[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RFC: Audit external function called indirectly via GOT

On 03/17/2018 02:31 PM, H.J. Lu wrote:

Auditing of external function calls and their return values relies on
lazy binding with PLT.  When external functions are called indirectly
via GOT without using PLT, auditing stops working.

Here is a proposal to support auditing of external function called
indirectly via GOT:

1. Add optional dynamic tags:

  #define DT_GNU_PLT     0x6ffffef4  /* Address of PLT section  */
  #define DT_GNU_PLTSZ   0x6ffffdf1  /* Size of PLT section  */
  #define DT_GNU_PLTENT  0x6ffffdf2  /* Size of one PLT entry  */
  #define DT_GNU_PLT0SZ  0x6ffffdf3  /* Size of the first PLT entry  */
  #define DT_GNU_PLTGOTSZ 0x6ffffdf4 /* Size of PLTGOT section  */

and update DT_FLAGS_1 with:

  #define DF_1_JMPRELIGN 0x10000000  /* DT_JMPREL can be ignored  */
2. Linker creates PLT entries for auditing external function calls via
GOT and sets DT_GNU_PLT, DT_GNU_PLTSZ, DT_GNU_PLTENT, DT_GNU_PLT0SZ and
DT_GNU_PLTGOTSZ.  If PLT isn't required for lazy binding, set the
DF_1_JMPRELIGN bit in DT_FLAGS_1.
Could we ship a template for the PLT entries in ld.so instead? And if needed, map it from the file together with an address array, like this? 

  Data page with pointer
  PLT template from ld.so (loading pointers from the previous page)
This process can get be repeated, to obtain as many PLT stubs as needed. It's not a real JIT, so SELinux will still be happy.
The data page would probably contain two pointers per PLT entry, not just one, so that the reserved PLT entries aren't necessary. 


3. When auditing is enabled at run-time, dynamic linker resolves GLOB_DAT
relocation to its corresponding PLT entry by finding JUMP_SLOT relocation
against the same function and use its PLT slot as the function address.


This step would stay the same.
I wonder if this would make it possible to restore audit support for existing binaries which lack PLT entries today. 

Thanks,
Florian