From 4a133885a7c8ae7ebe34e36fcdb353f8e94c810f Mon Sep 17 00:00:00 2001
From: Adhemerval Zanella
Date: Mon, 6 Nov 2023 17:25:45 -0300
Subject: elf: Ignore LD_PROFILE for setuid binaries
Loader does not ignore LD_PROFILE in secure-execution mode (different than man-page states [1]), rather it uses a different path (/var/profile) and ignore LD_PROFILE_OUTPUT. Allowing secure-execution profiling is already a non good security boundary, since it enables different code paths and extra OS access by the process. But by ignoring LD_PROFILE_OUTPUT, the resulting profile file might also be acceded in a racy manner since the file name does not use any process-specific information (such as pid, timing, etc.). Another side-effect is it forces lazy binding even on libraries that might be with DF_BIND_NOW. [1] https://man7.org/linux/man-pages/man8/ld.so.8.html
Reviewed-by: Siddhesh Poyarekar
---
elf/Makefile | 3 +++
1 file changed, 3 insertions(+)
(limited to 'elf/Makefile')
diff --git a/elf/Makefile b/elf/Makefile
index 1af8ca4f84..414fdbdec8 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -3002,3 +3002,6 @@ $(objpfx)tst-non-directory-path.out: tst-non-directory-path.sh \ $(evaluate-test) tst-env-setuid-ARGS = -- $(host-test-program-cmd)
+
+# Reuse a module with a SONAME, to specific as the LD_PROFILE.
+$(objpfx)tst-env-setuid: $(objpfx)tst-sonamemove-runmod2.so
-- cgit v1.2.3
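Review bot: The comment added above the new `$(objpfx)tst-env-setuid` prerequisite is hard to parse ("to specific as the LD_PROFILE") and does not say why the setuid test needs the module. I would reword it to `# tst-env-setuid names this module's SONAME in LD_PROFILE, so it must be built before the test runs.` This view is limited to elf/Makefile, so the test source is not visible here. Presumably the test checks that the variable is dropped in secure-execution mode. It is worth confirming that it also asserts no profile data file is written under the fixed path, since the commit message identifies the predictable file name as the racy part.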