Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set NODEFLIB in user app to prevent use of target system libs #138

Merged
merged 4 commits into from
Jul 19, 2020
Merged

Set NODEFLIB in user app to prevent use of target system libs #138

merged 4 commits into from
Jul 19, 2020

Conversation

JonathonReinhart
Copy link
Owner

This will hopefully avoid an entire class of problems where libraries from the target environment are inadvertently loaded.

This works not only for NEEDED libraries, but also calls to dlopen().

Closes #137

@JonathonReinhart JonathonReinhart force-pushed the 137-nodeflib branch 2 times, most recently from 3adb7b1 to 3d98bfe Compare July 19, 2020 20:51
@JonathonReinhart
staticx: Set nodeflib
bed96a6 
Leverage patchelf --no-default-lib to set DF_1_NODEFLIB, when tells ld.so
to ignore the default library search path. This will prevent any libraries
from the "target" environment from being loaded; only libraries with
absolute paths or those from RPATH will be allowed.

Closes #137
@JonathonReinhart
staticx: Work around patchelf --no-default-lib bug
82b9564
@JonathonReinhart
test: Add no-default-lib
a6c4eff 
This test verifies that the NODEFLIB flag works and that staticx apps
won't accidentally load non-bundled libraries from the target environment.
@JonathonReinhart
Update change log for nodeflib
0b1f2f7
@JonathonReinhart JonathonReinhart merged commit 0b4ab1e into master Jul 19, 2020
@JonathonReinhart JonathonReinhart deleted the 137-nodeflib branch July 19, 2020 21:38
This was referenced Jul 28, 2020
Closed
Closed
Closed
@JonathonReinhart JonathonReinhart mentioned this pull request Oct 16, 2020
Closed
@JonathonReinhart
Copy link
Owner Author

JonathonReinhart commented Oct 19, 2020
edited
Loading

This was too good to be true. It turns out NODEFLIB only applies to the object whose dependencies are being resolved; not dependencies of those dependencies.

Evidence:

  • ld(1) man page says:

    nodefaultlib
    Specify that the dynamic loader search for dependencies of this object should ignore any default library search paths.

  • GLIBC source code is confusing as hell. I don't know what l and loader are
  • freebsd rtld very clearly stores z_nodefaultlib per-object and always evaluates it in such a context.
  • I wrote a test (TODO: post a Gist) where app calls dlopen("./libfoo.so") which depends on libcrypt.so, and I set -z nodefaultlib on app. The flag woks, because I needed to set RPATH=$ORIGIN and copy libc.so and libdl.so to even try to run app (as expected). But libcrypt from the system paths was loaded ☹️ 
    [app:main] Started
[app:main] my dir: /home/jreinhart/quicktests/nodeflib
[app:main] libfoo path: /home/jreinhart/quicktests/nodeflib/libfoo.so
     10531: find library=libcrypt.so.1 [0]; searching
     10531:  search cache=/etc/ld.so.cache 
     10531:   trying file=/lib/x86_64-linux-gnu/libcrypt.so.1

@JonathonReinhart JonathonReinhart mentioned this pull request Feb 6, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Forbid use of target system library paths
1 participant
@JonathonReinhart