Re: [Libguestfs] alternatives for hooking dlopen() without LD_LIBRARY_PATH or LD_AUDIT?

On 2/17/20 9:12 AM, Florian Weimer wrote: Another followup: nbdkit-vddk-plugin.so is now using a re-exec setup [1], for several reasons: 1. all our other ideas tried so far (such as a dlopen() interposition in the main nbdkit binary) touched more files and required more exported APIs; we managed to get re-exec working with changes limited to just the plugin (other than a minor change to nbdkit to quit messing with argv[] so that /proc/self/cmdline would stay stable - but that did not require a new API). 2. it turns out that overriding dlopen() was insufficient to work around VDDK's setup [2]. It _did_ solve the initial dlopen() performed by VDDK, but that library in turn had DT_NEEDED entries for bare library names, which dlopen() does NOT affect but which la_objsearch() should. 3. for nbdkit, we want to minimize the number of binary files shipped; the re-exec solution works with just the nbdkit binary and the nbdkit-vddk-plugin.so. Any solution that requires a third file to be shipped (be that a shared library providing dlopen, or a LD_AUDIT library, or otherwise) is less palatable than the 2-binary solution that our re-exec solution provides. [1] https://github.com/libguestfs/nbdkit/commit/0c7ac4e655b [2] https://www.redhat.com/archives/libguestfs/2020-February/msg00184.html So with that said, here's a question I just thought of: If your patch for glibc support for DT_AUDIT is incorporated, is it possible to mark a shared library as its own audit library via DT_AUDIT? That is, if nbdkit-vddk-plugin.so can provide entry points for _both_ the nbdkit interface (which satisfies dlopen() from the nbdkit binary) and la_version/la_objsearch() (which satisfy the requirements for use from the audit code in ld.so), _and_ during the compilation of nbdkit-vddk-plugin.so, we marked the library as its own DT_AUDIT entry, would the mere act of dlopen("nbdkit-vddk-plugin.so") from nbdkit be sufficient to trigger audit actions such as la_objsearch() on all subsequent shared loads (whether by dlopen() or DT_NEEDED) performed by nbdkit-vddk-plugin.so and its descendant loaded libraries? Because if so, we would have a use case where a single binary, set up to act as its own audit library, might be sufficient to hook the shared object search path without needing any of environment variable modification, a process re-exec, or a third shipping binary - in which case that would indeed be a nicer solution than the current re-exec solution we committed today (of course, nbdkit would not be able to rely on that solution except on systems with new enough glibc to support DT_AUDIT). I guess even without DT_AUDIT support, I could at least answer the question of whether a single .so can be used to satisfy both dlopen() and LD_AUDIT interfaces at once by setting LD_AUDIT (where the only remaining gap is figuring out when glibc can let DT_AUDIT have the same effect). During my earlier attempts to get a working dlopen() override, I didn't consider any solution that required setting LD_AUDIT, but now that I proved dlopen() override alone was not enough for the case at hand, having to re-exec to set LD_AUDIT is no worse than having to re-exec to set LD_LIBRARY_PATH as a fallback to systems where glibc does not support DT_AUDIT. -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org