53 lines
1.9 KiB
Diff
53 lines
1.9 KiB
Diff
commit 4a133885a7c8ae7ebe34e36fcdb353f8e94c810f
|
|
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
|
|
Date: Mon Nov 6 17:25:45 2023 -0300
|
|
|
|
elf: Ignore LD_PROFILE for setuid binaries
|
|
|
|
Loader does not ignore LD_PROFILE in secure-execution mode (different
|
|
than man-page states [1]), rather it uses a different path
|
|
(/var/profile) and ignore LD_PROFILE_OUTPUT.
|
|
|
|
Allowing secure-execution profiling is already a non good security
|
|
boundary, since it enables different code paths and extra OS access by
|
|
the process. But by ignoring LD_PROFILE_OUTPUT, the resulting profile
|
|
file might also be acceded in a racy manner since the file name does not
|
|
use any process-specific information (such as pid, timing, etc.).
|
|
|
|
Another side-effect is it forces lazy binding even on libraries that
|
|
might be with DF_BIND_NOW.
|
|
|
|
[1] https://man7.org/linux/man-pages/man8/ld.so.8.html
|
|
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
|
|
|
Conflicts:
|
|
elf/Makefile
|
|
elf/tst-env-setuid.c
|
|
(test does not have LD_PROFILE support downstream)
|
|
|
|
diff --git a/elf/rtld.c b/elf/rtld.c
|
|
index 1fbfc65a38e19110..44546e8e158e7b9c 100644
|
|
--- a/elf/rtld.c
|
|
+++ b/elf/rtld.c
|
|
@@ -2761,10 +2761,6 @@ process_envvars (struct dl_main_state *state)
|
|
char *envline;
|
|
char *debug_output = NULL;
|
|
|
|
- /* This is the default place for profiling data file. */
|
|
- GLRO(dl_profile_output)
|
|
- = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0];
|
|
-
|
|
while ((envline = _dl_next_ld_env_entry (&runp)) != NULL)
|
|
{
|
|
size_t len = 0;
|
|
@@ -2813,7 +2809,8 @@ process_envvars (struct dl_main_state *state)
|
|
}
|
|
|
|
/* Which shared object shall be profiled. */
|
|
- if (memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0')
|
|
+ if (!__libc_enable_secure
|
|
+ && memcmp (envline, "PROFILE", 7) == 0 && envline[8] != '\0')
|
|
GLRO(dl_profile) = &envline[8];
|
|
break;
|
|
|