tree-wide: always do dlopen() with RTLD_NOW + RTLD_NODELETE

Let's systematically use RTL_NOW|RLTD_NODELETE as flags passed to
dlopen(), across our codebase.

Various distros build with "-z now" anyway, hence it's weird to specify
RTLD_LAZY trying to override that (which it doesn't). Hence, let's
follow suit, and just do what everybody else does.

Also set RTLD_NODELETE, which is apparently what distros will probably
end up implying sooner or later anyway. Given that for pretty much all
our dlopen() calls we never call dlclose() anyway, let's just set this
everywhere too, to make things systematic.

This way, the flags we use by default match what distros such as fedora
do, there are no surprises, and read-only relocations can be a thing.

Fixes: #34537

diff --git a/src/basic/dlfcn-util.c b/src/basic/dlfcn-util.c
index 8022f552943f47d3d451636d8e943abc21b697e3..2ebb1463c2087faf8d11486d6cdb0cf1d6a8b1cd 100644 (file)
--- a/src/basic/dlfcn-util.c
+++ b/src/basic/dlfcn-util.c
@@ -44,7 +44,7 @@ int dlopen_many_sym_or_warn_sentinel(void **dlp, const char *filename, int log_l
         if (*dlp)
                 return 0; /* Already loaded */
 
-        dl = dlopen(filename, RTLD_LAZY);
+        dl = dlopen(filename, RTLD_NOW|RTLD_NODELETE);
         if (!dl)
                 return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                        "%s is not installed: %s", filename, dlerror());

diff --git a/src/shared/bpf-dlopen.c b/src/shared/bpf-dlopen.c
index ca5060a1022a78514518f31724134aa69103a4e9..87b13615c19f6e679e6a1ca946dc69c07b3264e8 100644 (file)
--- a/src/shared/bpf-dlopen.c
+++ b/src/shared/bpf-dlopen.c
@@ -83,13 +83,13 @@ int dlopen_bpf(void) {
 
         DISABLE_WARNING_DEPRECATED_DECLARATIONS;
 
-        dl = dlopen("libbpf.so.1", RTLD_LAZY);
+        dl = dlopen("libbpf.so.1", RTLD_NOW|RTLD_NODELETE);
         if (!dl) {
                 /* libbpf < 1.0.0 (we rely on 0.1.0+) provide most symbols we care about, but
                  * unfortunately not all until 0.7.0. See bpf-compat.h for more details.
                  * Once we consider we can assume 0.7+ is present we can just use the same symbol
                  * list for both files, and when we assume 1.0+ is present we can remove this dlopen */
-                dl = dlopen("libbpf.so.0", RTLD_LAZY);
+                dl = dlopen("libbpf.so.0", RTLD_NOW|RTLD_NODELETE);
                 if (!dl)
                         return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                                "neither libbpf.so.1 nor libbpf.so.0 are installed: %s", dlerror());

diff --git a/src/shared/idn-util.c b/src/shared/idn-util.c
index 7fa81677c92243eab449e87fe9215d77d689cff1..c62f6574911a7d961d02d91b5505398c5a86b67a 100644 (file)
--- a/src/shared/idn-util.c
+++ b/src/shared/idn-util.c
@@ -52,11 +52,11 @@ int dlopen_idn(void) {
         if (idn_dl)
                 return 0; /* Already loaded */
 
-        dl = dlopen("libidn.so.12", RTLD_LAZY);
+        dl = dlopen("libidn.so.12", RTLD_NOW|RTLD_NODELETE);
         if (!dl) {
                 /* libidn broke ABI in 1.34, but not in a way we care about (a new field got added to an
                  * open-coded struct we do not use), hence support both versions. */
-                dl = dlopen("libidn.so.11", RTLD_LAZY);
+                dl = dlopen("libidn.so.11", RTLD_NOW|RTLD_NODELETE);
                 if (!dl)
                         return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                                "libidn support is not installed: %s", dlerror());
@@ -64,7 +64,6 @@ int dlopen_idn(void) {
         } else
                 log_debug("Loaded 'libidn.so.12' via dlopen()");
 
