1 .\" Copyright (c) 2009 Linux Foundation, written by Michael Kerrisk
2 .\" <mtk.manpages@gmail.com>
4 .\" %%%LICENSE_START(VERBATIM)
5 .\" Permission is granted to make and distribute verbatim copies of this
6 .\" manual provided the copyright notice and this permission notice are
7 .\" preserved on all copies.
9 .\" Permission is granted to copy and distribute modified versions of this
10 .\" manual under the conditions for verbatim copying, provided that the
11 .\" entire resulting derived work is distributed under the terms of a
12 .\" permission notice identical to this one.
14 .\" Since the Linux kernel and libraries are constantly changing, this
15 .\" manual page may be incorrect or out-of-date. The author(s) assume no
16 .\" responsibility for errors or omissions, or for damages resulting from
17 .\" the use of the information contained herein. The author(s) may not
18 .\" have taken the same level of care in the production of this manual,
19 .\" which is licensed free of charge, as they might when working
22 .\" Formatted or processed versions of this manual, if unaccompanied by
23 .\" the source, must acknowledge the copyright and authors of this work.
26 .\" 2009-01-12, mtk, Created
28 .TH RTLD-AUDIT 7 2019-03-06 "Linux" "Linux Programmer's Manual"
30 rtld-audit \- auditing API for the dynamic linker
33 .BR "#define _GNU_SOURCE" " /* See feature_test_macros(7) */"
37 The GNU dynamic linker (run-time linker)
38 provides an auditing API that allows an application
39 to be notified when various dynamic linking events occur.
40 This API is very similar to the auditing interface provided by the
41 Solaris run-time linker.
42 The necessary constants and prototypes are defined by including
45 To use this interface, the programmer creates a shared library
46 that implements a standard set of function names.
47 Not all of the functions need to be implemented: in most cases,
48 if the programmer is not interested in a particular class of auditing event,
49 then no implementation needs to be provided for the corresponding
52 To employ the auditing interface, the environment variable
54 must be defined to contain a colon-separated list of shared libraries,
55 each of which can implement (parts of) the auditing API.
56 When an auditable event occurs,
57 the corresponding function is invoked in each library,
58 in the order that the libraries are listed.
62 .BI "unsigned int la_version(unsigned int " version );
65 This is the only function that
67 be defined by an auditing library:
68 it performs the initial handshake between the dynamic linker and
70 When invoking this function, the dynamic linker passes, in
72 the highest version of the auditing interface that the linker supports.
73 If necessary, the auditing library can check that this version
74 is sufficient for its requirements.
76 As its function result,
77 this function should return the version of the auditing interface
78 that this auditing library expects to use (returning
81 If the returned value is 0,
82 or a version that is greater than that supported by the dynamic linker,
83 then the audit library is ignored.
87 .BI "char *la_objsearch(const char *" name ", uintptr_t *" cookie ,
88 .BI " unsigned int " flag );
91 The dynamic linker invokes this function to inform the auditing library
92 that it is about to search for a shared object.
95 argument is the filename or pathname that is to be searched for.
97 identifies the shared object that initiated the search.
99 is set to one of the following values:
102 This is the original name that is being searched for.
103 Typically, this name comes from an ELF
112 was created using a directory specified in
113 .BR LD_LIBRARY_PATH .
117 was created using a directory specified in an ELF
128 .RI ( /etc/ld.so.cache ).
132 was found via a search of one of the default directories.
136 is specific to a secure object (unused on Linux).
138 As its function result,
140 returns the pathname that the dynamic linker should use
141 for further processing.
142 If NULL is returned, then this pathname is ignored for further processing.
143 If this audit library simply intends to monitor search paths, then
149 .BI "void la_activity( uintptr_t *" cookie ", unsigned int "flag );
152 The dynamic linker calls this function to inform the auditing library
153 that link-map activity is occurring.
155 identifies the object at the head of the link map.
156 When the dynamic linker invokes this function,
158 is set to one of the following values:
161 New objects are being added to the link map.
164 Objects are being removed from the link map.
167 Link-map activity has been completed: the map is once again consistent.
171 .BI "unsigned int la_objopen(struct link_map *" map ", Lmid_t " lmid ,
172 .BI " uintptr_t *" cookie );
175 The dynamic linker calls this function when a new shared object is loaded.
178 argument is a pointer to a link-map structure that describes the object.
181 field has one of the following values
184 Link map is part of the initial namespace.
187 Link map is part of a new namespace requested via
191 is a pointer to an identifier for this object.
192 The identifier is provided to later calls to functions
193 in the auditing library in order to identify this object.
194 This identifier is initialized to point to object's link map,
195 but the audit library can change the identifier to some other value
196 that it may prefer to use to identify the object.
