This is the mail archive of the
mailing list for the glibc project.
Re: [PATCH] [PR libc/18801] PIE binary with STT_GNU_IFUNC symbol and TEXTREL segfaults on x86_64
- From: Paul Pluzhnikov <ppluzhnikov at google dot com>
- To: "H.J. Lu" <hjl dot tools at gmail dot com>
- Cc: Sriraman Tallam <tmsriram at google dot com>, GLIBC Devel <libc-alpha at sourceware dot org>, Ian Lance Taylor <iant at google dot com>, David Li <davidxl at google dot com>
- Date: Tue, 11 Aug 2015 15:19:12 -0700
- Subject: Re: [PATCH] [PR libc/18801] PIE binary with STT_GNU_IFUNC symbol and TEXTREL segfaults on x86_64
On Tue, Aug 11, 2015 at 3:01 PM, H.J. Lu <firstname.lastname@example.org> wrote:
> On Tue, Aug 11, 2015 at 2:39 PM, Paul Pluzhnikov <email@example.com> wrote:
>> It's either
>> - make TEXTREL binary not run under SELinux, or
>> - make them run, but crash mysteriously if they have a called IFUNC
>> resolver in them (or are linked with '-z,now').
> How about
> 1. Change ld to disallow TEXTREL with IFUNC and without "-z now".
That would still fail under SELinux, wouldn't it?

Are you proposing also changing SELinux policy to allow "W+E" if
DF_BIND_NOW is set?

That would be too permissive, I think -- we need that while doing the
relocation, but not after transferring control to a.out. But I don't
know if that's possible to encode into the policy.
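
For triage, the two dynamic-section markers this message turns on (TEXTREL and DF_BIND_NOW) can be read directly from a binary's PT_DYNAMIC segment. The following is an added example, not part of the original message or of glibc; `dynamic_flags` and `build_sample` are hypothetical names, the sample images are constructed, and it does not look for IFUNC symbols.

```python
import struct

# Constants from the ELF gABI / <elf.h>
PT_DYNAMIC = 2
DT_TEXTREL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 22, 24, 30, 0x6FFFFFFB
DF_TEXTREL, DF_BIND_NOW, DF_1_NOW = 0x4, 0x8, 0x1

def dynamic_flags(elf: bytes) -> dict:
    """Report TEXTREL / BIND_NOW as recorded in PT_DYNAMIC of a little-endian ELF64."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    found = {"textrel": False, "bind_now": False}
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<qQ", elf, off)
            if tag == 0:  # DT_NULL terminates the array
                break
            # Linkers may emit the legacy tag, the DT_FLAGS bit, or both.
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                found["textrel"] = True
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                found["bind_now"] = True
    return found

def build_sample(entries) -> bytes:
    """Constructed input: ELF64 header, one PT_DYNAMIC phdr, the given (tag, value) pairs."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries) + struct.pack("<qQ", 0, 0)
    ehdr = (b"\x7fELF\x02\x01\x01" + bytes(9)
            + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0))
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 120, 120, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    samples = [("TEXTREL, lazy binding", [(DT_TEXTREL, 0)]),
               ("TEXTREL, -z now", [(DT_FLAGS, DF_TEXTREL | DF_BIND_NOW)]),
               ("no TEXTREL", [(DT_FLAGS_1, 0x08000000)])]  # DF_1_PIE only
    for name, entries in samples:
        print(name, dynamic_flags(build_sample(entries)))
```

On a real file, pass `open(path, "rb").read()` to `dynamic_flags`.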