Document direct execution mode for ld.so.
ClosedPublic

Authored by kib on May 19 2017, 11:21 PM.

Details

Summary

While there, also fix tokens handling explanation (for separate commit).

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.
kib created this revision.May 19 2017, 11:21 PM
kib edited the summary of this revision. (Show Details)May 19 2017, 11:21 PM
emaste added a subscriber: wblock.May 22 2017, 3:49 AM

A few English comments -- perhaps @wblock could refine further.

libexec/rtld-elf/rtld.1
64–67 ↗(On Diff #28587)

This part seems unclear to me, and in fact I wonder if we should just leave it out, or make a note about DF_ORIGIN and/or -z origin under $ORIGIN below.

287–292 ↗(On Diff #28587)

This seems overly long, can we split in two sentences - e.g.

.Nm is typically used implicitly, loaded by the kernel as requested... .

.Fx also supports

294 ↗(On Diff #28587)

maybe "a direct execution mode..."

297 ↗(On Diff #28587)

as an argument

299 ↗(On Diff #28587)

Allows use of a non-standard dynamic...

300 ↗(On Diff #28587)

Perhaps:

the binary.
Execution options may be specified.

318–319 ↗(On Diff #28587)

I think ".Ar fd references the binary to be activated by .Nm ."

I don't follow "must be opened in the process". Maybe "It must already be opened in the process when executing .Nm"?

329 ↗(On Diff #28587)

a relative path

331 ↗(On Diff #28587)

the search path

337 ↗(On Diff #28587)

options. The argument following -- is ...

340 ↗(On Diff #28587)

Maybe "to conform to user expectation" or such? The argument below about not being a security feature is sensible, but the reason it's done is also a nod to POLA.

kib updated this revision to Diff 28657.May 22 2017, 10:44 AM
kib marked 10 inline comments as done.

Handle emaste comments.

emaste added inline comments.May 28 2017, 8:56 PM
libexec/rtld-elf/rtld.1
290 ↗(On Diff #28657)

of the executed

293 ↗(On Diff #28657)

the user

297 ↗(On Diff #28657)

Probably "This mode"

314 ↗(On Diff #28657)

Is it fair to just call it "file descriptor <fd>"? I think usage like "fd 6" is common enough.

322 ↗(On Diff #28657)

provide the argv

kib updated this revision to Diff 28955.May 28 2017, 9:17 PM
kib marked 4 inline comments as done.
kib marked an inline comment as done.

Ed' editings.

jonathan accepted this revision.May 28 2017, 11:40 PM

Some very small nits on which I would happily defer (well, except for the spelling one). Otherwise LGTM.

libexec/rtld-elf/rtld.1
293 ↗(On Diff #28955)

Misspelling: should be "explicitly"

295 ↗(On Diff #28955)

I think there shouldn't be a comma here?

298 ↗(On Diff #28955)

I wonder if this sentence "This mode allows [...]" is necessary at all? You can use the dynamic linker in two ways, I don't think we need to justify either of them in the man page.

324 ↗(On Diff #28955)

And __progname too, right?

This revision is now accepted and ready to land.May 28 2017, 11:40 PM
kib marked 2 inline comments as done.May 29 2017, 12:31 PM
kib added inline comments.
libexec/rtld-elf/rtld.1
298 ↗(On Diff #28955)

Well, formally you are right. But this is a (rare) case when I do some logical implications as a useful hint for user, suggesting some application of the feature that might be interesting but not immediately obvious.

324 ↗(On Diff #28955)

__progname is not documented and I do not want to add a reference there. It cannot be killed, unfortunately.

kib updated this revision to Diff 28978.May 29 2017, 12:33 PM

Two fixes noted by jonathan.

This revision now requires review to proceed.May 29 2017, 12:33 PM
emaste accepted this revision.May 29 2017, 12:52 PM
emaste added inline comments.
libexec/rtld-elf/rtld.1
298 ↗(On Diff #28955)

Ah, on further thought maybe "without changing the installed dynamic linker." to make that even more obvious.

I think there is some value in highlighting this case.

324 ↗(On Diff #28955)

I think this is OK if read as argv[0] implying "the program name."

This revision is now accepted and ready to land.May 29 2017, 12:52 PM
This revision was automatically updated to reflect the committed changes.
jonathan added inline comments.May 29 2017, 1:41 PM
libexec/rtld-elf/rtld.1
298 ↗(On Diff #28955)

"without changing the installed dynamic linker"

Ah, yes, that's a good way to put it.

If we're documenting this use case, could we also say something like, "or the execution of dynamically-linked binaries from within Capsicum capability mode (see -f option)"?

324 ↗(On Diff #28955)

Ok, I guess that's all meant to be "magic" for people writing main() functions. :)

Just for my own understanding: if __progname is handled by crt1.o, why do we also set a variable explicitly in ld-elf.so.1?

kib added inline comments.May 29 2017, 2:32 PM
libexec/rtld-elf/rtld.1
298 ↗(On Diff #28955)

I think yes, it worth note the consumer of -f functionality, but it is still not there ? I mean, add this reference to capsicum after the stuff becomes used.

324 ↗(On Diff #28955)

I do not quite understand your question. First, there is no crt1.o for ld-elf.so.1 itself. so rtld have to maintain the variable to not upset some libc routines linked into ld-elf.so.1. Removing libc usage from rtld is a useful project, but nobody taken it to completion.

Second, __progname in the main binary is indeed magic. It is set by crt1.o but also it is set even earlier by rtld. Look for call to set_program_var() in _rtld(). The crt1.o does it for the sake of statically-linked binaries, which are executed without help from rtld. Rtld sets the variable for the sake of init() functions in dynamic libraries which are called before the control is transferred to the main binary entry point.

wblock added inline comments.Jul 14 2017, 3:25 PM
head/libexec/rtld-elf/rtld.1
312

s/ as follows//

342

s/binary/the binary/

345

This is a somewhat confusing sentence. Attempt to rewrite:

In the direct execution mode,
.Nm
emulates verification of the binary execute permission for the
current user.
This is done to avoid breaking user expectations in naively restricted 
execution environments.
The verification only uses Unix
354

ISWYM by "racy", but I'm not sure it's a clear description. "its" is not needed. So maybe:

and is naturally prone to race conditions.
355

s/The environments/Environments/

356
and breakable on their own.
kib marked 6 inline comments as done.Jul 14 2017, 3:39 PM