200 returns a bit mask created by ORing zero or more of the
202 which allow the auditing library to select the objects to be monitored by
206 Audit symbol bindings to this object.
209 Audit symbol bindings from this object.
211 A return value of 0 from
213 indicates that no symbol bindings should be audited for this object.
217 .BI "unsigned int la_objclose(uintptr_t *" cookie );
220 The dynamic linker invokes this function after any finalization
221 code for the object has been executed,
222 before the object is unloaded.
225 argument is the identifier obtained from a previous invocation of
228 In the current implementation, the value returned by
234 .BI "void la_preinit(uintptr_t *" cookie );
237 The dynamic linker invokes this function after all shared objects
238 have been loaded, before control is passed to the application
239 (i.e., before calling
243 may still later dynamically load objects using
248 .BI "uintptr_t la_symbind32(Elf32_Sym *" sym ", unsigned int " ndx ,
249 .BI " uintptr_t *" refcook ", uintptr_t *" defcook ,
250 .BI " unsigned int *" flags ", const char *" symname );
251 .BI "uintptr_t la_symbind64(Elf64_Sym *" sym ", unsigned int " ndx ,
252 .BI " uintptr_t *" refcook ", uintptr_t *" defcook ,
253 .BI " unsigned int *" flags ", const char *" symname );
256 The dynamic linker invokes one of these functions
257 when a symbol binding occurs between two shared objects
258 that have been marked for auditing notification by
262 function is employed on 32-bit platforms;
265 function is employed on 64-bit platforms.
269 argument is a pointer to a structure
270 that provides information about the symbol being bound.
271 The structure definition is shown in
273 Among the fields of this structure,
275 indicates the address to which the symbol is bound.
279 argument gives the index of the symbol in the symbol table
280 of the bound shared object.
284 argument identifies the shared object that is making the symbol reference;
285 this is the same identifier that is provided to the
287 function that returned
288 .BR LA_FLG_BINDFROM .
291 argument identifies the shared object that defines the referenced symbol;
292 this is the same identifier that is provided to the
294 function that returned
299 argument points a string containing the name of the symbol.
303 argument is a bit mask that both provides information about the symbol
304 and can be used to modify further auditing of this
305 PLT (Procedure Linkage Table) entry.
306 The dynamic linker may supply the following bit values in this argument:
307 .\" LA_SYMB_STRUCTCALL appears to be unused
310 The binding resulted from a call to
316 call returned an alternate value for this symbol.
318 By default, if the auditing library implements
322 functions (see below), then these functions are invoked, after
324 for PLT entries, each time the symbol is referenced.
325 .\" pltenter/pltexit are called for non-dynamically loaded libraries,
326 .\" but don't seem to be called for dynamically loaded libs?
327 .\" Is this the same on Solaris?
328 The following flags can be ORed into
330 to change this default behavior:
332 .B LA_SYMB_NOPLTENTER
346 is the address to which control should be passed after the function returns.
347 If the auditing library is simply monitoring symbol bindings,
348 then it should return
350 A different value may be returned if the library wishes to direct control
351 to an alternate location.
353 The precise name and argument types for this function
354 depend on the hardware platform.
355 (The appropriate definition is supplied by
357 Here is the definition for x86-32:
360 .BI "Elf32_Addr la_i86_gnu_pltenter(Elf32_Sym *" sym ", unsigned int " ndx ,
361 .BI " uintptr_t *" refcook ", uintptr_t *" defcook ,
362 .BI " La_i86_regs *" regs ", unsigned int *" flags ,
363 .BI " const char *" symname ", long int *" framesizep );
366 This function is invoked just before a PLT entry is called,
367 between two shared objects that have been marked for binding notification.
381 argument points to a structure (defined in
383 containing the values of registers to be used for
384 the call to this PLT entry.
388 argument points to a bit mask that conveys information about,
389 and can be used to modify subsequent auditing of, this PLT entry, as for
392 .\" FIXME . Is the following correct?
397 buffer that can be used to explicitly set the frame size
398 used for the call to this PLT entry.
401 invocations for this symbol return different values,
402 then the maximum returned value is used.
405 function is called only if this buffer is
406 explicitly set to a suitable value.
413 The precise name and argument types for this function
414 depend on the hardware platform.
415 (The appropriate definition is supplied by
417 Here is the definition for x86-32:
420 .BI "unsigned int la_i86_gnu_pltexit(Elf32_Sym *" sym ", unsigned int " ndx ,
421 .BI " uintptr_t *" refcook ", uintptr_t *" defcook ,
422 .BI " const La_i86_regs *" inregs ", La_i86_retval *" outregs ,
423 .BI " const char *" symname );
426 This function is called when a PLT entry,
427 made between two shared objects that have been marked
428 for binding notification, returns.
