Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename

To: Ian Jackson <ijackson@chiark.greenend.org.uk>
Cc: Aurelien Jarno <aurelien@aurel32.net>, 963508@bugs.debian.org
Subject: Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 23 Jun 2020 12:00:05 +0100
Message-id: <[🔎] 20200623110005.GM17201@riva.ucam.org>
Reply-to: Colin Watson <cjwatson@debian.org>, 963508@bugs.debian.org
In-reply-to: <[🔎] 24305.56738.393752.772285@chiark.greenend.org.uk>
References: <[🔎] 159284881159.3577.15577493642137212642.reportbug@zealot.relativity.greenend.org.uk> <[🔎] 20200622211851.GA8215@aurel32.net> <[🔎] 24305.56738.393752.772285@chiark.greenend.org.uk> <[🔎] 159284881159.3577.15577493642137212642.reportbug@zealot.relativity.greenend.org.uk>

On Tue, Jun 23, 2020 at 11:46:58AM +0100, Ian Jackson wrote:
> Aurelien Jarno writes ("Re: Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename"):
> > You probably have apparmor installed and enabled on your system.
> > Binaries that are run with an apparmor profile get AT_SECURE enabled,
> > which disables many features that have an impact on security, including
> > preloading libraries.
[...]
> I notice that during startup it does this
>   access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or
> but none of my man-db binaries are setuid (I have double-checked).

The name is a slight misnomer, presumably because it predates other
reasons why ld.so might be in secure-execution mode.

> I also notice that something in the invocation stack (presumably
> something in man-db) is changing the LD_PRELOAD value from
>   LD_PRELOAD=libgtk3-nocsd.so.0 libeatmydata.so
> to
>   LD_PRELOAD=libgtk3-nocsd.so.0:libeatmydata.so
> and I didn't even know spaces were allowed!  But this doesn't seem
> relevant.

man-db never sets LD_PRELOAD.

> If this were apparmor I would expect to see an EACCES or EPERM or
> something.

I believe Aurelien's contention is not that AppArmor is denying the
request as such (which would indeed produce some kind of errno along
these lines), but rather that the fact that there's an AppArmor policy
defined for /usr/bin/man puts ld.so into secure-execution mode when
executing that binary.

> > > Colin Watson (CC'd) reports that sid works.
> > 
> > I have tested on sid and on experimental, I do not find a different
> > behaviour.

Apologies for the misdirection here: I was only testing in a sid chroot,
and hadn't considered the possible AppArmor issue.

In general, I don't regret my decision to add various confinement
tactics to man as a defence against possible vulnerabilities in the
rendering pipeline for manual pages.  However, it is clearly
inconvenient in the sort of case that Ian brings up.  I wonder if I need
to provide a separate utility for linting manual pages that doesn't
involve secure-execution mode in any way, in order that it can be used
by build systems without needing to worry about all this stuff.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

Reply to:

References:
- Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename
  - From: Aurelien Jarno <aurelien@aurel32.net>
- Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

Prev by Date: Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename
Next by Date: Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename
Previous by thread: Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename
Next by thread: Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename
Index(es):
- Date
- Thread