On 09/15/2015 08:16 PM, Simo Sorce wrote: > On Tue, 2015-09-15 at 19:59 +0200, Florian Weimer wrote: >> On 09/15/2015 03:58 PM, Simo Sorce wrote: >> >>>> I'm not sure how difficult this would be because I'm not sure how many >>>> symbols rely upon indirect dependencies. I think it would be a worthwhile >>>> cleanup to turn on something like you suggest, and attempt to bootstrap >>>> the OS using Fedora Bootstrap [1]. >>> >>> Symbol interposition is used a lot for very useful features, blocking >>> interposition would break a lot of stuff. >> >> Such as run-time patching of BIND 9 on RHEL 3 to remove a remote crasher >> bug? >> >> I don't know. There is the malloc use case (which could easily be >> supported by marking these functions as interposable), but beyond that? > > Look at what we do with https://cwrap.org/ for example, we use this > stuff in multiple projects now to be able to do testing w/o having to > create complex networking setups, or have to reconfigure systems and > give real root to applications in testing. For any of this to work we > relying on LD_PRELOAD and symbols interposition. LD_PRELOAD is an explicit mechanism. The question is more like—do we have to support *linking* (via DT_NEEDED) to libcwrap before libc, and that would override those functions everywhere in the process? Strictly speaking, the answer is no, we don't support it today, even with LD_PRELOAD. The set of libc symbols you can safely interpose to get a desired effect is very, very small. You might well end up with infinite recursion and missed intercepts because libc-internal calls do not go through the PLT (except malloc functions, so that they can be interposed). cwrap can live with that (like fakeroot) because it is not really an end user mechanism, and you can patch things if they break, or pull the wrapping interface further out. But again, I would really like to see DT_NEEDED-based use cases for symbol interposition. -- Florian Weimer / Red Hat Product Security -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct