Add a rustix::runtime::linux_secure function (#864)

This function tests for "secure execution" mode which isn't as
comprehensive as it first sounds, but it is something that libc
implementations are expected to check in a few places, so add it
to the "runtime" module for c-scape to use.

src/backend/linux_raw/param/auxv.rs

@@ -15,14 +15,18 @@ use crate::utils::{as_ptr, check_raw_pointer};
 use alloc::vec::Vec;
 use core::mem::size_of;
 use core::ptr::{null_mut, read_unaligned, NonNull};
+#[cfg(feature = "runtime")]
+use core::sync::atomic::AtomicU8;
 use core::sync::atomic::Ordering::Relaxed;
 use core::sync::atomic::{AtomicPtr, AtomicUsize};
 use linux_raw_sys::elf::*;
 use linux_raw_sys::general::{
     AT_BASE, AT_CLKTCK, AT_EXECFN, AT_HWCAP, AT_HWCAP2, AT_NULL, AT_PAGESZ, AT_SYSINFO_EHDR,
 };
 #[cfg(feature = "runtime")]
-use linux_raw_sys::general::{AT_ENTRY, AT_PHDR, AT_PHENT, AT_PHNUM};
+use linux_raw_sys::general::{
+    AT_EGID, AT_ENTRY, AT_EUID, AT_GID, AT_PHDR, AT_PHENT, AT_PHNUM, AT_SECURE, AT_UID,
+};
 
 #[cfg(feature = "param")]
 #[inline]
@@ -80,6 +84,23 @@ pub(crate) fn linux_execfn() -> &'static CStr {
     unsafe { CStr::from_ptr(execfn.cast()) }
 }
 
+#[cfg(feature = "runtime")]
+#[inline]
+pub(crate) fn linux_secure() -> bool {
+    let mut secure = SECURE.load(Relaxed);
+
+    // 0 means not initialized yet.
+    if secure == 0 {
+        init_auxv();
+        secure = SECURE.load(Relaxed);
+    }
+
+    // 0 means not present. Libc `getauxval(AT_SECURE)` would return 0.
+    // 1 means not in secure mode.
+    // 2 means in secure mode.
+    secure > 1
+}
+
 #[cfg(feature = "runtime")]
 #[inline]
 pub(crate) fn exe_phdrs() -> (*const c::c_void, usize, usize) {
@@ -131,6 +152,8 @@ static HWCAP2: AtomicUsize = AtomicUsize::new(0);
 static EXECFN: AtomicPtr<c::c_char> = AtomicPtr::new(null_mut());
 static SYSINFO_EHDR: AtomicPtr<Elf_Ehdr> = AtomicPtr::new(null_mut());
 #[cfg(feature = "runtime")]
+static SECURE: AtomicU8 = AtomicU8::new(0);
+#[cfg(feature = "runtime")]
 static PHDR: AtomicPtr<Elf_Phdr> = AtomicPtr::new(null_mut());
 #[cfg(feature = "runtime")]
 static PHENT: AtomicUsize = AtomicUsize::new(0);
@@ -256,13 +279,23 @@ unsafe fn init_from_aux_iter(aux_iter: impl Iterator<Item = Elf_auxv_t>) -> Opti
     let mut execfn = null_mut();
     let mut sysinfo_ehdr = null_mut();
     #[cfg(feature = "runtime")]
+    let mut secure = 0;
+    #[cfg(feature = "runtime")]
     let mut phdr = null_mut();
     #[cfg(feature = "runtime")]
     let mut phnum = 0;
     #[cfg(feature = "runtime")]
     let mut phent = 0;
     #[cfg(feature = "runtime")]
     let mut entry = 0;
+    #[cfg(feature = "runtime")]
+    let mut uid = None;
+    #[cfg(feature = "runtime")]
+    let mut euid = None;
+    #[cfg(feature = "runtime")]
+    let mut gid = None;
+    #[cfg(feature = "runtime")]
+    let mut egid = None;
 
     for Elf_auxv_t { a_type, a_val } in aux_iter {
         match a_type as _ {
@@ -277,6 +310,16 @@ unsafe fn init_from_aux_iter(aux_iter: impl Iterator<Item = Elf_auxv_t>) -> Opti
                 let _ = check_elf_base(a_val.cast())?;
             }
 
