
Interpose calls into dynamic linker #638

@ayrtonm


To compartmentalize the dynamic linker (#629) we need to insert callgates around calls into and out of `ld.so`. Given that we `dlopen` compartmentalized libraries on startup and require `-Wl,-znow`, this does not include symbol binding via calls to the PLT stubs, so we only need to consider the functions shown by running `nm -D` on `ld.so`, as shown below. We should categorize these and determine which we need to create wrappers for.

```
# Need callgate
## runs when creating a new thread
_dl_allocate_tls
## runs on certain TLS accesses
__tls_get_addr
## needs LD_DEBUG env var
_dl_debug_state

# Should not need callgate
## called before _start
_dl_allocate_tls_init
_dl_catch_exception
## called before main (_start appears in bt)
_dl_audit_preinit

# TODO: categorize these
_dl_audit_symbind_alt
_dl_deallocate_tls
_dl_exception_create
_dl_exception_create_format
_dl_exception_free
_dl_fatal_printf
_dl_find_dso_for_object
_dl_get_tls_static_info
_dl_mcount
_dl_rtld_di_serinfo
_dl_signal_error
_dl_signal_exception
_dl_x86_get_cpu_features
__rtld_version_placeholder
__tunable_get_val
__tunable_is_initialized
```

Functions that run before `main` or `_start` (not sure the distinction matters) should not need callgates since compartments aren't set up at that point.

We should also consider if a process should end in the untrusted compartment or whichever compartment the dynamic linker is in. In #628 I removed the exit callgate and reworked the main wrapper to end in the dynamic linker's compartment since this simplifies the calls to `ia2_compartment_destructor_N` when the process is terminating. I'm not sure if ending in the untrusted compartment is feasible, so we should decide whether to implement this properly and if it should be a configurable option for when the dynamic linker is not compartmentalized.
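An added example, not part of the original issue or the project's code: a Python check that buckets the function symbols `nm -D` reports for `ld.so` into the three categories listed above and flags any export that appears in none of them, for instance after a glibc update. The embedded `nm` output is constructed, and the two `hypothetical` symbol names in it are made up.

```python
import subprocess
import sys
# Categories exactly as listed in the issue above.
CATEGORIES = {
    "need_callgate": {"_dl_allocate_tls", "__tls_get_addr", "_dl_debug_state"},
    "no_callgate": {"_dl_allocate_tls_init", "_dl_catch_exception", "_dl_audit_preinit"},
    "todo": {
        "_dl_audit_symbind_alt", "_dl_deallocate_tls", "_dl_exception_create",
        "_dl_exception_create_format", "_dl_exception_free", "_dl_fatal_printf",
        "_dl_find_dso_for_object", "_dl_get_tls_static_info", "_dl_mcount",
        "_dl_rtld_di_serinfo", "_dl_signal_error", "_dl_signal_exception",
        "_dl_x86_get_cpu_features", "__rtld_version_placeholder",
        "__tunable_get_val", "__tunable_is_initialized",
    },
}

# Constructed sample of `nm -D` output (addresses and version tags made up).
SAMPLE = """\
                 U __hypothetical_import
000000000001a2b0 T _dl_allocate_tls@@GLIBC_PRIVATE
000000000001c400 T __tls_get_addr@@GLIBC_2.3
0000000000012f00 T _dl_mcount@@GLIBC_2.2.5
000000000003a000 D _rtld_global@@GLIBC_PRIVATE
0000000000015550 T _dl_hypothetical_new_export@@GLIBC_PRIVATE
"""

def exported_functions(nm_output):
    """Defined function symbols in `nm -D` output, version suffix stripped."""
    names = set()
    for line in nm_output.splitlines():
        fields = line.split()
        # Defined symbols are "address type name"; "U name" lines are imports.
        if len(fields) == 3 and fields[1] in {"T", "W", "i"}:
            names.add(fields[2].split("@", 1)[0])
    return names

def audit(nm_output):
    """Bucket exports by category; report unlisted exports and stale entries."""
    exported = exported_functions(nm_output)
    report = {cat: sorted(exported & names) for cat, names in CATEGORIES.items()}
    listed = set().union(*CATEGORIES.values())
    report["uncategorized"] = sorted(exported - listed)
    report["not_exported"] = sorted(listed - exported)
    return report

if __name__ == "__main__":  # optional argv[1]: path to ld.so, else the sample
    text = SAMPLE if len(sys.argv) < 2 else subprocess.run(
        ["nm", "-D", sys.argv[1]], check=True, capture_output=True, text=True).stdout
    for category, names in audit(text).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

A non-empty `uncategorized` bucket means `ld.so` exports a function that none of the three lists covers; `not_exported` shows list entries that the inspected `ld.so` does not define.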
