From ea89cfddeb6e854d71888f0904674b46d8c763a3 Mon Sep 17 00:00:00 2001
From: Nicole LeGare
Date: Tue, 3 Dec 2024 16:29:43 -0800
Subject: [PATCH 1/8] Add compiler flags for partition-alloc and missing linker args
---
 docs/usage.md | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/docs/usage.md b/docs/usage.md
index 17ed063f8..d4af88255 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -155,8 +155,13 @@ are also required:
 -DPKEY=$PKEY
 -DIA2_ENABLE=1
 -include /path/to/generated_output_header.h
+-I $IA2_PATH/runtime/partition-alloc/include
 -Werror=incompatible-pointer-types
 -Wl,--wrap=pthread_create
+-Wl,--wrap=calloc
+-Wl,--wrap=malloc
+-Wl,--wrap=realloc
+-Wl,--wrap=free
 -pthread
 -Wl,-z,now
 -Wl,-z,relro
@@ -166,6 +171,11 @@ are also required:
 -Wl,--wrap=main
 -Wl,--dynamic-list=$IA2_PATH/runtime/libia2/dynsym.syms
 -Wl,--export-dynamic
+-L$IA2_PATH/build/runtime/libia2
+-L$IA2_PATH/build/runtime/partition-alloc
+-llibia2
+-lpartition-alloc
+-lcallgates
 ```
 
 Also if the rewriter produces a linker args file for a given compartment (i.e. a
From da28bb91bb2c333f2ffa408f42df34ea17371445 Mon Sep 17 00:00:00 2001
From: Nicole LeGare
Date: Mon, 9 Dec 2024 10:30:05 -0800
Subject: [PATCH 2/8] Add docs for running pad-tls
---
 docs/usage.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/docs/usage.md b/docs/usage.md
index d4af88255..b350f9b07 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -181,3 +181,11 @@ are also required:
 Also if the rewriter produces a linker args file for a given compartment (i.e. a
 `.ld` file), you must include `-Wl,@/path/to/generated_linker_args_$PKEY.ld` when
 linking that DSO.
+
+## Using Thread Local Storage
+
+When using TLS in a containerized app, you'll need to run the `pad-tls` tool on
+all shared objects in the app. This includes `libc.so` as libc initializes TLS.
+If you're seeing compartment violations when accessing TLS then you likely need
+to run `pad-tls` on the relevant. The tool can be found at
+`$IA2_PATH/build/tools/pad-tls/pad-tls`.
From 7e0de07e9e447861cbbfc31d3a58b967d3caac93 Mon Sep 17 00:00:00 2001
From: Nicole LeGare
Date: Mon, 9 Dec 2024 10:38:50 -0800
Subject: [PATCH 3/8] Add missing include path
---
 docs/usage.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/docs/usage.md b/docs/usage.md
index b350f9b07..3f9d2ce64 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -155,6 +155,7 @@ are also required:
 -DPKEY=$PKEY
 -DIA2_ENABLE=1
 -include /path/to/generated_output_header.h
+-I $IA2_PATH/runtime/libia2/include
 -I $IA2_PATH/runtime/partition-alloc/include
 -Werror=incompatible-pointer-types
 -Wl,--wrap=pthread_create
@@ -185,7 +186,7 @@ linking that DSO.
 ## Using Thread Local Storage
 
 When using TLS in a containerized app, you'll need to run the `pad-tls` tool on
-all shared objects in the app. This includes `libc.so` as libc initializes TLS.
-If you're seeing compartment violations when accessing TLS then you likely need
-to run `pad-tls` on the relevant. The tool can be found at
+all shared objects in the app. This includes `libc.so` as libc both initializes
+and makes use of TLS. If you're seeing compartment violations when accessing TLS
+then you likely need to run `pad-tls` on the relevant. The tool can be found at
 `$IA2_PATH/build/tools/pad-tls/pad-tls`.
From c95877f30f19f9076b3a6eaf8677b153e628f37e Mon Sep 17 00:00:00 2001
From: Nicole L
Date: Mon, 9 Dec 2024 10:59:30 -0800
Subject: [PATCH 4/8] Containerized -> compartmentalized
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Ayrton Muñoz
---
 docs/usage.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/usage.md b/docs/usage.md
index 3f9d2ce64..23e926334 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -185,7 +185,7 @@ linking that DSO.
