8 files changed, 111 insertions, 6 deletions

diff --git a/usr/src/cmd/sgs/rtld/common/_rtld.h b/usr/src/cmd/sgs/rtld/common/_rtld.h
index ece14a855e..83b7071471 100644
--- a/usr/src/cmd/sgs/rtld/common/_rtld.h
+++ b/usr/src/cmd/sgs/rtld/common/_rtld.h
@@ -26,7 +26,7 @@
  * Copyright (c) 1990, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 /*
- * Copyright (c) 2012, Joyent, Inc.  All rights reserved.
+ * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
  */
 #ifndef	__RTLD_H
 #define	__RTLD_H
@@ -589,6 +589,8 @@ extern const char	*rpl_ldflags;	/* replaceable LD_FLAGS string */
 extern const char	*rpl_libpath;	/* replaceable LD_LIBRARY string */
 extern Alist		*rpl_libdirs;	/*	and its associated Pdesc list */
 extern const char	*rpl_preload;	/* replaceable LD_PRELOAD string */
+extern const char	*rpl_ldtoxic;	/* replaceable LD_TOXIC_PATH string */
+extern Alist		*rpl_toxdirs;	/*    and associated Pdesc list */
 
 extern const char	*prm_audit;	/* permanent LD_AUDIT string */
 extern const char	*prm_debug;	/* permanent LD_DEBUG string */
diff --git a/usr/src/cmd/sgs/rtld/common/analyze.c b/usr/src/cmd/sgs/rtld/common/analyze.c
index e14c121f07..df05f21924 100644
--- a/usr/src/cmd/sgs/rtld/common/analyze.c
+++ b/usr/src/cmd/sgs/rtld/common/analyze.c
@@ -21,6 +21,7 @@
 
 /*
  * Copyright (c) 1990, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, Joyent, Inc. All rights reserved.
  */
 
 /*
@@ -834,6 +835,44 @@ is_so_loaded(Lm_list *lml, const char *name, int *in_nfavl)
 }
 
 /*
+ * Walk the toxic path list and determine if the object in question has violated
+ * the toxic path. When evaluating the toxic path we need to ensure that we
+ * match any path that's a subdirectory of a listed entry. In other words if
+ * /foo/bar is toxic, something in /foo/bar/baz/ is no good. However, we need to
+ * ensure that we don't mark /foo/barbaz/ as bad.
+ */
+static int
+is_load_toxic(Lm_list *lml, Rt_map *nlmp)
+{
+	const char	*fpath = PATHNAME(nlmp);
+	size_t		flen = strlen(fpath);
+	Pdesc 		*pdp;
+	Aliste 		idx;
+
+	for (ALIST_TRAVERSE(rpl_toxdirs, idx, pdp)) {
+		if (pdp->pd_plen == 0)
+			continue;
+
+		if (strncmp(pdp->pd_pname, fpath, pdp->pd_plen) == 0) {
+			if (pdp->pd_pname[pdp->pd_plen-1] != '/') {
+				/*
+				 * Path didn't end in a /, make sure
+				 * we're at a directory boundary
+				 * nonetheless.
+				 */
+				if (flen > pdp->pd_plen &&
+				    fpath[pdp->pd_plen] == '/')
+					return (1);
+				continue;
+			}
+			return (1);
+		}
+	}
+
+	return (0);
+}
+
+/*
  * Tracing is enabled by the LD_TRACE_LOADED_OPTIONS environment variable which
  * is normally set from ldd(1).  For each link map we load, print the load name
  * and the full pathname of the associated object.
@@ -2169,6 +2208,17 @@ load_finish(Lm_list *lml, const char *name, Rt_map *clmp, int nmode,
 	uint_t		rdflags;
 
 	/*
+	 * If this dependency is associated with a toxic path, then we must
+	 * honor the user's request to die.
+	 */
+	if (is_load_toxic(lml, nlmp) != 0) {
+		eprintf(lml, ERR_FATAL, MSG_INTL(MSG_TOXIC_FILE),
+		    PATHNAME(nlmp));
+		rtldexit(lml, 1);
+
+	}
+
+	/*
 	 * If this dependency is associated with a required version ensure that
 	 * the version is present in the loaded file.
 	 */
diff --git a/usr/src/cmd/sgs/rtld/common/globals.c b/usr/src/cmd/sgs/rtld/common/globals.c
index 5f48fafc5f..2e98768551 100644
--- a/usr/src/cmd/sgs/rtld/common/globals.c
+++ b/usr/src/cmd/sgs/rtld/common/globals.c
@@ -24,6 +24,7 @@
  *	  All Rights Reserved
  *
  * Copyright (c) 1990, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
  */
 
