WhiteBeamSec / WhiteBeam

WhiteBeam: Transparent endpoint security

Linux LD_PRELOAD/LD_AUDIT library: Resolve stability workarounds #29

Open noproto opened 2 years ago

noproto commented 2 years ago

The following code block should be deleted by troubleshooting inconsistent behavior or glibc's linker profiling mode: https://github.com/WhiteBeamSec/WhiteBeam/blob/93d956c68fdc711c7813e58a28d68171d45bcfcf/src/library/platforms/linux/mod.rs#L273-L300

This issue can be broken down into three hooks:

  1. dlopen: (as called from PAM's libpam.so.0 library during pam_authenticate, Python 3, Perl, and rsyslogd)
  2. execvp: (as called from the apt package manager during apt install)
  3. fopen64: (as called from OpenSSL's libcrypto.so.1.1 library during openssl_fopen, e.g. curl 1.1.1.1)

noproto commented 2 years ago

Notes:

noproto commented 2 years ago

All dlopen exceptions are deleted. execvp exception narrowed to /usr/bin/apt.

noproto commented 1 year ago

The execvp issue may be identified. Environment variables set in Perl are not being passed to executed programs:

$ LD_PRELOAD=/path/to/libwhitebeam.so LD_AUDIT=/path/to/libwhitebeam.so LD_BIND_NOT=1 /usr/bin/perl -we 'local $ENV{EXAMPLE_ENV}="SET";exec "/usr/bin/printenv", "EXAMPLE_ENV";'
$ /usr/bin/perl -we 'local $ENV{EXAMPLE_ENV}="SET";exec "/usr/bin/printenv", "EXAMPLE_ENV";'
SET

execvp disabled, issue not present:

$ echo 'UPDATE Hook SET enabled=0 WHERE symbol="execvp";' | whitebeam --load -
WhiteBeam: Loading SQL from standard input
$ LD_PRELOAD=/path/to/libwhitebeam.so LD_AUDIT=/path/to/libwhitebeam.so LD_BIND_NOT=1 /usr/bin/perl -we 'local $ENV{EXAMPLE_ENV}="SET";exec "/usr/bin/printenv", "EXAMPLE_ENV";'
SET

noproto commented 1 year ago

Reproducible outside of Perl:

$ LD_PRELOAD=/path/to/libwhitebeam.so LD_AUDIT=/path/to/libwhitebeam.so LD_BIND_NOT=1 /usr/bin/python3 -c 'import os;os.environ["EXAMPLE_ENV"]="SET";os.execvp("/usr/bin/printenv",["/usr/bin/printenv","EXAMPLE_ENV"]);'
$ /usr/bin/python3 -c 'import os;os.environ["EXAMPLE_ENV"]="SET";os.execvp("/usr/bin/printenv",["/usr/bin/printenv","EXAMPLE_ENV"]);'
SET

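The Perl and Python one-liners above are the regression check for this bug: set a variable after the process has started, exec a child, and see whether the child still receives it. The same check written as a small C program, added here as an example and not part of the WhiteBeam repository, makes it easy to run the test from a CI job with and without the library in LD_PRELOAD/LD_AUDIT (those variables are inherited by the child through the normal environment, so nothing special is needed to pass them along). It uses `sh -c 'printf ...'` instead of `/usr/bin/printenv` so it does not depend on coreutils; the function name `exec_preserves_env` and the variable name `EXAMPLE_ENV` are this example's own choices.

```c
/* env_exec_check.c (added example): verify that a value placed in the
 * environment after process start is visible to a program started with
 * execvp(). Build: cc env_exec_check.c -o env_exec_check
 * Run with and without LD_PRELOAD/LD_AUDIT set to the hook library. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set NAME=VALUE in this process, then execvp a child that prints $NAME.
 * Returns 1 if the child saw exactly VALUE, 0 if it saw something else
 * (e.g. the variable was dropped), -1 on a setup error. */
int exec_preserves_env(const char *name, const char *value)
{
    char script[256];
    /* sh -c "printf '%s' \"$NAME\"" prints the variable with no newline */
    if (snprintf(script, sizeof script, "printf '%%s' \"$%s\"", name)
            >= (int)sizeof script)
        return -1;
    if (setenv(name, value, 1) != 0)   /* modifies the live `environ` */
        return -1;

    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: route stdout into the pipe, then replace the image */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        char *const argv[] = { (char *)"sh", (char *)"-c", script, NULL };
        execvp("sh", argv);   /* whatever hook is loaded intercepts here */
        _exit(127);
    }

    /* parent: collect the child's stdout */
    close(fds[1]);
    char buf[512];
    size_t n = 0;
    ssize_t r;
    while ((r = read(fds[0], buf + n, sizeof buf - 1 - n)) > 0) {
        n += (size_t)r;
        if (n >= sizeof buf - 1)
            break;
    }
    buf[n] = '\0';
    close(fds[0]);

    int status = 0;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return strcmp(buf, value) == 0 ? 1 : 0;
}

int main(void)
{
    int ok = exec_preserves_env("EXAMPLE_ENV", "SET");
    printf("EXAMPLE_ENV propagated across execvp: %s\n",
           ok == 1 ? "yes" : ok == 0 ? "NO (value lost)" : "error");
    return ok == 1 ? 0 : 1;
}
```

Exit status 0 means the child saw the value, so the program can be used directly as a pass/fail step; a hook that rebuilds the child's environment from a stale copy rather than the caller's current `environ` shows up as "NO (value lost)".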
noproto commented 1 year ago

execvp workaround removed in a84a612 (fixed).