Limitations

This section describes limitations when using Sentinel LDK to protect Linux applications.

Limitations for All Protected Linux Applications

>The Sentinel License Manager communicates with the protected application via TCP and UDP on port 1947. This port is IANA-registered exclusively for this purpose. At the end user site, the firewall must be configured so that communication via this port is not blocked.

Limitations for Linux Applications That Are Protected Using Sentinel LDK Envelope

>Protected applications do not function correctly when launched using commands such as sudo or kdesu.

>Background checks with interactive command-line applications (for example, FTP and SSH) are not supported.

>Applications that implement or override critical symbols from the standard C library (libc) cannot be protected. These symbols include memory management functions (malloc, calloc, free, realloc), dynamic linking functions (dlopen, dlerror, dlsym, dlclose), the process control function (register_atfork), and networking and I/O functions (connect, socket, accept, send, recv, select, poll, epoll_wait, read, write, dup, pipe, fcntl, ioctl, shutdown, gethostbyname). This limitation applies to many libc APIs related to file I/O, interprocess communication, networking, synchronization, and other system-level utilities.
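A pre-flight check for the limitation above, added here as an example rather than a Thales tool: it parses the output of `nm -D --defined-only <binary>` and reports any of the listed libc symbols that the binary defines itself, so an interposed `malloc` or `dlsym` is caught before Envelope is run. The sample nm output is constructed; the `__register_atfork` entry is glibc's exported spelling of the `register_atfork` name in the list above.

```python
import re

# Symbols named in the limitation above. A binary (or one of its shared objects)
# that defines any of them cannot be protected by Envelope.
CRITICAL_LIBC_SYMBOLS = frozenset({
    "malloc", "calloc", "free", "realloc",
    "dlopen", "dlerror", "dlsym", "dlclose",
    "register_atfork", "__register_atfork",  # glibc exports the underscored name
    "connect", "socket", "accept", "send", "recv", "select", "poll", "epoll_wait",
    "read", "write", "dup", "pipe", "fcntl", "ioctl", "shutdown", "gethostbyname",
})

# nm line: optional hex address, one-letter symbol type, symbol name.
_NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)$")

# Lowercase w/v and U denote undefined (imported) symbols; everything else is
# a symbol the binary defines.
_UNDEFINED_TYPES = {"U", "w", "v"}


def find_interposed_libc_symbols(nm_output):
    """Return the sorted list of critical libc symbols defined in the binary.

    nm_output is the text produced by `nm -D --defined-only <binary>`; plain
    `nm -D` output is also accepted because undefined entries are skipped.
    """
    found = set()
    for line in nm_output.splitlines():
        match = _NM_LINE.match(line.strip())
        if not match:
            continue
        sym_type, name = match.groups()
        if sym_type in _UNDEFINED_TYPES:
            continue
        name = name.split("@", 1)[0]  # drop a GLIBC_x.y version suffix, if any
        if name in CRITICAL_LIBC_SYMBOLS:
            found.add(name)
    return sorted(found)


# Constructed sample: an application that interposes malloc/free and a weak dlsym.
SAMPLE_NM_OUTPUT = """\
0000000000004010 B completed.0
0000000000001139 T main
0000000000001180 T malloc
0000000000001200 T free
0000000000001260 W dlsym
                 U puts@GLIBC_2.2.5
                 w __cxa_finalize@GLIBC_2.2.5
                 U __libc_start_main@GLIBC_2.34
"""

if __name__ == "__main__":
    hits = find_interposed_libc_symbols(SAMPLE_NM_OUTPUT)
    if hits:
        print("cannot be protected; binary defines:", ", ".join(hits))
    else:
        print("no critical libc symbols defined by the binary")
```

Run it against real output with `nm -D --defined-only ./app | python3 check.py`-style plumbing of your choice; the check only sees symbols the binary exports itself, so overrides introduced by an LD_PRELOAD library or a statically linked allocator need to be reviewed separately.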

>Thales recommends that you not use pthread_exit() in your main thread. If you do, protected applications may not be terminated properly, and you may have to kill the process explicitly.

>Background checks are not supported for OpenGL full-screen and interactive console applications. An interactive console application is one that continuously expects input at runtime in the console (for example: ftp, cscope, telnet).

>Sentinel LDK Envelope for Linux does not support binaries containing R_<arch>_IRELATIVE relocations, where <arch> denotes an architecture such as x86, x86_64, arm, or aarch64.

>Under Ubuntu 14, when dlopen() is called with the RTLD_NOW flag, the attempt to resolve undefined symbols in the protected library occurs before dlopen() returns.

For example, Python's module loader always calls dlopen() with RTLD_NOW; this default can be overridden with sys.setdlopenflags(1).

To resolve this, call dlopen() with the RTLD_LAZY (lazy binding) flag instead.
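The Python side of this workaround, as an added example that is not part of the original page: sys.setdlopenflags() is process-global and changes how every extension module imported afterwards is loaded, so the example scopes the RTLD_LAZY setting to one import and restores the previous flags afterwards. The module name "json" stands in for the protected extension module and is a constructed placeholder.

```python
import contextlib
import importlib
import os
import sys


@contextlib.contextmanager
def lazy_dlopen_flags():
    """Temporarily make the interpreter call dlopen() with RTLD_LAZY.

    os.RTLD_LAZY is the value 1 named in the note above. The previous flags
    are restored on exit, so unrelated extension modules keep the default
    (RTLD_NOW) binding.
    """
    previous = sys.getdlopenflags()
    sys.setdlopenflags(os.RTLD_LAZY)
    try:
        yield
    finally:
        sys.setdlopenflags(previous)


def import_with_lazy_binding(module_name):
    """Import module_name (for example, the protected extension module) under
    RTLD_LAZY and return it; the flags are restored even if the import fails."""
    with lazy_dlopen_flags():
        return importlib.import_module(module_name)


def dlopen_flags_inside_context():
    """Report the flags the interpreter would pass to dlopen() inside the context."""
    with lazy_dlopen_flags():
        return sys.getdlopenflags()


def flags_are_restored_after_import(module_name):
    """True if the global dlopen flags are unchanged once the import is done."""
    before = sys.getdlopenflags()
    import_with_lazy_binding(module_name)
    return sys.getdlopenflags() == before


if __name__ == "__main__":
    # "json" is a constructed stand-in for the protected module.
    module = import_with_lazy_binding("json")
    print(module.__name__, "imported with dlopen flags", dlopen_flags_inside_context())
```

Place the `with lazy_dlopen_flags():` block around the first import of the protected module only; a module that is already in sys.modules is not loaded again, so the flags have no effect on it.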

>Given the following circumstances:

A Linux application is protected with Envelope, with protection against debugging.

The application calls the wait(&status) system call, which is equivalent to waitpid(-1, &status, 0).

The application may hang.

Workaround 1: Call waitpid for a specific child process pid (pid > 0).

Workaround 2: Disable the anti-debugging feature in Envelope.

NOTE   Workaround 2 significantly reduces the security of the protected application. Thales recommends that you consult with Technical Support before choosing this workaround.
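Workaround 1 in practice, as an added example that is not part of the original page: the parent reaps exactly the child it created with waitpid(pid, ...) (pid > 0) instead of wait(), which is waitpid(-1, ...) and would also collect any other child of the process. Python's os.fork(), os.wait() and os.waitpid() are thin wrappers over the same system calls; the Envelope protection itself is not reproduced here, only the reaping pattern.

```python
import os


def run_child_and_reap(child_work):
    """Fork a child that runs child_work() and reap exactly that child.

    The parent calls os.waitpid(pid, 0) with pid > 0 (workaround 1 above)
    rather than os.wait(), so a child that belongs to another component of
    the process is never collected by mistake.
    Returns (reaped_expected_pid, exit_code); exit_code is -1 if the child was
    terminated by a signal.
    """
    pid = os.fork()
    if pid == 0:
        # Child: run the work, then leave via _exit so the parent's atexit
        # handlers and buffered output are not replayed in the child.
        try:
            code = int(child_work())
        except BaseException:
            code = 1
        os._exit(code)

    # Parent: block until this specific child changes state.
    reaped_pid, status = os.waitpid(pid, 0)
    if os.WIFEXITED(status):
        return reaped_pid == pid, os.WEXITSTATUS(status)
    return reaped_pid == pid, -1


def reap_child_exiting_with(code):
    """Constructed demo: a child that simply exits with the given status code."""
    return run_child_and_reap(lambda: code)


if __name__ == "__main__":
    print(reap_child_exiting_with(3))  # (True, 3)
```

If the application spawns several children, keep their pids and call os.waitpid() for each one; a loop over os.wait() reintroduces the waitpid(-1, ...) behaviour the note describes.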

>If the Sentinel HL key is disconnected while a protected console application that includes a background check is running, the application is suspended. When the key is reconnected, the application resumes, but it goes into the background. The application can be brought to the foreground by using the built-in shell "fg" command from the same terminal where the application was launched.

To bring a background application to the foreground:

a. List all running jobs using the command "jobs".

b. Choose the relevant job ID from the list.

c. Enter fg %[jobID] to bring the application to the foreground.