In addition to setting the GLIBC_TUNABLES environment variable,
tunables may be provided globally via the file
/etc/tunables.conf, which gets stored in glibc’s dynamic
library cache /etc/ld.so.cache and read by every program at
startup. /etc/tunables.conf contains one tunable per line:
glibc.malloc.trim_threshold=128 glibc.malloc.check=3
ldconfig (with whatever options you normally use) will read the tunables in /etc/tunables.conf and save them as an extension in /etc/ld.so.cache. Tunables in the cache are applied to every program at startup, programs which are already running are not affected.
/etc/tunables.conf supports the same “include file” syntax as ld.so.conf.
Tunables in /etc/tunables.conf serve as defaults. They
override the built-in defaults in each program, but may be overridden
by the GLIBC_TUNABLES environment variable. Each tunable may
have one or more prefixes which modifies the behavior of the tunable.
overridable+nonoverridable-Prefixing the tunable name with nonoverridable or -
blocks changes from the environment variable, giving the global
setting precedence. Prefixing with overridable or +
(the default) reverts this behavior, which is only useful with the
filters (below).
onlysecure@Tunables prefixed with onlysecure or @ will apply only
to processes that are AT_SECURE (i.e. setuid or setgid binaries, or
elevated capabilities).
nonsecure$Tunables prefixed with nonsecure or $ will apply only to
processes that aren’t AT_SECURE.
anysecure*Tunables prefixed with anysecure or * will apply to all
processes.
When none of the onlysecure, nonsecure or anysecure
prefixes is given, a tunable behaves as if nonsecure had been
specified: it applies only to processes that are not AT_SECURE. Use
anysecure or onlysecure to affect AT_SECURE (setuid,
setgid, or capability-elevated) processes.
The GLIBC_TUNABLES environment variable is ignored entirely for
AT_SECURE processes, so the system-wide file is the only way to set a
tunable for such a process. A tunable applied this way is not subject to
any per-tunable security screening, so onlysecure and
anysecure must be used deliberately: they can enable
security-sensitive tunables (for example glibc.malloc.check) in
every setuid or setgid program. The config file is therefore trusted to
the same degree as /etc/ld.so.cache and must only be writable by
the system administrator.
Filters make the system-wide tunables only affect certain programs. This allows having a non-overridable default for most of the system but a different, overridable, value for certain programs that might not work at all with the default setting. The syntax for filters is to have each filter on its own line, followed by tunables that are applied when the filter matches, with this format:
[ filtername : pattern ]
Existing filters are:
procMatches the process name. The pattern is either a fully qualified path, or the basename of such a path. The process name is read from /proc/self/exe (if available) or argv[0] (unless AT_SECURE is in effect). Example:
-glibc.cpu.x86_shstk=1 [proc:/usr/bin/program_that_crashes_with_shstk] +glibc.cpu.x86_shstk=0
Note that the effects of a filter only last until the next filter, or
a line with [] on it (“no filter”), or the end of the file
(if the filter appears in an included file, at the end of the included
file).