf.c
  head/libexec/rtld-elf/rtld_printf.h

Modified: head/libexec/rtld-elf/rtld.1
==============================================================================
--- head/libexec/rtld-elf/rtld.1	Fri Jun 20 15:43:58 2014	(r267677)
+++ head/libexec/rtld-elf/rtld.1	Fri Jun 20 17:08:32 2014	(r267678)
@@ -28,7 +28,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 28, 2012
+.Dd June 20, 2014
 .Dt RTLD 1
 .Os
 .Sh NAME
@@ -192,6 +192,13 @@ the directories specified by
 will be searched first
 followed by the set of built-in standard directories.
 This variable is unset for set-user-ID and set-group-ID programs.
+.Ev LD_LIBRARY_PATH_FDS
+A colon separated list of file descriptor numbers for library directories.
+This is intended for use within
+.Xr capsicum 4
+sandboxes, when global namespaces such as the filesystem are unavailable.
+It is consulted just after LD_LIBRARY_PATH.
+This variable is unset for set-user-ID and set-group-ID programs.
 .It Ev LD_BIND_NOW
 When set to a nonempty string, causes
 .Nm
@@ -283,6 +290,7 @@ The libmap configuration file for 32-bit
 .Sh SEE ALSO
 .Xr ld 1 ,
 .Xr ldd 1 ,
+.Xr capsicum 4 ,
 .Xr elf 5 ,
 .Xr libmap.conf 5 ,
 .Xr ldconfig 8

Modified: head/libexec/rtld-elf/rtld.c
==============================================================================
--- head/libexec/rtld-elf/rtld.c	Fri Jun 20 15:43:58 2014	(r267677)
+++ head/libexec/rtld-elf/rtld.c	Fri Jun 20 17:08:32 2014	(r267678)
@@ -94,7 +94,7 @@ static bool donelist_check(DoneList *, c
 static void errmsg_restore(char *);
 static char *errmsg_save(void);
 static void *fill_search_info(const char *, size_t, void *);
-static char *find_library(const char *, const Obj_Entry *);
+static char *find_library(const char *, const Obj_Entry *, int *);
 static const char *gethints(bool);
 static void init_dag(Obj_Entry *);
 static void init_pagesizes(Elf_Auxinfo **aux_info);
@@ -119,6 +119,7 @@ static void objlist_push_head(Objlist *,
 static void objlist_push_tail(Objlist *, Obj_Entry *);
 static void objlist_put_after(Objlist *, Obj_Entry *, Obj_Entry *);
 static void objlist_remove(Objlist *, Obj_Entry *);
+static int parse_libdir(const char *);
 static void *path_enumerate(const char *, path_enum_proc, void *);
 static int relocate_object_dag(Obj_Entry *root, bool bind_now,
     Obj_Entry *rtldobj, int flags, RtldLockState *lockstate);
@@ -133,6 +134,7 @@ static int rtld_dirname_abs(const char *
 static void *rtld_dlopen(const char *name, int fd, int mode);
 static void rtld_exit(void);
 static char *search_library_path(const char *, const char *);
+static char *search_library_pathfds(const char *, const char *, int *);
 static const void **get_program_var_addr(const char *, RtldLockState *);
 static void set_program_var(const char *, const void *);
 static int symlook_default(SymLook *, const Obj_Entry *refobj);
@@ -178,6 +180,7 @@ static bool dangerous_ld_env;	/* True if
 static char *ld_bind_now;	/* Environment variable for immediate binding */
 static char *ld_debug;		/* Environment variable for debugging */
 static char *ld_library_path;	/* Environment variable for search path */
+static char *ld_library_dirs;	/* Environment variable for library descriptors */
 static char *ld_preload;	/* Environment variable for libraries to
 				   load first */
 static char *ld_elf_hints_path;	/* Environment variable for alternative hints path */
@@ -401,7 +404,8 @@ _rtld(Elf_Addr *sp, func_ptr_type *exit_
      */
     if (!trust) {
         if (unsetenv(LD_ "PRELOAD") || unsetenv(LD_ "LIBMAP") ||
-	    unsetenv(LD_ "LIBRARY_PATH") || unsetenv(LD_ "LIBMAP_DISABLE") ||
+	    unsetenv(LD_ "LIBRARY_PATH") || unsetenv(LD_ "LIBRARY_PATH_FDS") ||
+	    unsetenv(LD_ "LIBMAP_DISABLE") ||
 	    unsetenv(LD_ "DEBUG") || unsetenv(LD_ "ELF_HINTS_PATH") ||
 	    unsetenv(LD_ "LOADFLTR") || unsetenv(LD_ "LIBRARY_PATH_RPATH")) {
 		_rtld_error("environment corrupt; aborting");
@@ -412,6 +416,7 @@ _rtld(Elf_Addr *sp, func_ptr_type *exit_
     libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL;
     libmap_override = getenv(LD_ "LIBMAP");
     ld_library_path = getenv(LD_ "LIBRARY_PATH");
+    ld_library_dirs = getenv(LD_ "LIBRARY_PATH_FDS");
     ld_preload = getenv(LD_ "PRELOAD");
     ld_elf_hints_path = getenv(LD_ "ELF_HINTS_PATH");
     ld_loadfltr = getenv(LD_ "LOADFLTR") != NULL;
@@ -1417,6 +1422,7 @@ gnu_hash(const char *s)
 	return (h & 0xffffffff);
 }
 