 #include	<sys/types.h>
@@ -132,6 +133,8 @@ const char	*rpl_ldflags = NULL;	/* replaceable LD_FLAGS string */
 const char	*rpl_libpath = NULL;	/* replaceable LD_LIBRARY_PATH string */
 Alist		*rpl_libdirs = NULL;	/*    and associated Pdesc list */
 const char	*rpl_preload = NULL;	/* replaceable LD_PRELOAD string */
+const char	*rpl_ldtoxic = NULL;	/* replaceable LD_TOXIC string */
+Alist		*rpl_toxdirs = NULL;	/*    and associated Pdesc list */
 
 const char	*prm_audit = NULL;	/* permanent LD_AUDIT string */
 const char	*prm_debug = NULL;	/* permanent LD_DEBUG string */
diff --git a/usr/src/cmd/sgs/rtld/common/rtld.msg b/usr/src/cmd/sgs/rtld/common/rtld.msg
index 97e2841b8f..9309d0c62e 100644
--- a/usr/src/cmd/sgs/rtld/common/rtld.msg
+++ b/usr/src/cmd/sgs/rtld/common/rtld.msg
@@ -21,6 +21,7 @@
 
 #
 # Copyright (c) 1995, 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2014, Joyent, Inc.  All rights reserved.
 #
 
 @ _START_
@@ -99,9 +100,14 @@
 @ MSG_SYS_MPROT		"%s: mprotect failed: %s"
 @ MSG_SYS_MMAPANON	"mmap anon failed: %s"
 
+# Secure path failures
+
 @ MSG_SEC_OPEN		"%s: open failed: No such file in secure directories"
 @ MSG_SEC_ILLEGAL	"%s: open failed: illegal insecure pathname"
 
+# Toxic failures
+
+@ MSG_TOXIC_FILE	"%s: dependency marked as toxic"
 
 # Configuration failures
 
@@ -395,6 +401,7 @@
 @ MSG_LD_PROFILE_OUTPUT	"PROFILE_OUTPUT"
 @ MSG_LD_SFCAP		"SFCAP"
 @ MSG_LD_SIGNAL		"SIGNAL"
+@ MSG_LD_TOXICPATH	"TOXIC_PATH"
 @ MSG_LD_TRACE_OBJS	"TRACE_LOADED_OBJECTS"
 @ MSG_LD_TRACE_OBJS_E	"TRACE_LOADED_OBJECTS_E"
 @ MSG_LD_TRACE_OBJS_A	"TRACE_LOADED_OBJECTS_A"
diff --git a/usr/src/cmd/sgs/rtld/common/setup.c b/usr/src/cmd/sgs/rtld/common/setup.c
index 862bb7d61f..98e3ba5d33 100644
--- a/usr/src/cmd/sgs/rtld/common/setup.c
+++ b/usr/src/cmd/sgs/rtld/common/setup.c
@@ -28,7 +28,7 @@
  *	  All Rights Reserved
  */
 /*
- * Copyright (c) 2012, Joyent, Inc.  All rights reserved.
+ * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
  */
 
 /*
@@ -819,6 +819,14 @@ setup(char **envp, auxv_t *auxv, Word _flags, char *_platform, int _syspagsz,
 			return (0);
 	}
 
+	/*
+	 * Initialize our toxic paths
+	 */
+	if (rpl_ldtoxic != NULL) {
+		(void) expand_paths(mlmp, rpl_ldtoxic, &rpl_toxdirs,
+		    AL_CNT_SEARCH, 0, PD_TKN_CAP);
+	}
+
 #if	defined(_ELF64)
 	/*
 	 * If this is a 64-bit process, determine whether this process has
diff --git a/usr/src/cmd/sgs/rtld/common/util.c b/usr/src/cmd/sgs/rtld/common/util.c
index aaefba0f80..8d813c807b 100644
--- a/usr/src/cmd/sgs/rtld/common/util.c
+++ b/usr/src/cmd/sgs/rtld/common/util.c
@@ -24,6 +24,7 @@
  *	  All Rights Reserved
  *
  * Copyright (c) 1990, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
  */
 
 /*
@@ -1424,6 +1425,7 @@ static	u_longlong_t		cmdisa = 0;	/* command line (-e) ISA */
 #define	ENV_FLG_CAP_FILES	0x0080000000000ULL
 #define	ENV_FLG_DEFERRED	0x0100000000000ULL
 #define	ENV_FLG_NOENVIRON	0x0200000000000ULL
+#define	ENV_FLG_TOXICPATH	0x0400000000000ULL
 