429 The function is called just before control returns to the caller
444 argument points to a structure (defined in
446 containing the values of registers used for the call to this PLT entry.
449 argument points to a structure (defined in
451 containing return values for the call to this PLT entry.
452 These values can be modified by the caller,
453 and the changes will be visible to the caller of the PLT entry.
455 In the current GNU implementation, the return value of
458 .\" This differs from Solaris, where an audit library that monitors
459 .\" symbol binding should return the value of the 'retval' argument
460 .\" (not provided by GNU, but equivalent to returning outregs->lrv_eax
461 .\" on (say) x86-32).
463 This API is nonstandard, but very similar to the Solaris API,
464 described in the Solaris
465 .IR "Linker and Libraries Guide" ,
467 .IR "Runtime Linker Auditing Interface" .
469 Note the following differences from the Solaris dynamic linker
474 interface is not supported by the GNU implementation.
480 functions do not provide a
486 function does not provide
490 arguments (but does provide a
492 argument with the function return value).
494 In glibc versions up to and include 2.9,
495 specifying more than one audit library in
497 results in a run-time crash.
498 This is reportedly fixed in glibc 2.10.
499 .\" FIXME . Specifying multiple audit libraries doesn't work on GNU.
500 .\" My simple tests on Solaris work okay, but not on Linux -- mtk, Jan 2009
501 .\" glibc bug filed: http://sourceware.org/bugzilla/show_bug.cgi?id=9733
502 .\" Reportedly, this is fixed on 16 Mar 2009 (i.e., for glibc 2.10)
509 la_version(unsigned int version)
511 printf("la_version(): %d\en", version);
517 la_objsearch(const char *name, uintptr_t *cookie, unsigned int flag)
519 printf("la_objsearch(): name = %s; cookie = %p", name, cookie);
520 printf("; flag = %s\en",
521 (flag == LA_SER_ORIG) ? "LA_SER_ORIG" :
522 (flag == LA_SER_LIBPATH) ? "LA_SER_LIBPATH" :
523 (flag == LA_SER_RUNPATH) ? "LA_SER_RUNPATH" :
524 (flag == LA_SER_DEFAULT) ? "LA_SER_DEFAULT" :
525 (flag == LA_SER_CONFIG) ? "LA_SER_CONFIG" :
526 (flag == LA_SER_SECURE) ? "LA_SER_SECURE" :
533 la_activity (uintptr_t *cookie, unsigned int flag)
535 printf("la_activity(): cookie = %p; flag = %s\en", cookie,
536 (flag == LA_ACT_CONSISTENT) ? "LA_ACT_CONSISTENT" :
537 (flag == LA_ACT_ADD) ? "LA_ACT_ADD" :
538 (flag == LA_ACT_DELETE) ? "LA_ACT_DELETE" :
543 la_objopen(struct link_map *map, Lmid_t lmid, uintptr_t *cookie)
545 printf("la_objopen(): loading \e"%s\e"; lmid = %s; cookie=%p\en",
547 (lmid == LM_ID_BASE) ? "LM_ID_BASE" :
548 (lmid == LM_ID_NEWLM) ? "LM_ID_NEWLM" :
552 return LA_FLG_BINDTO | LA_FLG_BINDFROM;
556 la_objclose (uintptr_t *cookie)
558 printf("la_objclose(): %p\en", cookie);
564 la_preinit(uintptr_t *cookie)
566 printf("la_preinit(): %p\en", cookie);
570 la_symbind32(Elf32_Sym *sym, unsigned int ndx, uintptr_t *refcook,
571 uintptr_t *defcook, unsigned int *flags, const char *symname)
573 printf("la_symbind32(): symname = %s; sym\->st_value = %p\en",
574 symname, sym\->st_value);
575 printf(" ndx = %d; flags = 0x%x", ndx, *flags);
576 printf("; refcook = %p; defcook = %p\en", refcook, defcook);
578 return sym\->st_value;
582 la_symbind64(Elf64_Sym *sym, unsigned int ndx, uintptr_t *refcook,
583 uintptr_t *defcook, unsigned int *flags, const char *symname)
585 printf("la_symbind64(): symname = %s; sym\->st_value = %p\en",
586 symname, sym\->st_value);
587 printf(" ndx = %d; flags = 0x%x", ndx, *flags);
588 printf("; refcook = %p; defcook = %p\en", refcook, defcook);
590 return sym\->st_value;
594 la_i86_gnu_pltenter(Elf32_Sym *sym, unsigned int ndx,
595 uintptr_t *refcook, uintptr_t *defcook, La_i86_regs *regs,
596 unsigned int *flags, const char *symname, long int *framesizep)
598 printf("la_i86_gnu_pltenter(): %s (%p)\en", symname, sym\->st_value);
600 return sym\->st_value;