diff options
| author | Adhemerval Zanella <adhemerval.zanella@linaro.org> | 2023-11-06 17:25:36 -0300 |
|---|---|---|
| committer | Adhemerval Zanella <adhemerval.zanella@linaro.org> | 2023-11-21 16:15:42 -0300 |
| commit | 9c96c87d60eafa4d78406e606e92b42bd4b570ad (patch) | |
| tree | f2b1db62e65cdf8cae4e058bea8e40aae847dc16 /elf/tst-env-setuid-tunables.c | |
| parent | a72a4eb10b2d9aef7a53f9d2facf166a685d85fb (diff) | |
| download | glibc-9c96c87d60eafa4d78406e606e92b42bd4b570ad.tar.gz glibc-9c96c87d60eafa4d78406e606e92b42bd4b570ad.tar.xz glibc-9c96c87d60eafa4d78406e606e92b42bd4b570ad.zip | |
elf: Ignore GLIBC_TUNABLES for setuid/setgid binaries
The tunable privilege levels were a retrofit to try and keep the malloc tunable environment variables' behavior unchanged across security boundaries. However, CVE-2023-4911 shows how tricky can be tunable parsing in a security-sensitive environment. Not only parsing, but the malloc tunable essentially changes some semantics on setuid/setgid processes. Although it is not a direct security issue, allowing users to change setuid/setgid semantics is not a good security practice, and requires extra code and analysis to check if each tunable is safe to use on all security boundaries. It also means that security opt-in features, like aarch64 MTE, would need to be explicit enabled by an administrator with a wrapper script or with a possible future system-wide tunable setting. Co-authored-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
Diffstat (limited to 'elf/tst-env-setuid-tunables.c')
| -rw-r--r-- | elf/tst-env-setuid-tunables.c | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c index 2603007b7b..ca02dbba58 100644 --- a/elf/tst-env-setuid-tunables.c +++ b/elf/tst-env-setuid-tunables.c @@ -15,14 +15,10 @@ License along with the GNU C Library; if not, see <https://www.gnu.org/licenses/>. */ -/* Verify that tunables correctly filter out unsafe tunables like - glibc.malloc.check and glibc.malloc.mmap_threshold but also retain - glibc.malloc.mmap_threshold in an unprivileged child. */ - -#define _LIBC 1 -#include "config.h" -#undef _LIBC +/* Verify that GLIBC_TUNABLES is kept unchanged but no tunable is actually + enabled for AT_SECURE processes. */ +#include <dl-tunables.h> #include <errno.h> #include <fcntl.h> #include <stdlib.h> @@ -40,7 +36,7 @@ #include <support/test-driver.h> #include <support/capture_subprocess.h> -const char *teststrings[] = +static const char *teststrings[] = { "glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096", "glibc.malloc.check=2:glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096", @@ -74,6 +70,23 @@ test_child (int off) ret = 0; fflush (stdout); + /* Also check if the set tunables are effectively unchanged. */ + int32_t check = TUNABLE_GET_FULL (glibc, malloc, check, int32_t, NULL); + size_t mmap_threshold = TUNABLE_GET_FULL (glibc, malloc, mmap_threshold, + size_t, NULL); + int32_t perturb = TUNABLE_GET_FULL (glibc, malloc, perturb, int32_t, NULL); + + printf (" [%d] glibc.malloc.check=%d\n", off, check); + fflush (stdout); + printf (" [%d] glibc.malloc.mmap_threshold=%zu\n", off, mmap_threshold); + fflush (stdout); + printf (" [%d] glibc.malloc.perturb=%d\n", off, perturb); + fflush (stdout); + + ret |= check != 0; + ret |= mmap_threshold != 0; + ret |= perturb != 0; + return ret; } |