* Re: [PATCH] ld.so.8: Document LD_AUDIT
@ 2008-12-19 21:20 Michael Kerrisk
From: Michael Kerrisk @ 2008-12-19 21:20 UTC
To: Petr Baudis; +Cc: linux-man-u79uwXL29TY76Z2rM5mHXA
[Was: Re: [PATCH] ld.so.8: Document LD_AUDIT and LD_POINTER_GUARD]
Hi Petr,
On Sun, Dec 7, 2008 at 1:28 PM, Petr Baudis <pasky-AlSwsSmVLrQ@public.gmane.org> wrote:
> I was using existing comments, mailing list posts, and mainly the glibc
> source code as a reference. I'm not sure if LD_AUDIT is 100% compatible
> with Solaris but aside of the header names, it appears to be, based on
> quick comparison.
Yes, it looks very close to me as well -- though there certainly
seem to be some differences, such as the absence of la_objfilter() for
glibc, and the addition of LA_SYMB_STRUCTCALL. I've done a little
playing around with the API, and things seem to work as expected from
reading the Solaris docs.
> Signed-off-by: Petr Baudis <pasky-AlSwsSmVLrQ@public.gmane.org>
>
> diff --git a/man8/ld.so.8 b/man8/ld.so.8
> index 6ca9a8c..69827f9 100644
> --- a/man8/ld.so.8
> +++ b/man8/ld.so.8
> @@ -1,5 +1,9 @@
> .\" This is in the public domain
> -.TH LD.SO 8 2008-10-27 "GNU" "Linux Programmer's Manual"
> +.\"
> +.\" 2008-12-07 Petr Baudis <pasky-AlSwsSmVLrQ@public.gmane.org>
> +.\" Document LD_AUDIT and LD_POINTER_GUARD
> +.\"
> +.TH LD.SO 8 2008-12-07 "GNU" "Linux Programmer's Manual"
> .SH NAME
> ld.so, ld-linux.so* \- dynamic linker/loader
> .SH SYNOPSIS
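Review bot: The changelog comment added above .TH names both LD_AUDIT and LD_POINTER_GUARD, but the hunks quoted in this message only add text for LD_AUDIT. If the LD_POINTER_GUARD part is being handled separately, as the retitled subject suggests, the comment should read "Document LD_AUDIT" so the file's history matches what the patch changes.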
> @@ -177,13 +181,25 @@ Version of
> for a.out binaries only.
> Old versions of ld\-linux.so.1 also supported
> .BR LD_ELF_PRELOAD .
> -.\" FIXME
> -.\" Document LD_AUDIT ("Install audit libraries for glibc")
> -.\" new in glibc 2.4
> -.\" ignored in set-user-ID and set-group-ID programs
> -.\"
> -.\" For some info, see Solaris Linker and Libraries Guide,
> -.\" "Runtime Linker Auditing Interface"
> +.TP
> +.B LD_AUDIT
> +(glibc since 2.4)
> +A colon-separated list of additional,
Why the word "additional" here?
> user-specified, ELF shared libraries
The word "libraries" is interesting. The glibc sources imply that
multiple auditing libraries are supported, but a brief play with this
led to crashes for me. (That could easily be because I'm doing things
wrong.) Did you try this, or see an example anywhere?
> +to be loaded before all others in a separate linker namespace.
> +.B LD_AUDIT
> +is ignored for set-user-ID/set-group-ID binaries.
> +
> +The dynamic linker will notify the audit
> +libraries at so-called auditing checkpoints, like loading a new library,
> +resolving a symbol or calling a symbol from another shared object, by
> +calling an appropriate function within the audit library (the functions
> +start all with an
> +.B la_
> +prefix and are prototyped in
> +.BR "<link.h> " and " <bits/link.h>").
(.I for filenames, not .B)
> +The auditing interface is compatible with Solaris as described in its
> +.IR "Linker and Libraries Guide" ,
> +chapter Runtime Linker Auditing Interface.
> .TP
> .B LD_BIND_NOT
> (glibc since 2.1.95)
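Review bot: The empty "+" line between "is ignored for set-user-ID/set-group-ID binaries." and "The dynamic linker will notify the audit" puts a literal blank line in the man source; a paragraph macro such as .IP would start the second paragraph inside the .TP entry without relying on blank-line handling. In the same paragraph, "the functions start all with an" reads better as "the functions all start with an".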
I've tweaked your patch somewhat. What do you think of the version below?
Cheers,
Michael
--- a/man8/ld.so.8
+++ b/man8/ld.so.8
@@ -177,13 +177,47 @@ Version of
for a.out binaries only.
Old versions of ld\-linux.so.1 also supported
.BR LD_ELF_PRELOAD .
-.\" FIXME
-.\" Document LD_AUDIT ("Install audit libraries for glibc")
-.\" new in glibc 2.4
-.\" ignored in set-user-ID and set-group-ID programs
-.\"
-.\" For some info, see Solaris Linker and Libraries Guide,
-.\" "Runtime Linker Auditing Interface"
+.TP
+.B LD_AUDIT
+(glibc since 2.4)
+A colon-separated list of user-specified, ELF shared libraries
+to be loaded before all others in a separate linker namespace
+(i.e., one that does not intrude upon the normal symbol bindings that
+would occur in the process).
+These libraries can be used to audit the operation of the dynamic linker.
+.B LD_AUDIT
+is ignored for set-user-ID/set-group-ID binaries.
+
+The dynamic linker will notify the audit
+libraries at so-called auditing checkpoints\(emfor example,
+loading a new library, resolving a symbol,
+or calling a symbol from another shared object\(emby
+calling an appropriate function within the audit library.
+The following functions may be supplied in the audit library:
+.IR la_version (),
+.IR la_activity (),
+.IR la_objsearch (),
+.IR la_objopen (),
+.IR la_preinit (),
+.IR la_symbind32 (),
+.IR la_symbind64 (),
+.IR la_objclose (),
+.IR la_<platform>_pltenter ()
+(e.g.,
+.IR la_i86_gnu_pltenter ()),
+and
+.IR la_<platform>_pltexit ()
+(e.g.,
+.IR la_i86_gnu_pltexit ()).
+These functions are prototyped in
+.IR <link.h>
+and
+.IR <bits/link.h> .
+The auditing interface is largely compatible with that provided on Solaris,
+as described in its
+.IR "Linker and Libraries Guide" ,
+in the chapter
+.IR "Runtime Linker Auditing Interface" .
.TP
.B LD_BIND_NOT
(glibc since 2.1.95)
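Review bot: The opening sentence of the new LD_AUDIT entry still promises "A colon-separated list of user-specified, ELF shared libraries", yet the review earlier in this message reports crashes when more than one audit library was tried. Until that is confirmed either way, a short .\" FIXME comment beside that sentence, or wording that does not imply that several libraries are known to work, would keep the page from documenting untested behaviour.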
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH] ld.so.8: Document LD_AUDIT
@ 2009-01-07 18:25 ` Petr Baudis
From: Petr Baudis @ 2009-01-07 18:25 UTC
To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w; +Cc: linux-man-u79uwXL29TY76Z2rM5mHXA
Hi!
On Fri, Dec 19, 2008 at 04:20:31PM -0500, Michael Kerrisk wrote:
> On Sun, Dec 7, 2008 at 1:28 PM, Petr Baudis <pasky-AlSwsSmVLrQ@public.gmane.org> wrote:
> > +.TP
> > +.B LD_AUDIT
> > +(glibc since 2.4)
> > +A colon-separated list of additional,
>
> Why the word "additional" here?
Copy'n'paste oversight, sorry.
> > user-specified, ELF shared libraries
>
> The word "libraries" is interesting. The glibc sources imply that
> multiple auditing libraries are supported, but a brief play with this
> led to crashes for me. (That could easily be because I'm doing things
> wrong.) Did you try this, or see an example anywhere?
I have not tested this, just assumed from the code. Maybe 'shared
objects' would be more appropriate, too?
> --- a/man8/ld.so.8
> +++ b/man8/ld.so.8
> @@ -177,13 +177,47 @@ Version of
> for a.out binaries only.
> Old versions of ld\-linux.so.1 also supported
> .BR LD_ELF_PRELOAD .
> -.\" FIXME
> -.\" Document LD_AUDIT ("Install audit libraries for glibc")
> -.\" new in glibc 2.4
> -.\" ignored in set-user-ID and set-group-ID programs
> -.\"
> -.\" For some info, see Solaris Linker and Libraries Guide,
> -.\" "Runtime Linker Auditing Interface"
> +.TP
> +.B LD_AUDIT
> +(glibc since 2.4)
> +A colon-separated list of user-specified, ELF shared libraries
> +to be loaded before all others in a separate linker namespace
> +(i.e., one that does not intrude upon the normal symbol bindings that
> +would occur in the process).
> +These libraries can be used to audit the operation of the dynamic linker.
> +.B LD_AUDIT
> +is ignored for set-user-ID/set-group-ID binaries.
> +
> +The dynamic linker will notify the audit
> +libraries at so-called auditing checkpoints\(emfor example,
> +loading a new library, resolving a symbol,
> +or calling a symbol from another shared object\(emby
> +calling an appropriate function within the audit library.
> +The following functions may be supplied in the audit library:
> +.IR la_version (),
> +.IR la_activity (),
> +.IR la_objsearch (),
> +.IR la_objopen (),
> +.IR la_preinit (),
> +.IR la_symbind32 (),
> +.IR la_symbind64 (),
> +.IR la_objclose (),
> +.IR la_<platform>_pltenter ()
> +(e.g.,
> +.IR la_i86_gnu_pltenter ()),
> +and
> +.IR la_<platform>_pltexit ()
> +(e.g.,
> +.IR la_i86_gnu_pltexit ()).
> +These functions are prototyped in
> +.IR <link.h>
> +and
> +.IR <bits/link.h> .
> +The auditing interface is largely compatible with that provided on Solaris,
> +as described in its
> +.IR "Linker and Libraries Guide" ,
> +in the chapter
> +.IR "Runtime Linker Auditing Interface" .
> .TP
> .B LD_BIND_NOT
> (glibc since 2.1.95)
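Review bot: ".IR <link.h>" near the end of the hunk passes a single argument, so the alternating macro does nothing that ".I <link.h>" would not; ".I" is the usual form for a lone file name, and the ".IR <bits/link.h> ." line after it is the one that actually needs ".IR". The function list also places la_symbind32() and la_symbind64() side by side without saying when each applies; a few words tying them to 32-bit and 64-bit platforms would help the reader pick the right one.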
Acked-by: Petr Baudis <pasky-AlSwsSmVLrQ@public.gmane.org>
* Re: [PATCH] ld.so.8: Document LD_AUDIT
@ 2009-01-12 6:08 ` Michael Kerrisk
From: Michael Kerrisk @ 2009-01-12 6:08 UTC
To: Petr Baudis; +Cc: linux-man-u79uwXL29TY76Z2rM5mHXA
Hi Petr,
On Thu, Jan 8, 2009 at 7:25 AM, Petr Baudis <pasky-AlSwsSmVLrQ@public.gmane.org> wrote:
> Hi!
>
> On Fri, Dec 19, 2008 at 04:20:31PM -0500, Michael Kerrisk wrote:
>> On Sun, Dec 7, 2008 at 1:28 PM, Petr Baudis <pasky-AlSwsSmVLrQ@public.gmane.org> wrote:
>> > +.TP
>> > +.B LD_AUDIT
>> > +(glibc since 2.4)
>> > +A colon-separated list of additional,
>>
>> Why the word "additional" here?
>
> Copy'n'paste oversight, sorry.
No problem.
>> > user-specified, ELF shared libraries
>>
>> The word "libraries" is interesting. The glibc sources imply that
>> multiple auditing libraries are supported, but a brief play with this
>> led to crashes for me. (That could easily be because I'm doing things
>> wrong.) Did you try this, or see an example anywhere?
>
> I have not tested this, just assumed from the code.
I did some testing on Solaris, which did what I would have expected.
But GNU's API fails for the same situation. I filed
http://sources.redhat.com/bugzilla/show_bug.cgi?id=9733
> Maybe 'shared
> objects' would be more appropriate, too?
Changed.
As you will have seen already, I wrote an rtld-audit(7) page
describing the API, so I've trimmed this patch somewhat (basically I
removed the list of functions in the API, replacing it with a pointer
to the new page).
[...]
> Acked-by: Petr Baudis <pasky-AlSwsSmVLrQ@public.gmane.org>
Thanks.
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
git://git.kernel.org/pub/scm/docs/man-pages/man-pages.git
man-pages online: http://www.kernel.org/doc/man-pages/online_pages.html
Found a bug? http://www.kernel.org/doc/man-pages/reporting_bugs.html