google · mzfr · Feb 27, 2026
diff --git a/linux/ldso_preload/weak_permissions/Dockerfile.safe b/linux/ldso_preload/weak_permissions/Dockerfile.safe
@@ -0,0 +1,22 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:22.04
+
+RUN : > /etc/ld.so.preload \
+    && chmod 0644 /etc/ld.so.preload \
+    && chown root:root /etc/ld.so.preload \
+    && chmod 0755 /etc
+
+CMD ["sleep", "infinity"]
diff --git a/linux/ldso_preload/weak_permissions/Dockerfile.vulnerable b/linux/ldso_preload/weak_permissions/Dockerfile.vulnerable
@@ -0,0 +1,22 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:22.04
+
+RUN : > /etc/ld.so.preload \
+    && chmod 0666 /etc/ld.so.preload \
+    && chown 1000:1000 /etc/ld.so.preload \
+    && chmod 0777 /etc
+
+CMD ["sleep", "infinity"]
diff --git a/linux/ldso_preload/weak_permissions/README.md b/linux/ldso_preload/weak_permissions/README.md
@@ -0,0 +1,30 @@
+# Linux ld.so.preload Weak Permissions
+
+Testbed for insecure `/etc/ld.so.preload` permissions and ownership that allow
+privilege escalation via dynamic linker preload hijacking.
+
+## Setup
+
+```bash
+docker build -t ldso-preload-vulnerable -f Dockerfile.vulnerable .
+docker build -t ldso-preload-safe -f Dockerfile.safe .
+```
+
+## How to Trigger the Vulnerability?
+
+The vulnerable image has a world-writable `/etc/ld.so.preload`, non-root
+ownership, and a writable `/etc` directory. Run SCALIBR against each image.
+
+```bash
+# From the osv-scalibr repo root
+./run_scalibr_on_image.sh ldso-preload-vulnerable
+```
+
+The safe image should not produce findings:
+
+```bash
+./run_scalibr_on_image.sh ldso-preload-safe
+```
+
+## References
+- https://attack.mitre.org/techniques/T1574/006/
diff --git a/linux/ldso_preload/weak_permissions/docker-compose.yml b/linux/ldso_preload/weak_permissions/docker-compose.yml
@@ -0,0 +1,14 @@
+version: "3.9"
+
+services:
+  ldso-preload-vulnerable:
+    build:
+      context: .
+      dockerfile: Dockerfile.vulnerable
+    container_name: ldso-preload-vulnerable
+
+  ldso-preload-safe:
+    build:
+      context: .
+      dockerfile: Dockerfile.safe
+    container_name: ldso-preload-safe