+            #[cfg(feature = "runtime")]
+            AT_SECURE => secure = (a_val as usize != 0) as u8 + 1,
+            #[cfg(feature = "runtime")]
+            AT_UID => uid = Some(a_val),
+            #[cfg(feature = "runtime")]
+            AT_EUID => euid = Some(a_val),
+            #[cfg(feature = "runtime")]
+            AT_GID => gid = Some(a_val),
+            #[cfg(feature = "runtime")]
+            AT_EGID => egid = Some(a_val),
             #[cfg(feature = "runtime")]
             AT_PHDR => phdr = check_raw_pointer::<Elf_Phdr>(a_val as *mut _)?.as_ptr(),
             #[cfg(feature = "runtime")]
@@ -294,15 +337,25 @@ unsafe fn init_from_aux_iter(aux_iter: impl Iterator<Item = Elf_auxv_t>) -> Opti
     #[cfg(feature = "runtime")]
     assert_eq!(phent, size_of::<Elf_Phdr>());
 
-    // The base and sysinfo_ehdr (if present) matches our platform. Accept
-    // the aux values.
+    // If we're running set-uid or set-gid, enable "secure execution" mode,
+    // which doesn't do much, but users may be depending on the things that
+    // it does do.
+    #[cfg(feature = "runtime")]
+    if uid != euid || gid != egid {
+        secure = 2;
+    }
+
+    // The base and sysinfo_ehdr (if present) matches our platform. Accept the
+    // aux values.
     PAGE_SIZE.store(pagesz, Relaxed);
     CLOCK_TICKS_PER_SECOND.store(clktck, Relaxed);
     HWCAP.store(hwcap, Relaxed);
     HWCAP2.store(hwcap2, Relaxed);
     EXECFN.store(execfn, Relaxed);
     SYSINFO_EHDR.store(sysinfo_ehdr, Relaxed);
     #[cfg(feature = "runtime")]
+    SECURE.store(secure, Relaxed);
+    #[cfg(feature = "runtime")]
     PHDR.store(phdr, Relaxed);
     #[cfg(feature = "runtime")]
     PHNUM.store(phnum, Relaxed);

src/backend/linux_raw/param/init.rs

@@ -16,7 +16,7 @@ use linux_raw_sys::general::{
     AT_CLKTCK, AT_EXECFN, AT_HWCAP, AT_HWCAP2, AT_NULL, AT_PAGESZ, AT_SYSINFO_EHDR,
 };
 #[cfg(feature = "runtime")]
-use linux_raw_sys::general::{AT_ENTRY, AT_PHDR, AT_PHENT, AT_PHNUM};
+use linux_raw_sys::general::{AT_ENTRY, AT_PHDR, AT_PHENT, AT_PHNUM, AT_SECURE};
 
 #[cfg(feature = "param")]
 #[inline]
@@ -51,6 +51,12 @@ pub(crate) fn linux_execfn() -> &'static CStr {
     unsafe { CStr::from_ptr(execfn.cast()) }
 }
 
+#[cfg(feature = "runtime")]
+#[inline]
+pub(crate) fn linux_secure() -> bool {
+    unsafe { SECURE.load(Ordering::Relaxed) }
+}
+
 #[cfg(feature = "runtime")]
 #[inline]
 pub(crate) fn exe_phdrs() -> (*const c_void, usize, usize) {
@@ -84,6 +90,8 @@ static mut SYSINFO_EHDR: AtomicPtr<Elf_Ehdr> = AtomicPtr::new(null_mut());
 // Initialize `EXECFN` to a valid `CStr` pointer so that we don't need to check
 // for null on every `execfn` call.
 static mut EXECFN: AtomicPtr<c::c_char> = AtomicPtr::new(b"\0".as_ptr() as _);
+#[cfg(feature = "runtime")]
+static mut SECURE: AtomicBool = AtomicBool::new(false);
 // Use `dangling` so that we can always treat it like an empty slice.
 #[cfg(feature = "runtime")]
 static mut PHDR: AtomicPtr<Elf_Phdr> = AtomicPtr::new(NonNull::dangling().as_ptr());
@@ -132,6 +140,8 @@ unsafe fn init_from_auxp(mut auxp: *const Elf_auxv_t) {
             AT_EXECFN => EXECFN.store(a_val.cast::<c::c_char>(), Ordering::Relaxed),
             AT_SYSINFO_EHDR => SYSINFO_EHDR.store(a_val.cast::<Elf_Ehdr>(), Ordering::Relaxed),
 
