I have an application where I'd like to use the rtld-audit interface provided by Linux to hook the shared-library loading process. This works great if I use the LD_AUDIT environment variable to tell the dynamic linker to use my audit library audit.so when I run my program.
However, I'd like to make this a bit more automatic, not requiring special environment setup. GNU ld provides an --audit flag, described as follows:
--audit AUDITLIB
Adds AUDITLIB to the "DT_AUDIT" entry of the dynamic section. AUDITLIB is not checked for existence, nor will it use the DT_SONAME specified in the library. If specified multiple times "DT_AUDIT" will contain a colon separated list of audit interfaces to use. If the linker finds an object with an audit entry while searching for shared libraries, it will add a corresponding "DT_DEPAUDIT" entry in the output file. This option is only meaningful on ELF platforms supporting the rtld-audit interface.
This suggests to me that if I link my program using --audit audit.so, then it should associate my audit library with the program. I would expect that the audit library would then be loaded when the program is run.
Sure enough, using readelf, I can verify that using this flag causes audit.so to be registered as an audit library in the ELF header. However, if I run my program without LD_AUDIT set, the audit library is never invoked. It seems like I have to set LD_AUDIT=audit.so in order to get the behavior I want.
This begs the question: what does the --audit flag actually do? Any documentation beyond the man page quote above seems to be pretty scarce. It's not clear to me that the Linux dynamic loader even uses the DT_AUDIT field in the ELF header. Is this by design?
It sets the DT_AUDIT dynamic entry, for whoever is willing to pay attention to it.
The problem is that (as of current trunk) GLIBC dynamic loader does not pay attention to it (look for process_dl_audit routine). It only pays attention to LD_AUDIT environment variable, and to --audit flag when the loader: ld.so is invoked directly.
Until someone contributes code to also pay attention to DT_AUDIT, the --audit flag to ld will remain useless.
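
The check the question does with readelf can also be scripted to see which audit libraries a binary names in DT_AUDIT or DT_DEPAUDIT. The following is an added example, not code from the question, the answer, or glibc. It assumes an ELF64 little-endian file with section headers, takes the tag values from glibc's elf.h, and uses a constructed sample image built by the hypothetical helper build_sample.

```python
import struct

# Dynamic-section tags and section type, as defined in glibc's elf.h
DT_NULL, DT_DEPAUDIT, DT_AUDIT = 0, 0x6FFFFEFB, 0x6FFFFEFC
SHT_STRTAB, SHT_DYNAMIC = 3, 6
TAG_NAMES = {DT_AUDIT: "DT_AUDIT", DT_DEPAUDIT: "DT_DEPAUDIT"}
SHDR = "<IIQQQQIIQQ"  # name, type, flags, addr, offset, size, link, info, align, entsize

def audit_entries(elf: bytes) -> dict:
    """Return the audit libraries named by DT_AUDIT / DT_DEPAUDIT in an ELF64 LE image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not an ELF64 little-endian file")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)
    shdrs = [struct.unpack_from(SHDR, elf, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    found = {"DT_AUDIT": [], "DT_DEPAUDIT": []}
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        dyn_off, dyn_size = sh[4], sh[5]
        str_off = shdrs[sh[6]][4]  # sh_link of .dynamic is its string table
        for pos in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<QQ", elf, pos)
            if d_tag == DT_NULL:
                break
            if d_tag in TAG_NAMES:
                start = str_off + d_val  # d_val is an offset into the string table
                text = elf[start:elf.index(b"\0", start)].decode()
                found[TAG_NAMES[d_tag]] += text.split(":")  # colon-separated list
    return found

def build_sample(audit: str) -> bytes:
    """Constructed sample input: ELF64 header, string table, .dynamic, 3 section headers."""
    strtab = b"\0" + audit.encode() + b"\0"
    dyn = struct.pack("<QQQQ", DT_AUDIT, 1, DT_NULL, 0)
    str_off = 64
    dyn_off = str_off + len(strtab)
    sh_off = dyn_off + len(dyn)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, sh_off, 0, 64, 0, 0, 64, 3, 0)
    def shdr(typ, off, size, link):
        return struct.pack(SHDR, 0, typ, 0, 0, off, size, link, 0, 1, 0)
    return (ehdr + strtab + dyn + shdr(0, 0, 0, 0)
            + shdr(SHT_STRTAB, str_off, len(strtab), 0)
            + shdr(SHT_DYNAMIC, dyn_off, len(dyn), 1))

if __name__ == "__main__":
    print(audit_entries(build_sample("audit.so")))
```

A non-empty DT_AUDIT list only shows what the linker recorded; per the answer above, whether the loader acts on it is a separate matter.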