+
 /*
  * Find the library with the given name, and return its full pathname.
  * The returned string is dynamically allocated.  Generates an error
@@ -1425,6 +1431,10 @@ gnu_hash(const char *s)
  * If the second argument is non-NULL, then it refers to an already-
  * loaded shared object, whose library search path will be searched.
  *
+ * If a library is successfully located via LD_LIBRARY_PATH_FDS, its
+ * descriptor (which is close-on-exec) will be passed out via the third
+ * argument.
+ *
  * The search order is:
  *   DT_RPATH in the referencing file _unless_ DT_RUNPATH is present (1)
  *   DT_RPATH of the main object if DSO without defined DT_RUNPATH (1)
@@ -1437,7 +1447,7 @@ gnu_hash(const char *s)
  * (1) Handled in digest_dynamic2 - rpath left NULL if runpath defined.
  */
 static char *
-find_library(const char *xname, const Obj_Entry *refobj)
+find_library(const char *xname, const Obj_Entry *refobj, int *fdp)
 {
     char *pathname;
     char *name;
@@ -1474,6 +1484,7 @@ find_library(const char *xname, const Ob
 	if ((pathname = search_library_path(name, ld_library_path)) != NULL ||
 	  (refobj != NULL &&
 	  (pathname = search_library_path(name, refobj->rpath)) != NULL) ||
+	  (pathname = search_library_pathfds(name, ld_library_dirs, fdp)) != NULL ||
           (pathname = search_library_path(name, gethints(false))) != NULL ||
 	  (pathname = search_library_path(name, STANDARD_LIBRARY_PATH)) != NULL)
 	    return (pathname);
@@ -1486,6 +1497,7 @@ find_library(const char *xname, const Ob
 	  (pathname = search_library_path(name, ld_library_path)) != NULL ||
 	  (objgiven &&
 	  (pathname = search_library_path(name, refobj->runpath)) != NULL) ||
+	  (pathname = search_library_pathfds(name, ld_library_dirs, fdp)) != NULL ||
 	  (pathname = search_library_path(name, gethints(nodeflib))) != NULL ||
 	  (objgiven && !nodeflib &&
 	  (pathname = search_library_path(name, STANDARD_LIBRARY_PATH)) != NULL))
@@ -2085,29 +2097,34 @@ load_object(const char *name, int fd_u, 
     struct stat sb;
     char *path;
 
+    fd = -1;
     if (name != NULL) {
 	for (obj = obj_list->next;  obj != NULL;  obj = obj->next) {
 	    if (object_match_name(obj, name))
 		return (obj);
 	}
 
-	path = find_library(name, refobj);
+	path = find_library(name, refobj, &fd);
 	if (path == NULL)
 	    return (NULL);
     } else
 	path = NULL;
 
-    /*
-     * If we didn't find a match by pathname, or the name is not
-     * supplied, open the file and check again by device and inode.
-     * This avoids false mismatches caused by multiple links or ".."
-     * in pathnames.
-     *
-     * To avoid a race, we open the file and use fstat() rather than
-     * using stat().
-     */
-    fd = -1;
-    if (fd_u == -1) {
+    if (fd >= 0) {
+	/*
+	 * search_library_pathfds() opens a fresh file descriptor for the
+	 * library, so there is no need to dup().
+	 */
+    } else if (fd_u == -1) {
+	/*
+	 * If we didn't find a match by pathname, or the name is not
+	 * supplied, open the file and check again by device and inode.
+	 * This avoids false mismatches caused by multiple links or ".."
+	 * in pathnames.
+	 *
+	 * To avoid a race, we open the file and use fstat() rather than
+	 * using stat().
+	 */
 	if ((fd = open(path, O_RDONLY | O_CLOEXEC)) == -1) {
 	    _rtld_error("Cannot open \"%s\"", path);
 	    free(path);
@@ -2745,6 +2762,69 @@ search_library_path(const char *name, co
     return (p);
 }
 
