[SYCL] Add implicit rpath to libsycl directory #6306
Conversation
This patch adds the flag `-f{no-}sycl-implicit-rpath`, which ensures
that on Linux-like platforms the directory containing `libsycl.so` in
the clang build or installation is added to the SYCL binaries' `RPATH`.
This flag is enabled by default.
This makes it easier for SYCL binaries to find `libsycl.so` and removes
the need for user to set `LD_LIBRARY_PATH` in most cases.
This flag is similar to the OpenMP `-fopenmp-implicit-rpath` flag.
|
I thought the main reason rpath hasn't been added before is security related risks: https://security.stackexchange.com/a/165762. I would be great if someone can comment if this patch is safe in that regard. |
|
That's a very interesting question, just a few notes on that:
So as far as I understand it this would rather come into play when users of DPC++ are packaging SYCL applications. In that scenario if they don't use Note that in CMake for example when using Overall I think that this patch brings a better development environment in line with what CMake usually does, and that ultimately it is up to packagers of SYCL applications to make sure they don't have any But I suppose an argument can be made that making this the default may cause application developers to accidentally ship DPC++ SYCL applications with unwanted |
I think that's the main point of the concern. |
Why are we making this default behavior? |
|
The main idea of this patch is to make it a bit more user friendly to use the SYCL compiler by removing the need to set Assuming a DPC++ compiler installed in With this patch: /opt/llvm/bin/clang++ -fsycl sample.cpp -o sample
./sampleWith this patch but flag disabled by default: /opt/llvm/bin/clang++ -fsycl -fsycl-implicit-rpath sample.cpp -o sample
./sampleWithout this patch (or with this patch but flag disabled by default): So the tradeoff is that with this patch developers won't ever have to worry about their SYCL applications not finding |
I understand but if security is a concern, maybe making this disabled by default is a better option even if it is not as user-friendly, I am not a security expert, so I am hoping someone else can comment @AaronBallman is this something you are familiar with? |
Unfortunately, I don't feel confident I have enough expertise to answer this. |
|
I think even making this NOT a default is a concern. Having dynamic libraries pulled in from directories I dont set in my OS by programs I otherwise would trust, is frightening. Unless my OS explicitly prompted me to let it load these, I'd be very unhappy with the implications of this. Even if it DID explicitly prompt me, I'd still be concerned. |
|
@npmiller, have there been any discussions/concerns raised when -fopenmp-implicit-rpath was added in upstream? I assume we just trying to follow same path here? |
|
To effectively use SYCL on Linux the user needs to not only have the SYCL shared library on the LD_LIBRARY_PATH, but also the device compilers. To my mind, while putting the shared lib on the LD_LIBRARY_PATH is arguably inconvenient, at least it's consistent with the device drivers. If the SYCL shared library is magically handled for the user but the device compilers are not, then I'm not sure we are gaining much. And that's before we address the security concern. RPATH hides from the user this important (and potentially exploitable) aspect of their built app. |
Here's the upstream discussion when adding the OpenMP flag: They didn't discuss much the security aspects of it but did mention that some distributions banned the use of
What do you mean exactly by device compilers/drivers? The PI plugins are in the same directory as It's true that Talking about CMake, maybe as an alternative to this patch we could disable the flag by default but provide a DPC++ CMake configuration that would enable this |
I just realized this is incorrect, I was just experimenting with a build directory and so There's actually a recent ticket about exactly that issue here: #6217 also suggesting to set a relative |
|
I don't see how this could introduce any potential security issue. If someone doesn't trust our compiler or the location they install our compiler/runtime, they can't trust a binary produced with that compiler. In other words if you sideload an untrustworthy compiler (or binary produced by one) you have much bigger problems then rpath. And if they do trust our compiler (and the installation folder) why would the rpath cause any additional attack surface? |
It's not about the location of where they install the our compiler, it's that other things on the system (which the user may or may not have control over) may surprisingly change our compiler's behavior because we configured our compiler in a way that allows for that. |
I assume you mean the application behavior. Because the compiler behavior would be unaffected because this PR is adding the rpath to the application compiled by the compiler not to the compiler itself. The rpath would be pointing to the compiler installation location. This means that only modifying libraries inside the compilation installation location would modify the application behavior. |
Oops, you're correct, sorry about that!
Maybe that's sufficient mitigation for this to not be a security concern (I don't know)? We'd really need a security expert to weigh in on this for me to feel confident in the change, given my fairly light knowledge of rpath (as a predominately Windows developer, I've always found rpath behavior to be confusing). |
|
Note that with #6658
|
|
@cperkinsintel, can you review please? |
| Instructs the compiler to add the directory within the clang build or | ||
| installation containing the SYCL library to the `RPATH` of generated | ||
| binaries when building in SYCL mode. This flag is enabled by default. |
There was a problem hiding this comment.
Which path is going to be used if I have both of them: build and installation directories?
There was a problem hiding this comment.
It's tied to the clang binary, so it will point to the associated lib directory, for example:
$ ./build/bin/clang++ -fsycl a.cpp -o a
# RPATH will point to "/path/to/build/lib"
$ ./install/bin/clang++ -fsycl a.cpp -o a
# RPATH will point to "/path/to/install/lib"
And when it comes to resolving which libraries to use RPATH is looked up before the system libraries, so even if you have DPC++ installed on your system, binaries generated with the clang++ from your build directory will use the libsycl.so from your build directory as well.
Remove unnecessary test body Co-authored-by: Alexey Bader <[email protected]>
There was a problem hiding this comment.
The changes look OK to me - have we addressed all of the security issues that have been brought up? Given the current default of enabled, should there be any additional callout in documentation to use -fno-sycl-implicit-rpath to disable for any concerned application devs?
|
Making my comments here since this topic has been revived again in my inbox:
I don't have the authority to rubber stamp PRs as "Officially Secure" or "Officially Vulnerable" (nor do I want it), but I personally question why we feel |
|
As an aside, it looks like |
|
After reading through everything again, given all the legitimate concerns and the fact that the equivalent OpenMP feature has now also been reverted upstream (https://reviews.llvm.org/D118493#4178250) after similar discussions, I think it only makes sense to close this pull request now. Thanks everyone for all the great input and discussion! |
This patch adds the flag
-f{no-}sycl-implicit-rpath, which ensuresthat on Linux-like platforms the directory containing
libsycl.sointhe clang build or installation is added to the SYCL binaries'
RPATH.This flag is enabled by default.
This makes it easier for SYCL binaries to find
libsycl.soand removesthe need for user to set
LD_LIBRARY_PATHin most cases.This flag is similar to the OpenMP
-fopenmp-implicit-rpathflag.This patch is related to: #6301 and in that case should make the extra CMake configuration unnecessary as well.