+            #[cfg(feature = "runtime")]
+            AT_SECURE => SECURE.store(a_val != 0, Ordering::Relaxed),
             #[cfg(feature = "runtime")]
             AT_PHDR => PHDR.store(a_val.cast::<Elf_Phdr>(), Ordering::Relaxed),
             #[cfg(feature = "runtime")]

src/backend/linux_raw/param/libc_auxv.rs

@@ -34,6 +34,7 @@ const AT_PHNUM: c::c_ulong = 5;
 const AT_ENTRY: c::c_ulong = 9;
 const AT_HWCAP: c::c_ulong = 16;
 const AT_HWCAP2: c::c_ulong = 26;
+const AT_SECURE: c::c_ulong = 23;
 const AT_EXECFN: c::c_ulong = 31;
 const AT_SYSINFO_EHDR: c::c_ulong = 33;
 
@@ -59,6 +60,7 @@ fn test_abi() {
     const_assert_eq!(self::AT_HWCAP, ::libc::AT_HWCAP);
     const_assert_eq!(self::AT_HWCAP2, ::libc::AT_HWCAP2);
     const_assert_eq!(self::AT_EXECFN, ::libc::AT_EXECFN);
+    const_assert_eq!(self::AT_SECURE, ::libc::AT_SECURE);
     const_assert_eq!(self::AT_SYSINFO_EHDR, ::libc::AT_SYSINFO_EHDR);
     #[cfg(feature = "runtime")]
     const_assert_eq!(self::AT_PHDR, ::libc::AT_PHDR);
@@ -120,6 +122,12 @@ pub(crate) fn linux_execfn() -> &'static CStr {
     }
 }
 
+#[cfg(feature = "runtime")]
+#[inline]
+pub(crate) fn linux_secure() -> bool {
+    unsafe { getauxval(AT_SECURE) as usize != 0 }
+}
+
 #[cfg(feature = "runtime")]
 #[inline]
 pub(crate) fn exe_phdrs() -> (*const c::c_void, usize, usize) {

src/param/auxv.rs

@@ -1,12 +1,9 @@
 use crate::backend;
 #[cfg(any(
     linux_raw,
-    all(
-        libc,
-        any(
-            all(target_os = "android", target_pointer_width = "64"),
-            target_os = "linux",
-        )
+    any(
+        all(target_os = "android", target_pointer_width = "64"),
+        target_os = "linux",
     )
 ))]
 use crate::ffi::CStr;
@@ -58,12 +55,9 @@ pub fn clock_ticks_per_second() -> u64 {
 /// [Linux]: https://man7.org/linux/man-pages/man3/getauxval.3.html
 #[cfg(any(
     linux_raw,
-    all(
-        libc,
-        any(
-            all(target_os = "android", target_pointer_width = "64"),
-            target_os = "linux",
-        )
+    any(
+        all(target_os = "android", target_pointer_width = "64"),
+        target_os = "linux",
     )
 ))]
 #[inline]
@@ -82,12 +76,9 @@ pub fn linux_hwcap() -> (usize, usize) {
 /// [Linux]: https://man7.org/linux/man-pages/man3/getauxval.3.html
 #[cfg(any(
     linux_raw,
-    all(
-        libc,
-        any(
-            all(target_os = "android", target_pointer_width = "64"),
-            target_os = "linux",
-        )
+    any(
+        all(target_os = "android", target_pointer_width = "64"),
+        target_os = "linux",
     )
 ))]
 #[inline]

src/runtime.rs

@@ -485,3 +485,28 @@ pub unsafe fn sigwaitinfo(set: &Sigset) -> io::Result<Siginfo> {
 pub unsafe fn sigtimedwait(set: &Sigset, timeout: Option<Timespec>) -> io::Result<Siginfo> {
     backend::runtime::syscalls::sigtimedwait(set, timeout)
 }
+
+/// `getauxval(AT_SECURE)`—Returns the Linux "secure execution" mode.
+///
+/// Return a boolean value indicating whether "secure execution" mode was
+/// requested, due the the process having elevated privileges. This includes
+/// whether the `AT_SECURE` AUX value is set, and whether the initial real
+/// UID and GID differ from the initial effective UID and GID.
+///
+/// The meaning of "secure execution" mode is beyond the scope of this comment.
+///
+/// # References
+///  - [Linux]
+///
+/// [Linux]: https://man7.org/linux/man-pages/man3/getauxval.3.html
+#[cfg(any(
+    linux_raw,
+    any(
+        all(target_os = "android", target_pointer_width = "64"),
+        target_os = "linux",
+    )
+))]
+#[inline]
+pub fn linux_secure() -> bool {
+    backend::param::auxv::linux_secure()
+}