From 7f1b88ca14ffeced6b641edc8eb2ad6bb33d3a47 Mon Sep 17 00:00:00 2001
From: Xin Li <d@delphij.net>
Date: Fri, 9 Dec 2011 13:18:44 -0800
Subject: [PATCH 2/2] Add a wrapper around dynamic linker's dlopen which is
 for libc internal use, and create a flag in libc so
 that application can request for it to stop
 dlopen()'ing anything.

Add a wrapper around chroot(2) to stop loading shared objects automatically.

Thanks for kib@'s comments on style, etc.
---
 include/unistd.h                |    1 +
 lib/libc/gen/Makefile.inc       |    1 +
 lib/libc/gen/Symbol.map         |    4 ++
 lib/libc/gen/libc_dlopen.c      |   61 +++++++++++++++++++++++++++++++++++++++
 lib/libc/iconv/citrus_module.c  |    3 +-
 lib/libc/include/libc_private.h |   11 +++++++
 lib/libc/net/nsdispatch.c       |    4 +-
 lib/libc/sys/Makefile.inc       |    4 ++
 lib/libc/sys/chroot.2           |    8 ++++-
 lib/libc/sys/chroot.c           |   48 ++++++++++++++++++++++++++++++
 10 files changed, 141 insertions(+), 4 deletions(-)
 create mode 100644 lib/libc/gen/libc_dlopen.c
 create mode 100644 lib/libc/sys/chroot.c

diff --git a/include/unistd.h b/include/unistd.h
index f073f8d..90694ed 100644
--- a/include/unistd.h
+++ b/include/unistd.h
@@ -511,6 +511,7 @@ int	 initgroups(const char *, gid_t);
 int	 iruserok(unsigned long, int, const char *, const char *);
 int	 iruserok_sa(const void *, int, int, const char *, const char *);
 int	 issetugid(void);
+void	__FreeBSD_libc_enter_restricted_mode(void);
 long	 lpathconf(const char *, int);
 #ifndef _MKDTEMP_DECLARED
 char	*mkdtemp(char *);
diff --git a/lib/libc/gen/Makefile.inc b/lib/libc/gen/Makefile.inc
index d3ccf0a..1e068a5 100644
--- a/lib/libc/gen/Makefile.inc
+++ b/lib/libc/gen/Makefile.inc
@@ -20,6 +20,7 @@ SRCS+=  __getosreldate.c __xuname.c \
 	getpeereid.c getprogname.c getpwent.c getttyent.c \
 	getusershell.c getutxent.c getvfsbyname.c glob.c \
 	initgroups.c isatty.c isinf.c isnan.c jrand48.c lcong48.c \
+	libc_dlopen.c \
 	lockf.c lrand48.c mrand48.c nftw.c nice.c \
 	nlist.c nrand48.c opendir.c \
 	pause.c pmadvise.c popen.c posix_spawn.c \
diff --git a/lib/libc/gen/Symbol.map b/lib/libc/gen/Symbol.map
index c62e016..adc5964 100644
--- a/lib/libc/gen/Symbol.map
+++ b/lib/libc/gen/Symbol.map
@@ -381,6 +381,10 @@ FBSD_1.2 {
 	setutxent;
 };
 
+FBSD_1.3 {
+	__FreeBSD_libc_enter_restricted_mode;
+};
+
 FBSDprivate_1.0 {
 	/* needed by thread libraries */
 	__thr_jtable;
diff --git a/lib/libc/gen/libc_dlopen.c b/lib/libc/gen/libc_dlopen.c
new file mode 100644
index 0000000..8564ae8
--- /dev/null
+++ b/lib/libc/gen/libc_dlopen.c
@@ -0,0 +1,61 @@
+/*-
+ * Copyright (c) 2011 Xin Li <delphij@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <dlfcn.h>
+#include <stddef.h>
+
+#include "libc_private.h"
+
+/*
+ * Whether we want to restrict dlopen()s.
+ */
+static int __libc_restricted_mode = 0;
+static const char sorry[] = "Service unavailable -- libc in restricted mode";
+
+void *
+libc_dlopen(const char *path, int mode)
+{
+
+	if (__libc_restricted_mode) {
+		_rtld_error(sorry);
+		return (NULL);
+	} else
+		return (dlopen(path, mode));
+}
+
+void
+__FreeBSD_libc_enter_restricted_mode(void)
+{
+
+	__libc_restricted_mode = 1;
+	return;
+}
+
diff --git a/lib/libc/iconv/citrus_module.c b/lib/libc/iconv/citrus_module.c
index aa96aba..32b7e6e 100644
--- a/lib/libc/iconv/citrus_module.c
+++ b/lib/libc/iconv/citrus_module.c
@@ -109,6 +109,7 @@
 #include "citrus_namespace.h"
 #include "citrus_bcs.h"
 #include "citrus_module.h"
+#include "libc_private.h"
 
