From e012eedd727a38bd18c9a540b92b95aa880d2b42 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 1 Oct 2024 16:44:18 +0200
Subject: [PATCH] tree-wide: always do dlopen() with RTLD_NOW + RTLD_NODELETE

Let's systematically use RTL_NOW|RLTD_NODELETE as flags passed to dlopen(), across our codebase. Various distros build with "-z now" anyway, hence it's weird to specify RTLD_LAZY trying to override that (which it doesn't). Hence, let's follow suit, and just do what everybody else does. Also set RTLD_NODELETE, which is apparently what distros will probably end up implying sooner or later anyway. Given that for pretty much all our dlopen() calls we never call dlclose() anyway, let's just set this everywhere too, to make things systematic. This way, the flags we use by default match what distros such as fedora do, there are no surprises, and read-only relocations can be a thing.

Fixes: #34537
(cherry picked from commit bd4beaa2ebfbbec0a1263a7091a91e528ce8cf13)
---
 src/basic/dlfcn-util.c | 2 +-
 src/shared/bpf-dlopen.c | 4 ++--
 src/shared/idn-util.c | 5 ++---
 src/shared/tpm2-util.c | 2 +-
 src/shared/userdb.c | 2 +-
 src/test/test-dlopen.c | 2 +-
 src/test/test-nss-hosts.c | 2 +-
 src/test/test-nss-users.c | 2 +-
 8 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/src/basic/dlfcn-util.c b/src/basic/dlfcn-util.c
index 8022f552943..2ebb1463c20 100644
--- a/src/basic/dlfcn-util.c
+++ b/src/basic/dlfcn-util.c
@@ -44,7 +44,7 @@ int dlopen_many_sym_or_warn_sentinel(void **dlp, const char *filename, int log_l
 if (*dlp) return 0; /* Already loaded */
- dl = dlopen(filename, RTLD_LAZY);
+ dl = dlopen(filename, RTLD_NOW|RTLD_NODELETE);
 if (!dl) return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "%s is not installed: %s", filename, dlerror());
diff --git a/src/shared/bpf-dlopen.c b/src/shared/bpf-dlopen.c
index 50491fc6aa5..45a4ee8b0ce 100644
--- a/src/shared/bpf-dlopen.c
+++ b/src/shared/bpf-dlopen.c
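Review bot: The failure message in dlopen_many_sym_or_warn_sentinel() (src/basic/dlfcn-util.c) still labels every dlopen() failure as "%s is not installed", but with RTLD_NOW the call can also fail for a library that is present and has a symbol that cannot be resolved at load time (unless it was already linked with -z now). The dlerror() text is appended, so the cause can be recovered, yet the leading phrase and the EOPNOTSUPP code point an operator at a missing package. Wording it the way the tpm2-util.c hunk already does, `"Failed to load %s: %s"`, keeps the log accurate for both cases. The function body starts and ends outside the hunk, so callers that key on EOPNOTSUPP were not checked.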
@@ -83,13 +83,13 @@ int dlopen_bpf(void) {
 DISABLE_WARNING_DEPRECATED_DECLARATIONS;
- dl = dlopen("libbpf.so.1", RTLD_LAZY);
+ dl = dlopen("libbpf.so.1", RTLD_NOW|RTLD_NODELETE);
 if (!dl) {
 /* libbpf < 1.0.0 (we rely on 0.1.0+) provide most symbols we care about, but * unfortunately not all until 0.7.0. See bpf-compat.h for more details. * Once we consider we can assume 0.7+ is present we can just use the same symbol * list for both files, and when we assume 1.0+ is present we can remove this dlopen */
- dl = dlopen("libbpf.so.0", RTLD_LAZY);
+ dl = dlopen("libbpf.so.0", RTLD_NOW|RTLD_NODELETE);
 if (!dl) return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "neither libbpf.so.1 nor libbpf.so.0 are installed: %s", dlerror());
diff --git a/src/shared/idn-util.c b/src/shared/idn-util.c
index aa88e112217..ff585ede4ba 100644
--- a/src/shared/idn-util.c
+++ b/src/shared/idn-util.c
@@ -52,11 +52,11 @@ int dlopen_idn(void) {
 if (idn_dl) return 0; /* Already loaded */
- dl = dlopen("libidn.so.12", RTLD_LAZY);
+ dl = dlopen("libidn.so.12", RTLD_NOW|RTLD_NODELETE);
 if (!dl) {
 /* libidn broke ABI in 1.34, but not in a way we care about (a new field got added to an * open-coded struct we do not use), hence support both versions. */
- dl = dlopen("libidn.so.11", RTLD_LAZY);
+ dl = dlopen("libidn.so.11", RTLD_NOW|RTLD_NODELETE);
 if (!dl) return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "libidn support is not installed: %s", dlerror());
@@ -64,7 +64,6 @@ int dlopen_idn(void) {
 } else log_debug("Loaded 'libidn.so.12' via dlopen()");
-
 r = dlsym_many_or_warn( dl, LOG_DEBUG,
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 9603f1837ed..495789024b2 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
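Review bot: In dlopen_bpf() (src/shared/bpf-dlopen.c) the dlerror() text of the first attempt is dropped before the fallback to libbpf.so.0, and the same holds for the libidn.so.12 to libidn.so.11 fallback in dlopen_idn() (src/shared/idn-util.c). With RTLD_NOW, a libbpf.so.1 that is installed but fails immediate symbol resolution takes this path as well, so the process can end up on the older ABI with no record of why the newer library was rejected. A debug line before the second dlopen() would make that visible, for example `log_debug("Failed to load libbpf.so.1, trying libbpf.so.0: %s", dlerror());`, and the equivalent in dlopen_idn(). Both function bodies continue outside their hunks.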
@@ -688,7 +688,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) {
 if (!filename_is_valid(fn)) return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver);
- context->tcti_dl = dlopen(fn, RTLD_NOW);
+ context->tcti_dl = dlopen(fn, RTLD_NOW|RTLD_NODELETE);
 if (!context->tcti_dl) return log_debug_errno(SYNTHETIC_ERRNO(ENOPKG), "Failed to load %s: %s", fn, dlerror());
diff --git a/src/shared/userdb.c b/src/shared/userdb.c
index 75dece34429..d6c7f8a74e8 100644
--- a/src/shared/userdb.c
+++ b/src/shared/userdb.c
@@ -1448,7 +1448,7 @@ int userdb_block_nss_systemd(int b) {
 /* Note that we might be called from libnss_systemd.so.2 itself, but that should be fine, really. */
- dl = dlopen(LIBDIR "/libnss_systemd.so.2", RTLD_LAZY|RTLD_NODELETE);
+ dl = dlopen(LIBDIR "/libnss_systemd.so.2", RTLD_NOW|RTLD_NODELETE);
 if (!dl) {
 /* If the file isn't installed, don't complain loudly */
 log_debug("Failed to dlopen(libnss_systemd.so.2), ignoring: %s", dlerror());
diff --git a/src/test/test-dlopen.c b/src/test/test-dlopen.c
index 9c315373b4f..6704e936e7b 100644
--- a/src/test/test-dlopen.c
+++ b/src/test/test-dlopen.c
@@ -10,7 +10,7 @@ int main(int argc, char **argv) {
 int i;
 for (i = 0; i < argc - 1; i++)
- assert_se(handles[i] = dlopen(argv[i + 1], RTLD_NOW));
+ assert_se(handles[i] = dlopen(argv[i + 1], RTLD_NOW|RTLD_NODELETE));
 for (i--; i >= 0; i--) assert_se(dlclose(handles[i]) == 0);
diff --git a/src/test/test-nss-hosts.c b/src/test/test-nss-hosts.c
index 2f1810d93be..1b5985a3156 100644
--- a/src/test/test-nss-hosts.c
+++ b/src/test/test-nss-hosts.c
@@ -380,7 +380,7 @@ static int test_one_module(const char *dir,
 log_info("======== %s ========", module);
- _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_LAZY|RTLD_NODELETE);
+ _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_NOW|RTLD_NODELETE);
 if (!handle) return -EINVAL;
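Review bot: In tpm2_context_new() (src/shared/tpm2-util.c) the handle is kept in context->tcti_dl, which suggests it is dlclose()d when the context is released; with RTLD_NODELETE that dlclose() no longer unmaps the TCTI module. fn is built from a driver name that only has to pass filename_is_valid(), so every distinct driver loaded stays resident, with its constructors already run, for the life of the process. That is probably the intended trade-off, but this call site does not fit the commit message's "we never call dlclose() anyway", so a comment at the call would help: `/* RTLD_NODELETE: the TCTI module stays mapped even after the context is freed */`. The release path is outside the hunk, so the dlclose() is inferred from the field name.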
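Review bot: In src/test/test-dlopen.c the loop after the changed line still asserts `dlclose(handles[i]) == 0`, but with RTLD_NODELETE added to the dlopen() those calls no longer unload anything, so the test stops covering the unload path (destructors, unmapping) of the modules named on the command line. If exercising unload is part of what this test is for, this one call site should stay `dlopen(argv[i + 1], RTLD_NOW)`. If it is not, a short comment saying the dlclose() loop only checks that the handles are valid would avoid confusion. The purpose of the test is not stated in the hunk.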
diff --git a/src/test/test-nss-users.c b/src/test/test-nss-users.c
index 5178779d54a..cba0f823b92 100644
--- a/src/test/test-nss-users.c
+++ b/src/test/test-nss-users.c
@@ -166,7 +166,7 @@ static int test_one_module(const char *dir,
 log_info("======== %s ========", module);
- _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_LAZY|RTLD_NODELETE);
+ _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_NOW|RTLD_NODELETE);
 if (!handle) return -EINVAL;