Date: Fri, 7 Feb 2025 05:07:59 +0200
From: Konstantin Belousov <kostikbel@gmail.com>
To: Vinícius dos Santos Oliveira <vini.ipsmaker@gmail.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Capsicum and weak libc symbols
Message-ID: <Z6V5D6mn6XbBt1n7@kib.kiev.ua>
In-Reply-To: <CAK9Rve%2BftgxgbgHmVe=dDF_9kASDsqP=0Lxnj%2BEsOquZXtFcaw@mail.gmail.com>
References: <CAK9Rve%2BftgxgbgHmVe=dDF_9kASDsqP=0Lxnj%2BEsOquZXtFcaw@mail.gmail.com>
On Thu, Feb 06, 2025 at 10:40:52PM -0300, Vinícius dos Santos Oliveira wrote:
> Static builds for libc have many symbols declared as weak so other
> projects can override them not only in dynamic builds by just defining
> the same name. In a project of mine, I need more functions from libc
> to be declared this way.
>
> For context, Capsicum disables access to ambient authority and forces
> users to come up with capability-aware versions of old functions.
> Libcasper is a library found in FreeBSD that offers capability-aware
> versions of the most used functions in Capsicum sandboxes (e.g.
> cap_getaddrinfo). However libcasper doesn't override functions from
> libc and one has to rewrite old code just to inject an extra parameter
> (cap_channel_t) that in the end could just act as a global variable
> anyway.
>
> Some projects such as Val Packett's Capsicumizer[1][2] interpose
> functions from libc so old code can keep working in Capsicum
> sandboxes. It's not really very useful to use Capsicum + libc
> interposition to virtualize access to OS resources. If the intention
> is just to run something akin to containers, one is better off using
> jails. However it's still useful to interpose certain functions from
> libc to make strategic use of existing libraries.
>
> I developed an easy-to-use Lua library that allows one to implement
> policies for libc functions that are interposed by my project[3][4]. I
> intend to use this library to implement IM clients (e.g. Telegram[6],
> nostr) that run media parsers and user-downloaded extensions within
> sandboxes. Eventually I want to run even torrent clients making use of
> Capsicum sandboxes, but I'm still far from this milestone. While I was
> exploring this approach, I missed weak attributes for the following
> functions from libc that I'd like to interpose:
>
> * remove()
> * stat()
> * lstat()
> * opendir()
> * getaddrinfo()
>
> I'll also need symbol aliases (e.g. __sys_getaddrinfo) that point to
> the original definition of these functions so I can refer to them from
> my interposers. What is the process within FreeBSD to decide which
> libc functions are targets for interposition (hence will have an alias
> + weak attribute on static builds)? I'd like to request a change in
> libc so the above functions are defined as weak in static builds +
> aliases become available. I've been interposing these functions in
> Linux already with little to no problem[7][8]. I'm also trying to
> unify sandbox creation for Linux/FreeBSD so Linux developers can
> create sandboxing-employing apps that work on FreeBSD with no changes.
>
> [1] https://github.com/valpackett/capsicumizer
> [2] https://val.packett.cool/blog/use-openat/
> [3] https://gitlab.com/emilua/emilua/-/blob/dc2b50e1f68d1c1e1696a5d150f23a7b88cc8efd/test/libc_service_getaddrinfo.lua
> [4] https://gitlab.com/emilua/emilua/-/blob/dc2b50e1f68d1c1e1696a5d150f23a7b88cc8efd/test/libc_service_cat.lua
> [5] https://gitlab.com/emilua/emilua/-/blob/v0.11.0/src/freebsd/libc_service.cpp
> [6] https://github.com/tdlib/td
> [7] https://gitlab.com/emilua/emilua/-/blob/v0.11.0/src/linux/glibc/libc_service.cpp
> [8] https://gitlab.com/emilua/emilua/-/blob/emilua-0.11.x/test/libc_service_lstat1.lua

The purpose of the weak attribute is to allow the weak symbol to be
undefined. It is not about the order of resolution (by default our rtld
indeed prefers non-weak over weak, but it is a bug, and there is a knob to
turn this behavior off).

If you need to interpose a symbol, just link the interposing object before
the object that supplies the symbol to be preempted by your definition.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Z6V5D6mn6XbBt1n7>