authorRobert Peichaer <rpe@cvs.openbsd.org>2017-08-29 16:56:14 +0000
committerRobert Peichaer <rpe@cvs.openbsd.org>2017-08-29 16:56:14 +0000
commit7d3eed9bebc94ded87cabf2e5f9fa735f2b12cab (patch)
treeaf895738b5404808cde553d58d4e8d55aaca5f51 /etc
parent0fa82eb7313598bcd16030b3ebb266608951ca5e (diff)
Based on previous work from deraadt, add relinking of ld.so to
reorder_libs() resulting in a unique ld.so on every system start. Idea from and OK deraadt@ OK tb@
Diffstat (limited to 'etc')
-rw-r--r--etc/rc30
1 files changed, 21 insertions, 9 deletions
diff --git a/etc/rc b/etc/rc
index 68182c714d2..7aa326c0443 100644
--- a/etc/rc
+++ b/etc/rc
@@ -1,4 +1,4 @@
-# $OpenBSD: rc,v 1.516 2017/08/28 06:56:54 ajacoutot Exp $
+# $OpenBSD: rc,v 1.517 2017/08/29 16:56:13 rpe Exp $
# System startup script run by init on autoboot or after single-user.
# Output and error are redirected to console by init, and the console is the
@@ -186,19 +186,31 @@ reorder_libs() {
done
_libas=${_libas# }
- for _liba in $_libas; do
- _tmpdir=$(mktemp -dq /tmp/_librebuild.XXXXXXXXXXXX) && (
- set -o errexit
- _lib=${_liba#/usr/lib/}
- _lib=${_lib%.a}
- cd $_tmpdir
- ar x ${_liba}
+ for _liba in /usr/libdata/ld.so.a $_libas; do
+ _tmpdir=$(mktemp -dq /tmp/_librebuild.XXXXXXXXXXXX) &&
+ (
+ set -o errexit
+ _install='install -F -S -o root -g bin -m 0444'
+ _lib=${_liba##*/}
+ _lib=${_lib%.a}
+ cd $_tmpdir
+ ar x $_liba
+ if [[ $_lib == ld.so ]]; then
+ ld -g -x -e _dl_start \
+ --version-script=Symbols.map --shared -Bsymbolic \
+ --no-undefined -o ld.so.test $(ls *.o | sort -R)
+ chmod u+x test-ld.so
+ [[ $(./test-ld.so ok) == './test-ld.so: ok!' ]]
+ $_install /usr/libexec/ld.so /usr/libexec/ld.so.save
+ $_install ld.so.test /usr/libexec/ld.so
+ else
cc -shared -o $_lib $(ls *.so | sort -R) $(cat .ldadd)
[[ -s $_lib ]] && file $_lib | fgrep -q 'shared object'
LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir awk 'BEGIN {exit 0}'
LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir openssl \
x509 -in /etc/ssl/cert.pem -out /dev/null
- install -F -S -o root -g bin -m 0444 $_lib /usr/lib/$_lib
+ $_install $_lib ${_liba%/*}/$_lib
+ fi
) || { _error=true; break; }
done
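Review bot: Putting `/usr/libdata/ld.so.a` first in the new `for` list ties library randomization to the ld.so relink. Any failure in the ld.so branch (a missing archive at `ar x`, the `ld` step, the `test-ld.so` check, or either `$_install`) reaches `|| { _error=true; break; }` and leaves every library in `$_libas` in its previous link order for this boot. If that coupling is not intended, iterate ld.so last, `for _liba in $_libas /usr/libdata/ld.so.a; do`, so the libraries are still reordered when only the ld.so step fails. The self-test line would also benefit from a comment such as `# test-ld.so is expected to load ./ld.so.test as its interpreter, so this exercises the fresh link`; the hunk does not show that linkage, so confirm it before adding. Because /usr/libexec/ld.so now changes on every start, file-integrity baselines should track /usr/libdata/ld.so.a rather than the installed ld.so hash. reorder_libs() starts and ends outside the hunk, so how `_error` is reported is not visible here.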