[PATCH nptl] ldso: Add config option for controlling LD_PRELOAD

Carmelo AMOROSO carmelo.amoroso at st.com
Wed Apr 14 05:24:46 UTC 2010


On a hardened system it can be useful to disable the use
of the LD_PRELOAD environment variable for preloading shared objects
before the system libraries. So this patch adds a config option,
LDSO_PRELOAD_ENV_SUPPORT, to control this behaviour.
It is enabled by default.

Signed-off-by: Carmelo Amoroso <carmelo.amoroso at st.com>
---
 extra/Configs/Config.in |   12 ++++++++++++
 ldso/ldso/ldso.c        |    8 ++++++++
 2 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/extra/Configs/Config.in b/extra/Configs/Config.in
index 90094ca..13e0d17 100644
--- a/extra/Configs/Config.in
+++ b/extra/Configs/Config.in
@@ -309,6 +309,18 @@ config LDSO_PRELOAD_FILE_SUPPORT
 	  whitespace separated list of shared libraries to be loaded before
 	  the program.
 
+config LDSO_PRELOAD_ENV_SUPPORT
+	bool "Enable library loader LD_PRELOAD environment"
+	depends on HAVE_SHARED
+	default y
+	help
+	  Enable this to make use of LD_PRELOAD environment variable.
+	  A whitespace-separated list of additional, user-specified, ELF shared
+	  libraries to be loaded before all others. This can be used to
+	  selectively override functions in other shared libraries. For
+	  set-user-ID/set-group-ID ELF binaries, only libraries in the standard
+	  search directories that are also set-user-ID will be loaded.
+
 config LDSO_BASE_FILENAME
 	string "Shared library loader naming prefix"
 	depends on HAVE_SHARED && (LDSO_CACHE_SUPPORT || LDSO_PRELOAD_FILE_SUPPORT)
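Review bot: The last sentence of the new help text describes behaviour this loader does not have: it says set-user-ID/set-group-ID binaries still preload libraries that are themselves set-user-ID, but the secure branch in ldso/ldso/ldso.c in this same patch sets `_dl_preload = NULL`, so LD_PRELOAD is ignored entirely for such binaries. The help should state what the loader actually does, e.g. `For set-user-ID/set-group-ID ELF binaries the variable is ignored.` It would also help to say that disabling this option removes only the environment-variable path and leaves the LDSO_PRELOAD_FILE_SUPPORT mechanism unaffected, since the two options sit next to each other and a reader may assume one implies the other.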
diff --git a/ldso/ldso/ldso.c b/ldso/ldso/ldso.c
index 74da588..ea4ad0f 100644
--- a/ldso/ldso/ldso.c
+++ b/ldso/ldso/ldso.c
@@ -47,7 +47,9 @@
 
 /* Global variables used within the shared library loader */
 char *_dl_library_path         = NULL;	/* Where we look for libraries */
+#ifdef __LDSO_PRELOAD_ENV_SUPPORT__
 char *_dl_preload              = NULL;	/* Things to be loaded before the libs */
+#endif
 char *_dl_ldsopath             = NULL;	/* Location of the shared lib loader */
 int _dl_errno                  = 0;	/* We can't use the real errno in ldso */
 size_t _dl_pagesize            = 0;	/* Store the page size for use later */
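Review bot: `_dl_preload` is now only defined when __LDSO_PRELOAD_ENV_SUPPORT__ is set, yet the diffstat lists ldso.c as the only C file touched; if a header declares it `extern` or another translation unit references it, a build with the option disabled will fail to compile or link, so any such declaration needs the same guard (this cannot be confirmed from the hunk). Separately, the `#endif` here and the two inside _dl_get_ready_to_run carry no trailing comment while the one closing the preload loop is written `#endif /* __LDSO_PRELOAD_ENV_SUPPORT__ */`; using that form for all four guards keeps the nesting readable in a file that already has several such blocks.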
@@ -348,7 +350,9 @@ void _dl_get_ready_to_run(struct elf_resolve *tpnt, DL_LOADADDR_TYPE load_addr,
 	     auxvt[AT_UID].a_un.a_val == auxvt[AT_EUID].a_un.a_val &&
 	     auxvt[AT_GID].a_un.a_val == auxvt[AT_EGID].a_un.a_val)) {
 		_dl_secure = 0;
+#ifdef __LDSO_PRELOAD_ENV_SUPPORT__
 		_dl_preload = _dl_getenv("LD_PRELOAD", envp);
+#endif
 		_dl_library_path = _dl_getenv("LD_LIBRARY_PATH", envp);
 	} else {
 		static const char unsecure_envvars[] =
@@ -365,7 +369,9 @@ void _dl_get_ready_to_run(struct elf_resolve *tpnt, DL_LOADADDR_TYPE load_addr,
 			/* We could use rawmemchr but this need not be fast.  */
 			nextp = _dl_strchr(nextp, '\0') + 1;
 		} while (*nextp != '\0');
+#ifdef __LDSO_PRELOAD_ENV_SUPPORT__
 		_dl_preload = NULL;
+#endif
 		_dl_library_path = NULL;
 		/* SUID binaries can be exploited if they do LAZY relocation. */
 		unlazy = RTLD_NOW;
@@ -612,6 +618,7 @@ void _dl_get_ready_to_run(struct elf_resolve *tpnt, DL_LOADADDR_TYPE load_addr,
 
 	_dl_map_cache();
 
+#ifdef __LDSO_PRELOAD_ENV_SUPPORT__
 	if (_dl_preload) {
 		char c, *str, *str2;
 
@@ -667,6 +674,7 @@ void _dl_get_ready_to_run(struct elf_resolve *tpnt, DL_LOADADDR_TYPE load_addr,
 				str++;
 		}
 	}
+#endif /* __LDSO_PRELOAD_ENV_SUPPORT__ */
 
 #ifdef __LDSO_PRELOAD_FILE_SUPPORT__
 	do {
-- 
1.6.3.3


