
What does the --audit flag to GNU ld do?


I have an application where I'd like to use the rtld-audit interface provided by Linux to hook the shared-library loading process. This works great if I use the LD_AUDIT environment variable to tell the dynamic linker to use my audit library audit.so when I run my program.

However, I'd like to make this a bit more automatic, not requiring special environment setup. GNU ld provides an --audit flag, described as follows:

--audit AUDITLIB

Adds AUDITLIB to the "DT_AUDIT" entry of the dynamic section. AUDITLIB is not checked for existence, nor will it use the DT_SONAME specified in the library. If specified multiple times "DT_AUDIT" will contain a colon separated list of audit interfaces to use. If the linker finds an object with an audit entry while searching for shared libraries, it will add a corresponding "DT_DEPAUDIT" entry in the output file. This option is only meaningful on ELF platforms supporting the rtld-audit interface.

This suggests to me that if I link my program using --audit audit.so, then it should associate my audit library with the program. I would expect that the audit library would then be loaded when the program is run.

Sure enough, using readelf, I can verify that using this flag causes audit.so to be registered as an audit library in the ELF header. However, if I run my program without LD_AUDIT set, the audit library is never invoked. It seems like I have to set LD_AUDIT=audit.so in order to get the behavior I want.

This begs the question: what does the --audit flag actually do? Any documentation beyond the man page quote above seems to be pretty scarce. It's not clear to me that the Linux dynamic loader even uses the DT_AUDIT field in the ELF header. Is this by design?


Solution

  • It sets the DT_AUDIT dynamic entry, for whoever is willing to pay attention to it.

    The problem is that (as of current trunk) the GLIBC dynamic loader does not pay attention to it (look for the process_dl_audit routine). It only pays attention to the LD_AUDIT environment variable, and to the --audit flag when the loader (ld.so) is invoked directly.

    Until someone contributes code to also pay attention to DT_AUDIT, the --audit flag to ld will remain useless.
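
An added example, not part of the original question or answer: a small parser that reports what a binary records in DT_AUDIT and DT_DEPAUDIT, the same entries the question inspects with readelf. The function names `audit_entries` and `constructed_sample` are hypothetical, the sample image is constructed in memory, and only little-endian ELF64 is handled.

```python
import struct

DT_NULL, DT_STRTAB = 0, 5
DT_DEPAUDIT, DT_AUDIT = 0x6FFFFEFB, 0x6FFFFEFC  # tag values from <elf.h>
PT_LOAD, PT_DYNAMIC = 1, 2
PHDR = "<IIQQQQQQ"  # type, flags, offset, vaddr, paddr, filesz, memsz, align

def audit_entries(elf: bytes) -> dict:
    """List the audit libraries a little-endian ELF64 image names in its dynamic section."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (phoff,) = struct.unpack_from("<Q", elf, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)
    phdrs = [struct.unpack_from(PHDR, elf, phoff + i * phentsize) for i in range(phnum)]
    out = {"DT_AUDIT": [], "DT_DEPAUDIT": []}
    dyn = next((p for p in phdrs if p[0] == PT_DYNAMIC), None)
    if dyn is None:
        return out  # no dynamic section (static binary): nothing to report
    tags = []
    for pos in range(dyn[2], dyn[2] + dyn[5], 16):  # Elf64_Dyn is 16 bytes
        tag, val = struct.unpack_from("<qQ", elf, pos)
        if tag == DT_NULL:
            break
        tags.append((tag, val))
    # DT_STRTAB holds a virtual address; map it to a file offset through PT_LOAD.
    addr = next(v for t, v in tags if t == DT_STRTAB)
    load = next(p for p in phdrs if p[0] == PT_LOAD and p[3] <= addr < p[3] + p[5])
    strtab = load[2] + (addr - load[3])
    for tag, val in tags:
        name = {DT_AUDIT: "DT_AUDIT", DT_DEPAUDIT: "DT_DEPAUDIT"}.get(tag)
        if name:  # d_val is a string-table offset; the string is colon separated
            start = strtab + val
            out[name] += elf[start:elf.index(b"\0", start)].decode().split(":")
    return out

def constructed_sample(audit: bytes = b"audit.so") -> bytes:
    """Constructed test image: ELF header, two program headers, strtab, dynamic section."""
    base, strtab_off = 0x400000, 176
    strtab = b"\0" + audit + b"\0"
    dyn_off = (strtab_off + len(strtab) + 7) & ~7
    dyn = struct.pack("<qQqQqQ", DT_STRTAB, base + strtab_off, DT_AUDIT, 1, DT_NULL, 0)
    end = dyn_off + len(dyn)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01",
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack(PHDR, PT_LOAD, 4, 0, base, base, end, end, 0x1000)
    dynp = struct.pack(PHDR, PT_DYNAMIC, 4, dyn_off, base + dyn_off, base + dyn_off, 48, 48, 8)
    return (ehdr + load + dynp + strtab).ljust(dyn_off, b"\0") + dyn

if __name__ == "__main__":
    print(audit_entries(constructed_sample()))
```

Pass it the bytes of a real file (`open(path, "rb").read()`) to see which audit libraries a binary names, whether or not the loader in use acts on the entry.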