+
+/*
+ * Finds the library with the given name using the directory descriptors
+ * listed in the LD_LIBRARY_PATH_FDS environment variable.
+ *
+ * Returns a freshly-opened close-on-exec file descriptor for the library,
+ * or -1 if the library cannot be found.
+ */
+static char *
+search_library_pathfds(const char *name, const char *path, int *fdp)
+{
+	char *envcopy, *fdstr, *found, *last_token;
+	size_t len;
+	int dirfd, fd;
+
+	dbg("%s('%s', '%s', fdp)\n", __func__, name, path);
+
+	/* Don't load from user-specified libdirs into setuid binaries. */
+	if (!trust)
+		return (NULL);
+
+	/* We can't do anything if LD_LIBRARY_PATH_FDS isn't set. */
+	if (path == NULL)
+		return (NULL);
+
+	/* LD_LIBRARY_PATH_FDS only works with relative paths. */
+	if (name[0] == '/') {
+		dbg("Absolute path (%s) passed to %s", name, __func__);
+		return (NULL);
+	}
+
+	/*
+	 * Use strtok_r() to walk the FD:FD:FD list.  This requires a local
+	 * copy of the path, as strtok_r rewrites separator tokens
+	 * with '\0'.
+	 */
+	found = NULL;
+	envcopy = xstrdup(path);
+	for (fdstr = strtok_r(envcopy, ":", &last_token); fdstr != NULL;
+	    fdstr = strtok_r(NULL, ":", &last_token)) {
+		dirfd = parse_libdir(fdstr);
+		if (dirfd < 0)
+			break;
+		fd = openat(dirfd, name, O_RDONLY | O_CLOEXEC);
+		if (fd >= 0) {
+			*fdp = fd;
+			len = strlen(fdstr) + strlen(name) + 3;
+			found = xmalloc(len);
+			if (rtld_snprintf(found, len, "#%d/%s", dirfd, name) < 0) {
+				_rtld_error("error generating '%d/%s'",
+				    dirfd, name);
+				die();
+			}
+			dbg("open('%s') => %d", found, fd);
+			break;
+		}
+	}
+	free(envcopy);
+
+	return (found);
+}
+
+
 int
 dlclose(void *handle)
 {
@@ -4835,6 +4915,36 @@ symlook_init_from_req(SymLook *dst, cons
 	dst->lockstate = src->lockstate;
 }
 
+
+/*
+ * Parse a file descriptor number without pulling in more of libc (e.g. atoi).
+ */
+static int
+parse_libdir(const char *str)
+{
+	static const int RADIX = 10;  /* XXXJA: possibly support hex? */
+	const char *orig;
+	int fd;
+	char c;
+
+	orig = str;
+	fd = 0;
+	for (c = *str; c != '\0'; c = *++str) {
+		if (c < '0' || c > '9')
+			return (-1);
+
+		fd *= RADIX;
+		fd += c - '0';
+	}
+
+	/* Make sure we actually parsed something. */
+	if (str == orig) {
+		_rtld_error("failed to parse directory FD from '%s'", str);
+		return (-1);
+	}
+	return (fd);
+}
+
 /*
  * Overrides for libc_pic-provided functions.
  */

Modified: head/libexec/rtld-elf/rtld_printf.c
==============================================================================
--- head/libexec/rtld-elf/rtld_printf.c	Fri Jun 20 15:43:58 2014	(r267677)
+++ head/libexec/rtld-elf/rtld_printf.c	Fri Jun 20 17:08:32 2014	(r267678)
@@ -429,6 +429,18 @@ number:
 }
 
 int
+rtld_snprintf(char *buf, size_t bufsize, const char *fmt, ...)
+{
+	va_list ap;
+	int retval;
+
+	va_start(ap, fmt);
+	retval = rtld_vsnprintf(buf, bufsize, fmt, ap);
+	va_end(ap);
+	return (retval);
+}
+
+int
 rtld_vsnprintf(char *buf, size_t bufsize, const char *fmt, va_list ap)
 {
 	struct snprintf_arg info;

Modified: head/libexec/rtld-elf/rtld_printf.h
==============================================================================
--- head/libexec/rtld-elf/rtld_printf.h	Fri Jun 20 15:43:58 2014	(r267677)
+++ head/libexec/rtld-elf/rtld_printf.h	Fri Jun 20 17:08:32 2014	(r267678)
@@ -31,6 +31,8 @@
 #include <sys/cdefs.h>
 #include <unistd.h>
 
+int rtld_snprintf(char *buf, size_t bufsize, const char *fmt, ...)
+    __printflike(3, 4);
 int rtld_vsnprintf(char *buf, size_t bufsize, const char *fmt, va_list ap);
 int rtld_vfdprintf(int fd, const char *fmt, va_list ap);
 int rtld_fdprintf(int fd, const char *fmt, ...) __printflike(2, 3);



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201406201708.s5KH8WVP017030>