 #define	SEL_REPLACE		0x0001
 #define	SEL_PERMANT		0x0002
@@ -1597,8 +1599,7 @@ ld_generic_env(const char *s1, size_t len, const char *s2, Word *lmflags,
 		if ((len == MSG_LD_FLAGS_SIZE) && (strncmp(s1,
 		    MSG_ORIG(MSG_LD_FLAGS), MSG_LD_FLAGS_SIZE) == 0)) {
 			select |= SEL_ACT_SPEC_1;
-			str = (select & SEL_REPLACE) ? &rpl_ldflags :
-			    &prm_ldflags;
+			str = &rpl_ldflags;
 			variable = ENV_FLG_FLAGS;
 		}
 	}
@@ -1809,6 +1810,8 @@ ld_generic_env(const char *s1, size_t len, const char *s2, Word *lmflags,
 	 * In case an auditor is called, which in turn might exec(2) a
 	 * subprocess, this variable is disabled, so that any subprocess
 	 * escapes ldd(1) processing.
+	 *
+	 * Also, look for LD_TOXIC_PATH
 	 */
 	else if (*s1 == 'T') {
 		if (((len == MSG_LD_TRACE_OBJS_SIZE) &&
@@ -1846,7 +1849,13 @@ ld_generic_env(const char *s1, size_t len, const char *s2, Word *lmflags,
 			select |= SEL_ACT_LML;
 			val = LML_FLG_TRC_SEARCH;
 			variable = ENV_FLG_TRACE_PTHS;
+		} else if ((len == MSG_LD_TOXICPATH_SIZE) && (strncmp(s1,
+		    MSG_ORIG(MSG_LD_TOXICPATH), MSG_LD_TOXICPATH_SIZE) == 0)) {
+			select |= SEL_ACT_SPEC_1;
+			str = &rpl_ldtoxic;
+			variable = ENV_FLG_TOXICPATH;
 		}
+
 	}
 	/*
 	 * LD_UNREF and LD_UNUSED (internal, used by ldd(1)).
@@ -1970,7 +1979,8 @@ ld_generic_env(const char *s1, size_t len, const char *s2, Word *lmflags,
 			*lmtflags &= ~val;
 	} else if (select & SEL_ACT_SPEC_1) {
 		/*
-		 * variable is either ENV_FLG_FLAGS or ENV_FLG_LIBPATH
+		 * variable is either ENV_FLG_FLAGS, ENV_FLG_LIBPATH, or
+		 * ENV_FLG_TOXICPATH
 		 */
 		if (env_flags & ENV_TYP_NULL)
 			*str = NULL;
diff --git a/usr/src/man/man1/ld.so.1.1 b/usr/src/man/man1/ld.so.1.1
index 4b14ca4f1a..19afbbf3d6 100644
--- a/usr/src/man/man1/ld.so.1.1
+++ b/usr/src/man/man1/ld.so.1.1
@@ -1,9 +1,10 @@
 '\"
 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved
+.\" Copyright (c) 2014, Joyent, Inc.  All Rights Reserved
 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
 .\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH LD.SO.1 1 "Oct 5, 2012"
+.TH LD.SO.1 1 "May 8, 2014"
 .SH NAME
 ld.so.1 \- runtime linker for dynamic objects
 .SH SYNOPSIS
@@ -574,6 +575,24 @@ aid debugging. See also the \fBRTLD_DI_SETSIGNAL\fR request to
 .RE
 
 .sp
+.ne 2
+.na
+.BR LD_TOXIC_PATH,
+.BR LD_TOXIC_PATH_32,
+.BR LD_TOXIC_PATH_64,
+.ad
+.sp .6
+.RS 4n
+The toxic path refers to a set of paths where by, if
+.B ld.so.1
+were to load a dependency on that path, rather than loading it, it
+should kill the process. This is useful when having built libraries that
+while matching the native architecture of the system, are not suitable
+to be used, for example, libraries that that correspond to an alternate
+release of an operating system.
+.RE
+
+.sp
 .LP
 Notice that environment variable names beginning with the
 characters '\fBLD_\fR' are reserved for possible future enhancements to \fBld\fR(1) and
diff --git a/usr/src/tools/env/illumos.sh b/usr/src/tools/env/illumos.sh
index 825d172e65..4559fa6c15 100644
--- a/usr/src/tools/env/illumos.sh
+++ b/usr/src/tools/env/illumos.sh
@@ -230,3 +230,9 @@ export SPRO_VROOT="$SPRO_ROOT"
 
 # Uncomment this to disable support for SMB printing.
 # export ENABLE_SMB_PRINTING='#'
+
+#
+# These checks ensure that if we accidentally run a program linked against the
+# proto area, that we then fail the build.
+#
+export LD_TOXIC_PATH="$ROOT/lib:$ROOT/usr/lib"