 static int		 _getdewey(int[], char *);
 static int		 _cmpndewey(int[], int, int[], int);
@@ -294,7 +295,7 @@ _citrus_load_module(_citrus_module_t *rhandle, const char *encname)
 	p = _findshlib(path, &maj, &min);
 	if (!p)
 		return (EINVAL);
-	handle = dlopen(p, RTLD_LAZY);
+	handle = libc_dlopen(p, RTLD_LAZY);
 	if (!handle) {
 		printf("%s", dlerror());
 		return (EINVAL);
diff --git a/lib/libc/include/libc_private.h b/lib/libc/include/libc_private.h
index a4737fe..c7284cc 100644
--- a/lib/libc/include/libc_private.h
+++ b/lib/libc/include/libc_private.h
@@ -44,6 +44,17 @@
 extern int	__isthreaded;
 
 /*
+ * libc should use libc_dlopen internally, which respects a global
+ * flag where loading of new shared objects can be restricted.
+ */
+void *libc_dlopen(const char *, int);
+
+/*
+ * For dynamic linker.
+ */
+void _rtld_error(const char *fmt, ...);
+
+/*
  * File lock contention is difficult to diagnose without knowing
  * where locks were set. Allow a debug library to be built which
  * records the source file and line number of each lock call.
diff --git a/lib/libc/net/nsdispatch.c b/lib/libc/net/nsdispatch.c
index 6b7bd02..f9d787a 100644
--- a/lib/libc/net/nsdispatch.c
+++ b/lib/libc/net/nsdispatch.c
@@ -384,7 +384,7 @@ nss_configure(void)
 	confmod = statbuf.st_mtime;
 
 #ifdef NS_CACHING
-	handle = dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL);
+	handle = libc_dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL);
 	if (handle != NULL) {
 		nss_cache_cycle_prevention_func = dlsym(handle,
 			"_nss_cache_cycle_prevention_function");
@@ -497,7 +497,7 @@ nss_load_module(const char *source, nss_module_register_fn reg_fn)
 		if (snprintf(buf, sizeof(buf), "nss_%s.so.%d", mod.name,
 		    NSS_MODULE_INTERFACE_VERSION) >= (int)sizeof(buf))
 			goto fin;
-		mod.handle = dlopen(buf, RTLD_LOCAL|RTLD_LAZY);
+		mod.handle = libc_dlopen(buf, RTLD_LOCAL|RTLD_LAZY);
 		if (mod.handle == NULL) {
 #ifdef _NSS_DEBUG
 			/* This gets pretty annoying since the built-in
diff --git a/lib/libc/sys/Makefile.inc b/lib/libc/sys/Makefile.inc
index ea38b51..26c37dd 100644
--- a/lib/libc/sys/Makefile.inc
+++ b/lib/libc/sys/Makefile.inc
@@ -28,6 +28,10 @@ SRCS+= sigwait.c
 NOASM+= sigwait.o
 PSEUDO+= _sigwait.o
 
+SRCS+= chroot.c
+NOASM+= chroot.o
+PSEUDO+= _chroot.o
+
 # Add machine dependent asm sources:
 SRCS+=${MDASM}
 
diff --git a/lib/libc/sys/chroot.2 b/lib/libc/sys/chroot.2
index ecf2eb5..890a188 100644
--- a/lib/libc/sys/chroot.2
+++ b/lib/libc/sys/chroot.2
@@ -28,7 +28,7 @@
 .\"     @(#)chroot.2	8.1 (Berkeley) 6/4/93
 .\" $FreeBSD$
 .\"
-.Dd June 4, 1993
+.Dd December 10, 2011
 .Dt CHROOT 2
 .Os
 .Sh NAME
@@ -98,6 +98,12 @@ Otherwise,
 a value of -1 is returned and
 .Va errno
 is set to indicate an error.
+.Sh IMPLEMENTATION NOTES
+The
+.Nm
+function is implemented as a wrapper around the
+__sys_chroot() system call, which disables all future load of
+shared objects inside libc when the system call was successful.
 .Sh ERRORS
 The
 .Fn chroot
diff --git a/lib/libc/sys/chroot.c b/lib/libc/sys/chroot.c
new file mode 100644
index 0000000..75bf302
--- /dev/null
+++ b/lib/libc/sys/chroot.c
@@ -0,0 +1,48 @@
+/*-
+ * Copyright (c) 2011 Xin LI <delphij@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <unistd.h>
+
+int __sys_chroot(const char *dirname);
+
+__weak_reference(__chroot, chroot);
+
+int
+__chroot(const char *dirname)
+{
+	int rval;
+
+	rval = __sys_chroot(dirname);
+	/* Disable libc loading of shared objects on successful */
+	if (rval == 0)
+		__FreeBSD_libc_enter_restricted_mode();
+	return (rval);
+}
+
-- 
1.7.7.4