Ubuntu patch prevents custom argv[0]

[Ecordonnier]

On Ubuntu 24.04.03 starting e.g. true with a custom argv[0] works:

ecordonnier@LBM9V6C4:~/dev/coreutils$ bash -c "exec -a foobar
/usr/lib/cargo/bin/coreutils/true"
foobar 0.0.24 (multi-call binary)

Usage: foobar [function [arguments...]]

Currently defined functions:

    [, arch, b2sum, b3sum, base32, base64, basename, basenc, cat,
chcon, chgrp, chmod, chown,
    chroot, cksum, comm, cp, csplit, cut, date, dd, df, dir,
dircolors, dirname, du, echo,
...
...

On Ubuntu 26.04 (development branch) it doesn't work:

asteba@asteba-MS-7C75:~$ /usr/lib/cargo/bin/coreutils/true --version
/usr/lib/cargo/bin/coreutils/true (uutils coreutils) 0.2.2

asteba@asteba-MS-7C75:~$ bash -c "exec -a foobar /usr/lib/cargo/bin/coreutils/true"
Security violation: Requested utility `foobar` does not match executable name:
  /usr/lib/cargo/bin/coreutils/true

It works with GNU coreutils however:

asteba@asteba-MS-7C75:~/dev$ bash -c "exec -a foobar /usr/bin/gnutrue"
asteba@asteba-MS-7C75:~/dev$ 

The error "Security Violation..." comes from a Ubuntu patch ( https://git.launchpad.net/ubuntu/+source/rust-coreutils/tree/debian/patches/require-utility-to-be-invoked-at-matching-path.patch?h=applied/ubuntu/devel ):

asteba@asteba-MS-7C75:~/dev/coreutils/ubuntu-sources$ rg -i "security violation" .
./rust-coreutils-0.2.2/debian/patches/require-utility-to-be-invoked-at-matching-path.patch
27:+                    "Security violation: Requested utility `{}` does not match executable name:\n  {}",

./rust-coreutils-0.2.2/src/bin/coreutils.rs
116:                    "Security violation: Requested utility `{}` does not match executable name:\n  {}",

@julian-klode FYI (submitted at https://bugs.launchpad.net/ubuntu/+source/rust-coreutils/+bug/2137745 )

Context: in order to save space, uutils coreutils is compiled as multi-call binary on Ubuntu, and the single utilities are simply hard links to the same multi-call file. So in theory any utility could execute any function of uutils-coreutils if executed with the wrong argv[0] (e.g. "true" could execute an "ls" command).

[julian-klode]

Yes we cannot allow the code to dispatch based on argv[0] because AppArmor only checks the binary, not the arguments. This can really be solved by creating a library with a int uu_main(char *command, int argc, char *argv[]) C export that only dispatches on command and not argv[0] and then lots of tiny programs tail dynamically linking it and calling that with a hardcoded command command.

[Ecordonnier]

Yes we cannot allow the code to dispatch based on argv[0] because AppArmor only checks the binary, not the arguments. This can really be solved by creating a library with a int uu_main(char *command, int argc, char *argv[]) C export that only dispatches on command and not argv[0] and then lots of tiny programs tail dynamically linking it and calling that with a hardcoded command command.

I've given it a try in a local branch. One issue I see is that if those "tiny wrapper programs" are in Rust, they're about 400KB in size (static linking of rust stdlib, panic handling, etc.). I can reduce a bit by using methods described in https://github.com/johnthagen/min-sized-rust# , but it's never going to be as small as e.g. C wrappers.
Is that what you had in mind? This would make the Ubuntu package significantly bigger (currently coreutils is about 11MB big, and all utilities are hard-linked. This would be 112 wrappers times 400KB, so 40MB just for the wrappers plus one dynamic library which would have approximately the same size than current utilities).

I think a 50MB package would be OK for desktop / server scenarios, unless you're also targetting very small embedded systems with this package as well?

[oech3]

Can you bundle libstd-*.so to the package with -C prefer-dynamic?

[Ecordonnier]

Yes we cannot allow the code to dispatch based on argv[0] because AppArmor only checks the binary, not the arguments. This can really be solved by creating a library with a int uu_main(char *command, int argc, char *argv[]) C export that only dispatches on command and not argv[0] and then lots of tiny programs tail dynamically linking it and calling that with a hardcoded command command.

@julian-klode what do you think? Is the increase in the .deb size acceptable with 400KB wrappers? Or should I ship an libstd-*.so library which would get used only by uutils-coreutils like @oech3 suggested?

[oech3]

$ env RUSTFLAGS=-Cprefer-dynamic cargo build --profile=release-fast --workspace --bins --exclude uu_runcon --exclude uu_chcon --exclude coreutils
...
   Compiling itertools v0.14.0
error: the linked panic runtime `panic_unwind` is not compiled with this crate's panic strategy `abort`

error: could not compile `crc-fast` (lib) due to 1 previous error
warning: build failed, waiting for other jobs to finish...

[oech3]

Another issue caused by argv[0]: coreutils/coreutils#183

[oech3]

I locally made a auxval based coreutils which could be extended to cover the usecase of symlink chains in the future.

[oech3]

Does ubuntu patch accept executing from fd?:
coreutils/coreutils#183 (comment)