Make Dynamic ELF binary loader settable.
serge.hallyn at ubuntu.com
Wed Aug 6 04:09:53 UTC 2014
Quoting Peter Dolding (oiaohm at gmail.com):
> Containers as used in docker give some application portability.
> There is a universal headache in the room. Dynamic ELF binaries
> have a build into binary interpreter string. Bad part is the dynamic
> binary interpreter is part of the libc so you must have the right libc
> and interpreter together or bad things can happen.
> Ok patchelf is a option but its not a good one when you wake up that
> you can no longer checksum your binary. So you cannot do signed
> So the problem comes how to create a solution that will work and will
> not cause a security mess. What has come my mind is extended file
> attributes(xattr) exist lets not make use of them.
> I can get so far to creating a patch to fix this issue then I run into
> a road block.
> Yes I can find where the interpreter is read from the executable simple enough
> In 2.16 Linux
> fs/binfmt_elf.c line 655 as elf_interpreter
> fs/binfmt_elf_fdpic.c line 216 as interpreter_name
> Problem is I cannot find the other half I want. How to lookup a
> xattr in kernel space on the elf binary so allowing the interpreter to
> be assigned from a xattr value if no xattr value do exactly what it
> use to. A small static binary for installers can set xattr option no
> issues. Its so annoying to be so close but so far from being able to
> make a proto patch any clues about xattr look up.
> This removes script wrapping and allows use of compatibility options.
> Now if we can make this work. This will allow kernel tools including
> the ones to control containers to ship as distribution independent
> binaries with bundled libc.
> I can see debugging advantages. Remember you cannot mix particular
> licenses into a single binary either. Yes that they can dynamic link
> does not mean you can legally make a static binary of them.
> If I can workout how to make kernel loader to xattr value the next
> will be make ld-linux.so accept xattr options. Like the orgin
> problem with RPATH and LD_PRELOAD issue on Suid bit binaries heck
> these days there are a lot of dbus using binaries where environmental
> overrides of interpreter should fail since they are not directly
> connected to the file.
> Please pardon me posting this here. I could not find a mailing list
> that directly relates to messing with the loaders.
> Peter Dolding
> Containers mailing list
> Containers at lists.linux-foundation.org
More information about the Containers