author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2020-04-16 18:16:26 -0700 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2020-04-16 18:16:26 -0700 |
commit | 41ff5cc4f9f360fab0a3fd696ca6aa266eb02cba (patch) | |
tree | 248681f6e7ae7731451dc7e4af12534a93c6a233 | |
parent | 2d144e66124e8d93b71bebccb3fe8ff871a12840 (diff) | |
Make the use of secret memory environment controlled
Use no secret memory for make check
Fix the intermediate rules problem
-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | preload.c | 21 |
2 files changed, 14 insertions, 11 deletions
@@ -2,11 +2,13 @@ LIBS=-lcrypto
 all: preload.so openssl_test
+.INTERMEDIATE: preload_test.o openssl_test.o
+
 clean:
 rm -f *.o *.so openssl_test preload_test
 check: preload_test preload.so
- LD_PRELOAD=./preload.so MALLOC_DEBUG=1 ./preload_test
+ LD_PRELOAD=./preload.so MALLOC_DEBUG=1 NO_SECRET_MEM=1 ./preload_test
 %.so: %.c
 gcc -g -shared -fPIC -o $@ $^
@@ -11,15 +11,10 @@
 #include <linux/memfd.h>
 /* bits to get memfd_create to work */
-#define NOSECRET 1
-#ifndef NOSECRET
 #define MFD_SECRET 0x0008U
 #define MFD_SECRET_IOCTL '-'
 #define MFD_SECRET_EXCLUSIVE _IOW(MFD_SECRET_IOCTL, 0x13, unsigned long)
 #define MFD_SECRET_UNCACHED _IOW(MFD_SECRET_IOCTL, 0x14, unsigned long)
-#else
-#define MFD_SECRET 0
-#endif
 #define ASSERT(x) do { if (!(x)) { printf("ASSERTION failed at line %d\n", __LINE__); exit(1); } } while (0)
@@ -180,17 +175,23 @@ void __attribute__ ((constructor)) preload_setup(void)
 void *p;
 struct malloc_chunk *c;
 const size_t msize = pad_request(sizeof(*m));
+ int use_secret = 1;
 if (getenv("MALLOC_DEBUG") != NULL)
 debug = 1;
+ if (getenv("NO_SECRET_MEM") != NULL)
+ use_secret = 0;
- fd = memfd_create("secure", MFD_CLOEXEC|MFD_SECRET);
+ if (use_secret)
+ fd = memfd_create("secure", MFD_CLOEXEC|MFD_SECRET);
+ else
+ fd = memfd_create("secure", MFD_CLOEXEC);
 check(fd < 0, "memfd_create");
-#ifndef NOSECRET
- ret = ioctl(fd, MFD_SECRET_EXCLUSIVE);
- check(ret < 0, "ioctl");
-#endif
+ if (use_secret) {
+ ret = ioctl(fd, MFD_SECRET_EXCLUSIVE);
+ check(ret < 0, "ioctl");
+ }
 ret = ftruncate(fd, SEG_SIZE);
 check(ret < 0, "ftruncate"); |
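Review bot: The `check` target now always sets `NO_SECRET_MEM=1`, so the only automated run of `preload_test` never reaches the `MFD_SECRET` flag or the `MFD_SECRET_EXCLUSIVE` ioctl that the library exists to apply. A regression in the protected path would pass `make check` unnoticed. Keep the portable target but add a second one for hosts that support secret memory, e.g. `check-secret: preload_test preload.so` with the recipe `LD_PRELOAD=./preload.so MALLOC_DEBUG=1 ./preload_test`, and say in a comment which of the two is expected to pass on an unpatched kernel.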
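Review bot: With the NOSECRET switch removed, `#define MFD_SECRET 0x0008U` and the three ioctl macros are always defined immediately after `#include <linux/memfd.h>`, with no guard and no statement of where the numbers come from. Wrapping the group in `#ifndef MFD_SECRET` … `#endif` avoids a redefinition if the installed header already provides the flag. The existing comment could also say what the values must agree with, for example `/* locally defined; must match the running kernel's MFD_SECRET ABI, otherwise memfd_create() is expected to fail */`. Whether `MFD_SECRET_UNCACHED` is used anywhere is not visible from this hunk.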
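Review bot: In preload_setup, `getenv("NO_SECRET_MEM") != NULL` turns off both `MFD_SECRET` and the `MFD_SECRET_EXCLUSIVE` ioctl for any value of the variable, including an empty one, and nothing is reported when that happens. A process that merely inherits the variable therefore runs with the segment in an ordinary memfd and leaves no trace of the downgrade. Make the fallback visible right after the getenv check, e.g. `if (!use_secret) fprintf(stderr, "preload: NO_SECRET_MEM set, secret memory disabled\n");`, and consider accepting only an explicit value such as `1`. As a style point, the two `memfd_create` calls differ only in their flags and could be a single call with `MFD_CLOEXEC | (use_secret ? MFD_SECRET : 0)`. The body of preload_setup starts and ends outside this hunk.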