-
         r = dlsym_many_or_warn(
                         dl,
                         LOG_DEBUG,

diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 723e6b4190dc205074d280b28aec544f8f2b58f1..36a0f906daae412858801ccb5d27e331cddfaaa7 100644 (file)
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -724,7 +724,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) {
                 if (!filename_is_valid(fn))
                         return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver);
 
-                context->tcti_dl = dlopen(fn, RTLD_NOW);
+                context->tcti_dl = dlopen(fn, RTLD_NOW|RTLD_NODELETE);
                 if (!context->tcti_dl)
                         return log_debug_errno(SYNTHETIC_ERRNO(ENOPKG), "Failed to load %s: %s", fn, dlerror());
 

diff --git a/src/shared/userdb.c b/src/shared/userdb.c
index c893876eaffc8399cf487440d5badb93e0f03260..a35716c3d539611b99fa67cf9581786e5c08f910 100644 (file)
--- a/src/shared/userdb.c
+++ b/src/shared/userdb.c
@@ -1443,7 +1443,7 @@ int userdb_block_nss_systemd(int b) {
 
         /* Note that we might be called from libnss_systemd.so.2 itself, but that should be fine, really. */
 
-        dl = dlopen(LIBDIR "/libnss_systemd.so.2", RTLD_LAZY|RTLD_NODELETE);
+        dl = dlopen(LIBDIR "/libnss_systemd.so.2", RTLD_NOW|RTLD_NODELETE);
         if (!dl) {
                 /* If the file isn't installed, don't complain loudly */
                 log_debug("Failed to dlopen(libnss_systemd.so.2), ignoring: %s", dlerror());

diff --git a/src/test/test-dlopen.c b/src/test/test-dlopen.c
index 9c315373b4ff60719a9cb729cdad44708a6e2884..6704e936e7b95fa5b7acf21975da7b22deccff06 100644 (file)
--- a/src/test/test-dlopen.c
+++ b/src/test/test-dlopen.c
@@ -10,7 +10,7 @@ int main(int argc, char **argv) {
         int i;
 
         for (i = 0; i < argc - 1; i++)
-                assert_se(handles[i] = dlopen(argv[i + 1], RTLD_NOW));
+                assert_se(handles[i] = dlopen(argv[i + 1], RTLD_NOW|RTLD_NODELETE));
 
         for (i--; i >= 0; i--)
                 assert_se(dlclose(handles[i]) == 0);

diff --git a/src/test/test-nss-hosts.c b/src/test/test-nss-hosts.c
index 6744d7068a9f6619564a3bf1042fa3459c057381..214fb217c85dcc04bdaa46e5099681aba865a517 100644 (file)
--- a/src/test/test-nss-hosts.c
+++ b/src/test/test-nss-hosts.c
@@ -380,7 +380,7 @@ static int test_one_module(const char *dir,
 
         log_info("======== %s ========", module);
 
-        _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_LAZY|RTLD_NODELETE);
+        _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_NOW|RTLD_NODELETE);
         if (!handle)
                 return -EINVAL;
 

diff --git a/src/test/test-nss-users.c b/src/test/test-nss-users.c
index 5178779d54a4767a52b74a5031430acb65c1696c..cba0f823b92afc855d8d705a12386ed30a5e3ce2 100644 (file)
--- a/src/test/test-nss-users.c
+++ b/src/test/test-nss-users.c
@@ -166,7 +166,7 @@ static int test_one_module(const char *dir,
 
         log_info("======== %s ========", module);
 
-        _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_LAZY|RTLD_NODELETE);
+        _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_NOW|RTLD_NODELETE);
         if (!handle)
                 return -EINVAL;