 
 ## Using Thread Local Storage
 
-When using TLS in a containerized app, you'll need to run the `pad-tls` tool on
+When using TLS in a compartmentalized app, you'll need to run the `pad-tls` tool on
 all shared objects in the app. This includes `libc.so` as libc both initializes
 and makes use of TLS. If you're seeing compartment violations when accessing TLS
 then you likely need to run `pad-tls` on the relevant. The tool can be found at
From 43c87c7d1ccfc03450b2a9ba26f663d921368271 Mon Sep 17 00:00:00 2001
From: Nicole LeGare
Date: Mon, 9 Dec 2024 11:11:22 -0800
Subject: [PATCH 5/8] Add note about using ldd to find dependencies
---
 docs/usage.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/usage.md b/docs/usage.md
index 23e926334..68b9a37f0 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -189,4 +189,4 @@ When using TLS in a compartmentalized app, you'll need to run the `pad-tls` tool
 all shared objects in the app. This includes `libc.so` as libc both initializes
 and makes use of TLS. If you're seeing compartment violations when accessing TLS
 then you likely need to run `pad-tls` on the relevant. The tool can be found at
-`$IA2_PATH/build/tools/pad-tls/pad-tls`.
+`$IA2_PATH/build/tools/pad-tls/pad-tls`. Note that the `ldd` and `lddtree` tools can be used to list the DSO dependencies of your app.
From fbc3b906344320f9e20cfc96fb16b9f796690bb8 Mon Sep 17 00:00:00 2001
From: Nicole LeGare
Date: Mon, 9 Dec 2024 11:38:24 -0800
Subject: [PATCH 6/8] Add even more --wrap linker args
---
 docs/usage.md | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/docs/usage.md b/docs/usage.md
index 68b9a37f0..23641d0f0 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -158,11 +158,22 @@ are also required:
 -I $IA2_PATH/runtime/libia2/include
 -I $IA2_PATH/runtime/partition-alloc/include
 -Werror=incompatible-pointer-types
--Wl,--wrap=pthread_create
--Wl,--wrap=calloc
--Wl,--wrap=malloc
--Wl,--wrap=realloc
--Wl,--wrap=free
+-Wl,--wrap,pthread_create
+-Wl,--wrap,calloc
+-Wl,--wrap,free
+-Wl,--wrap,malloc
+-Wl,--wrap,memalign
+-Wl,--wrap,posix_memalign
+-Wl,--wrap,pvalloc
+-Wl,--wrap,realloc
+-Wl,--wrap,valloc
+-Wl,--wrap,malloc_usable_size
+-Wl,--wrap,realpath
+-Wl,--wrap,strdup
+-Wl,--wrap,strndup
+-Wl,--wrap,getcwd
+-Wl,--wrap,asprintf
+-Wl,--wrap,vasprintf
 -pthread
 -Wl,-z,now
 -Wl,-z,relro
@@ -185,8 +196,9 @@ linking that DSO.
 
 ## Using Thread Local Storage
 
-When using TLS in a compartmentalized app, you'll need to run the `pad-tls` tool on
-all shared objects in the app. This includes `libc.so` as libc both initializes
-and makes use of TLS. If you're seeing compartment violations when accessing TLS
-then you likely need to run `pad-tls` on the relevant. The tool can be found at
-`$IA2_PATH/build/tools/pad-tls/pad-tls`. Note that the `ldd` and `lddtree` tools can be used to list the DSO dependencies of your app.
+When using TLS in a compartmentalized app, you'll need to run the `pad-tls` tool
+on all shared objects in the app. This includes `libc.so` as libc both
+initializes and makes use of TLS. If you're seeing compartment violations when
+accessing TLS then you likely need to run `pad-tls` on the relevant. The tool
+can be found at `$IA2_PATH/build/tools/pad-tls/pad-tls`. Note that the `ldd` and
+`lddtree` tools can be used to list the DSO dependencies of your app.
From 49a135be7aba3d6a6eee7673fc7593784990d472 Mon Sep 17 00:00:00 2001
From: Nicole LeGare
Date: Mon, 9 Dec 2024 11:40:45 -0800
Subject: [PATCH 7/8] Update list of partition-alloc linker args
---
 runtime/partition-alloc/README.md | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/runtime/partition-alloc/README.md b/runtime/partition-alloc/README.md
index 95c4522fe..6e33413a7 100644
--- a/runtime/partition-alloc/README.md
+++ b/runtime/partition-alloc/README.md
@@ -7,10 +7,21 @@ allocator, first build `libpartition_alloc.so` with the CMake `partition-alloc`
 your program against `libpartition_alloc.so` with the following linker flags.
