Linux LD_PRELOAD/LD_AUDIT library: Resolve stability workarounds #29

Open
noproto opened this issue Oct 13, 2021 · 5 comments
Labels
bug Something isn't working

noproto commented Oct 13, 2021

The following code block should be deleted by troubleshooting inconsistent behavior or glibc's linker profiling mode:

// FIXME: Stability exceptions
match symbol_str {
    "dlopen" => {
        if let Ok(exe) = std::env::current_exe() {
            if let Ok(exe_string) = exe.into_os_string().into_string() {
                if exe_string.starts_with("/usr/bin/python") ||
                   exe_string == String::from("/usr/sbin/rsyslogd") ||
                   exe_string == String::from("/usr/bin/perl") { return (*(sym)).st_value as usize; }
            }
        }
        if calling_library_basename_str == "libpam.so.0" {
            return (*(sym)).st_value as usize;
        }
    },
    "execvp" => {
        if let Ok(exe) = std::env::current_exe() {
            if let Ok(exe_string) = exe.into_os_string().into_string() {
                if exe_string.starts_with("/usr/bin/apt") { return (*(sym)).st_value as usize; }
            }
        }
    },
    "fopen64" => {
        if calling_library_basename_str == "libcrypto.so.1.1" {
            return (*(sym)).st_value as usize;
        }
    }
    _ => ()
};

This issue can be broken down into three hooks:

  1. dlopen: (as called from PAM's libpam.so.0 library during pam_authenticate, Python 3, Perl, and rsyslogd)
  2. execvp: (as called from the apt package manager during apt install)
  3. fopen64: (as called from OpenSSL's libcrypto.so.1.1 library during openssl_fopen, e.g. curl 1.1.1.1)

noproto added the bug label on Oct 13, 2021.
noproto changed the title from "Resolve stability exceptions" to "Linux LD_PRELOAD/LD_AUDIT library: Resolve stability exceptions" on Oct 13, 2021.
noproto changed the title from "Linux LD_PRELOAD/LD_AUDIT library: Resolve stability exceptions" to "Linux LD_PRELOAD/LD_AUDIT library: Resolve stability workarounds" on Oct 14, 2021.

noproto commented Oct 21, 2021

Notes:

  • apt cannot install packages when the execvp (6), dlopen (9), fopen (15), fopen64 (16), and __open64_2 (46) hooks are enabled (test case: apt -y install sl && apt -y remove sl), which the above stability conditions presently cover
  • The issue in the __open64_2 hook is triggered by Perl: calls __openat64_2(3, "urandom", 524288), where 3 is an fd to /dev and 524288 is O_RDONLY|O_CLOEXEC (also covered by the above stability conditions)

noproto commented Aug 28, 2022

All dlopen exceptions are deleted. execvp exception narrowed to /usr/bin/apt.

noproto commented Oct 16, 2022

The execvp issue may be identified. Environment variables set in Perl are not being passed to executed programs:

$ LD_PRELOAD=/path/to/libwhitebeam.so LD_AUDIT=/path/to/libwhitebeam.so LD_BIND_NOT=1 /usr/bin/perl -we 'local $ENV{EXAMPLE_ENV}="SET";exec "/usr/bin/printenv", "EXAMPLE_ENV";'
$ /usr/bin/perl -we 'local $ENV{EXAMPLE_ENV}="SET";exec "/usr/bin/printenv", "EXAMPLE_ENV";'
SET

execvp disabled, issue not present:

$ echo 'UPDATE Hook SET enabled=0 WHERE symbol="execvp";' | whitebeam --load -
WhiteBeam: Loading SQL from standard input
$ LD_PRELOAD=/path/to/libwhitebeam.so LD_AUDIT=/path/to/libwhitebeam.so LD_BIND_NOT=1 /usr/bin/perl -we 'local $ENV{EXAMPLE_ENV}="SET";exec "/usr/bin/printenv", "EXAMPLE_ENV";'
SET

noproto commented Oct 16, 2022

Reproducible outside of Perl:

$ LD_PRELOAD=/path/to/libwhitebeam.so LD_AUDIT=/path/to/libwhitebeam.so LD_BIND_NOT=1 /usr/bin/python3 -c 'import os;os.environ["EXAMPLE_ENV"]="SET";os.execvp("/usr/bin/printenv",["/usr/bin/printenv","EXAMPLE_ENV"]);'
$ /usr/bin/python3 -c 'import os;os.environ["EXAMPLE_ENV"]="SET";os.execvp("/usr/bin/printenv",["/usr/bin/printenv","EXAMPLE_ENV"]);'
SET

noproto commented Oct 16, 2022

execvp workaround removed in a84a612 (fixed).
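
A regression check for the environment-passing behaviour reproduced in the comments above, written as an added example that is not part of the issue thread or the WhiteBeam code base. The function name `env_survives_execvp` is hypothetical, and the check assumes `printenv` is reachable through `PATH`; it calls libc `execvp` directly instead of going through Perl or Python.

```c
/* Added example: verifies that a variable set at run time is still present
 * after execvp(). EXAMPLE_ENV and printenv mirror the reproducers above. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the exec'd program saw EXAMPLE_ENV=SET, 0 if the variable
 * was lost, -1 on a setup error (pipe, fork or exec failure). */
int env_survives_execvp(void)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                        /* child: same steps as the reproducers */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(127);
        close(fds[1]);
        if (setenv("EXAMPLE_ENV", "SET", 1) != 0) _exit(127);
        char *argv[] = { "printenv", "EXAMPLE_ENV", NULL };
        execvp(argv[0], argv);             /* the call an execvp hook intercepts */
        _exit(127);                        /* only reached if exec itself failed */
    }

    close(fds[1]);
    char buf[64] = {0};
    size_t used = 0; ssize_t n;
    while (used < sizeof buf - 1 &&
           (n = read(fds[0], buf + used, sizeof buf - 1 - used)) > 0)
        used += (size_t)n;
    close(fds[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1;
    return strcmp(buf, "SET\n") == 0 ? 1 : 0;   /* printenv exits 1 if unset */
}

int main(void)
{
    int r = env_survives_execvp();
    printf("%s\n", r == 1 ? "PASS" : r == 0 ? "FAIL: EXAMPLE_ENV lost across execvp" : "ERROR");
    return r == 1 ? 0 : 1;
}
```

Run the compiled binary once plainly and once with the same `LD_PRELOAD`, `LD_AUDIT` and `LD_BIND_NOT=1` settings used in the reproducers; both runs should print PASS when the hook forwards the environment.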