 ```
--Wl,--wrap=calloc \
--Wl,--wrap=malloc \
--Wl,--wrap=realloc \
--Wl,--wrap=free
+-Wl,-wrap,calloc
+-Wl,-wrap,free
+-Wl,-wrap,malloc
+-Wl,-wrap,memalign
+-Wl,-wrap,posix_memalign
+-Wl,-wrap,pvalloc
+-Wl,-wrap,realloc
+-Wl,-wrap,valloc
+-Wl,-wrap,malloc_usable_size
+-Wl,-wrap,realpath
+-Wl,-wrap,strdup
+-Wl,-wrap,strndup
+-Wl,-wrap,getcwd
+-Wl,-wrap,asprintf
+-Wl,-wrap,vasprintf
 ```
 [wrap]: https://chromium.googlesource.com/chromium/src/base/+/refs/heads/main/allocator/allocator_shim_override_libc_symbols.h
From f11a90543816ae9893b0aa6f0c1fa7a1ad80ffcc Mon Sep 17 00:00:00 2001
From: Nicole LeGare
Date: Fri, 13 Dec 2024 10:21:50 -0800
Subject: [PATCH 8/8] Fix `-Wl,--wrap` instructions
---
 docs/usage.md | 32 +++++++++++++++----------------
 runtime/partition-alloc/README.md | 30 ++++++++++++++---------------
 2 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/docs/usage.md b/docs/usage.md
index 23641d0f0..8811eb1d7 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -158,22 +158,22 @@ are also required:
 -I $IA2_PATH/runtime/libia2/include
 -I $IA2_PATH/runtime/partition-alloc/include
 -Werror=incompatible-pointer-types
--Wl,--wrap,pthread_create
--Wl,--wrap,calloc
--Wl,--wrap,free
--Wl,--wrap,malloc
--Wl,--wrap,memalign
--Wl,--wrap,posix_memalign
--Wl,--wrap,pvalloc
--Wl,--wrap,realloc
--Wl,--wrap,valloc
--Wl,--wrap,malloc_usable_size
--Wl,--wrap,realpath
--Wl,--wrap,strdup
--Wl,--wrap,strndup
--Wl,--wrap,getcwd
--Wl,--wrap,asprintf
--Wl,--wrap,vasprintf
+-Wl,--wrap=pthread_create
+-Wl,--wrap=calloc
+-Wl,--wrap=free
+-Wl,--wrap=malloc
+-Wl,--wrap=memalign
+-Wl,--wrap=posix_memalign
+-Wl,--wrap=pvalloc
+-Wl,--wrap=realloc
+-Wl,--wrap=valloc
+-Wl,--wrap=malloc_usable_size
+-Wl,--wrap=realpath
+-Wl,--wrap=strdup
+-Wl,--wrap=strndup
+-Wl,--wrap=getcwd
+-Wl,--wrap=asprintf
+-Wl,--wrap=vasprintf
 -pthread
 -Wl,-z,now
 -Wl,-z,relro
diff --git a/runtime/partition-alloc/README.md b/runtime/partition-alloc/README.md
index 6e33413a7..caf03a5f0 100644
--- a/runtime/partition-alloc/README.md
+++ b/runtime/partition-alloc/README.md
@@ -7,21 +7,21 @@ allocator, first build `libpartition_alloc.so` with the CMake `partition-alloc`
 your program against `libpartition_alloc.so` with the following linker flags.
 ```
--Wl,-wrap,calloc
--Wl,-wrap,free
--Wl,-wrap,malloc
--Wl,-wrap,memalign
--Wl,-wrap,posix_memalign
--Wl,-wrap,pvalloc
--Wl,-wrap,realloc
--Wl,-wrap,valloc
--Wl,-wrap,malloc_usable_size
--Wl,-wrap,realpath
--Wl,-wrap,strdup
--Wl,-wrap,strndup
--Wl,-wrap,getcwd
--Wl,-wrap,asprintf
--Wl,-wrap,vasprintf
+-Wl,--wrap=calloc
+-Wl,--wrap=free
+-Wl,--wrap=malloc
+-Wl,--wrap=memalign
+-Wl,--wrap=posix_memalign
+-Wl,--wrap=pvalloc
+-Wl,--wrap=realloc
+-Wl,--wrap=valloc
+-Wl,--wrap=malloc_usable_size
+-Wl,--wrap=realpath
+-Wl,--wrap=strdup
+-Wl,--wrap=strndup
+-Wl,--wrap=getcwd
+-Wl,--wrap=asprintf
+-Wl,--wrap=vasprintf
 ```
 [wrap]: https://chromium.googlesource.com/chromium/src/base/+/refs/heads/main/allocator/allocator_shim_override_libc_symbols.h